A fatal error occurred when attempting to access the SSL client credential private key

  • Question

  • Hi,

     

    We're trying to use the Test-CSFederatedPartner cmdlet to test Federation to a remote party but the command fails with the following error:

    Test-CsFederatedPartner -Domain redscan.net -TargetFqdn lyn
    c-edge.avt-systems.co.uk
    Test-CsFederatedPartner : The operation failed due to issues with Tls. See the
    exception for more information.
    At line:1 char:24
    + Test-CsFederatedPartner <<<<  -Domain redscan.net -TargetFqdn lync-edge.avt-s
    ystems.co.uk
        + CategoryInfo          : OperationStopped: (:) [Test-CsFederatedPartner],
        TlsFailureException
        + FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.Sy
       ntheticTransactions.TestFederatedPartnerCmdlet

    We are running this on the Frontend. Using Microsoft Network Monitor I can see the command is only communicating with the internal domain controllers via LDAP. After the command is run we get the following error in the event log:

    A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003.

    Does anyone know which certificate this would be checking, or how to resolve this error?

     

    Regards,

     

    Neil
    Friday, July 22, 2011 1:23 PM

Answers

  • Hi, Neil,

    From searching the internet, this error is often caused by the service SSL certificate not being fully trusted or the service account not having full permission.

    Would you please go to http://www.digicert.com/help/ and test your certificate status?

    Have you created and enabled a federation route between you and your partner?

    Is the federated domain listed in the collection of allowed (federated) domains?

    Also, please verify that the account you run the cmdlets with has the appropriate permission, and try to reassign a new certificate for the server.

    Otherwise, if there are more error messages along with this error in the event viewer, please also extract them for troubleshooting.

    If the above doesn't help, could you elaborate more on your Lync topology, please?

     

    Moreover, here is another post with the same error message, just for your reference (TMG relevant): http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/15c4bded-1848-480a-914d-a131cb49f0bd

    Regards,

    Sharon

     

     

    Tuesday, July 26, 2011 8:44 AM
    Moderator

All replies

  • hi,

    Were you able to get to a resolution on this issue? Seeing the same problem; however, federation using the client works correctly.

    Wednesday, August 3, 2011 1:10 PM
  • Just came across this, you'll get this error if you don't run the Lync Shell with administrative permissions and try to run the test-csfederatedpartner. Close the shell, then start it as administrator and it should work fine if your certs are configured correctly.
    Thursday, March 22, 2012 3:46 PM
  • This is an NTFS permission problem; just go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission to the "MachineKeys" folder,

    and then restart the server.

    Done

    • Proposed as answer by Ivan_Sanchez19 Tuesday, December 11, 2018 6:52 PM
    • Unproposed as answer by Ivan_Sanchez19 Tuesday, December 11, 2018 6:52 PM
    Monday, August 26, 2013 4:08 AM
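
A read-only way to inspect the permission the reply above points at, added here as an example and not part of any post in this thread. It lists the access rules on the private-key file behind each machine certificate. Get-MachineKeyAcl is a hypothetical helper name, and the script assumes the keys are CAPI (RSA CSP) keys stored under the MachineKeys folder named in the reply.

```powershell
# Added example (not from the thread): read-only report of who can read the
# private-key files behind the machine certificates. Get-MachineKeyAcl is a
# hypothetical helper name. Assumes CAPI (RSA CSP) keys stored in MachineKeys.
function Get-MachineKeyAcl {
    param([string]$Thumbprint)   # optional: limit the report to one certificate

    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    # @() keeps an empty result an empty array, so the loop below does not run on $null.
    $certs  = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
    if ($Thumbprint) {
        $certs = @($certs | Where-Object { $_.Thumbprint -eq $Thumbprint })
    }

    foreach ($cert in $certs) {
        $container = $null
        try {
            # Opening the key throws when the caller cannot read the key file,
            # which is the condition the replies in this thread describe.
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        } catch {
            Write-Warning ("{0}: cannot open private key: {1}" -f $cert.Thumbprint, $_.Exception.Message)
            continue
        }
        if (-not $container) {
            Write-Warning ("{0}: key is not held by an RSA CSP, skipped" -f $cert.Thumbprint)
            continue
        }
        $keyFile = Join-Path $keyDir $container
        if (-not (Test-Path -Path $keyFile)) {
            Write-Warning ("{0}: key file {1} not found in MachineKeys" -f $cert.Thumbprint, $container)
            continue
        }
        # One row per access rule on the key file, so a missing account stands out.
        (Get-Acl -Path $keyFile).Access | Select-Object @{ n = 'Thumbprint'; e = { $cert.Thumbprint } },
            @{ n = 'Subject'; e = { $cert.Subject } },
            IdentityReference, FileSystemRights, AccessControlType
    }
}

Get-MachineKeyAcl | Format-Table -AutoSize
```

Running it in the same shell session that produced the error shows whether that session can open the key at all; a warning for the server's certificate there, but not in an elevated shell, matches the behaviour described in the March 22, 2012 reply.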
  • Well done! This fixed it for me

    John Lucas - Code Monkey

    Wednesday, February 26, 2014 11:17 PM
  • Thank you for providing an answer instead of a link to another forum.  It pointed me to the issue right away.
    Tuesday, June 3, 2014 3:49 PM
  • Thank you very much, this was useful to me; I had been searching for two weeks and couldn't find the solution.

    Regards.

    Tuesday, December 11, 2018 6:53 PM