none
cannot sign in to lync there was a problem verifying the certificate from the server

    Question

  • Hello,

     

    I have DC with Windows Server 2008 R2

    And Lync Server on top of Windows Server 2008 R2

    I installed Lync Server 2010 Standard Edition and install CA in the same server.

    I export this certificate to client , but unfortuntelly I could not logon to Lync Clients in Windows 7.

     

    Error from client event log:

    Event Type: Error

    Event Source: Schannel

    Event ID: 36884

    Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is server_name. The SSL connection request has failed. The attached data contains the server certificate

     

    Lync Client  error:

    cannot sign in to lync there was a problem verifying the certificate from the server

     

    lync Server warning:

    Source: Microsoft-Windows-CertificationAuthority

    Event ID: 103

     

    Could you please help.

    Thanks

    Amjed

    Monday, February 21, 2011 9:01 AM

All replies

  • You'll need to actually issue a certificate to the Lync server from the CA and use that certificate. You can't just use the root CA certificate for Lync server. If  you use the certificate wizard in Lync it will automatically populate the required names. See this document for more guidance: http://technet.microsoft.com/en-us/library/gg412818.aspx

     

    The root CA certificate must also be in the "Trusted Certification Authorities" store of the Computer account (not personal/user) on the client.

    Monday, February 28, 2011 9:57 PM
  • Hi ,

     I have almost the same setup except for :

    - we have a separate server for Root CA ( standalone ) , Intermediate CA ( enterprisa domain )

    - we generate the certificate for the server

    - installed the certificate on the server

    - imported root and intermediate ca on the domain joined pc

     

    Still got the same error while connecting to the lync server with the lync client

    Can you help ?

    thanks

     

    Monday, April 11, 2011 9:22 AM
  • I have solved the issue .

    I thought that assigning the new certificate to the IIS Lync Website would be enough , instead I had to restart the Lync Certificate Wizard and assign the certificate throught it

    HTH

    Stefano

     

    • Proposed as answer by Charbel Hanna Tuesday, May 03, 2011 1:13 PM
    Monday, April 11, 2011 10:49 AM
  • Hi there,

    actually there is a very good documentation of how to design your infrastructure and which certificates you need at http://technet.microsoft.com/en-us/library/gg425921.aspx 

    I don´t use split-brain-DNS and instead work with DNS-Pin-Point-Zones. I guess that is why I had the same error showing up. In my case the client expects the name specified in the SRV-Record _sipinternaltls._tcp.example.com, which was <lyncfrontendpool.example.com>. There is a Pin-Point-Zone for lyncfrontendpool.example.com, which points to the IP of the internal server. Since the client wants to verify, that the name it requested is signed by the certificate, the name, which the SRV-Record points to has to be in the Subject Alternative Names of the certificate assigned to the lync front end server.

    In the documentation at Microsofts Technet, it is written, that one should put the lyncfrontendpool.examle.com in the SRV-Record. In my eyes it should instead be lyncfrontendpool.example.net, which points directly to the internal domain. I guess MS made a mistake in their docs or that it just doesn´t fit for our deployment.

    HTH,
    Martin

    Monday, July 25, 2011 11:44 AM
  •  

    Hi Amjed,

     

    Copy certificate chain from one of the working machine to the affected machine, Follow below guide for installing Lync client certificate,

    http://www.mytricks.in/2011/07/microsoft-lync-client-certificate.html

     

    Cheers!



    Thursday, July 28, 2011 5:16 PM