certificate error: There was a problem verifying the certificate from the server.


  • Hi Expert,

    My Lync server is fine when working in an internal domain situation, but if I try to use it on a non-domain machine or outside the network, it shows the error message: There was a problem verifying the certificate from the server.

    Brief list:

    1. I have an internal CA server.

    2. The client trusts the root certificate.

    3. One Lync Edge server.

    4. Disabled all firewalls.

    5. Created the SRV records at the internal DNS server.




    Friday, August 26, 2011 2:06 AM

All replies

  • Non-domain machines don't trust an internal CA, as you probably know. Also, clients need to get to your CRL distribution point to verify that the certificate has not been revoked. Could you verify that the CRL is available to non-domain machines and machines outside the perimeter?


    If a post is helpful, please take a second to hit the green arrow on the left, or mark as answer, thanks

    MCITP: Lync, Exchange 2010 & Server Administrator

    Designing Lync Blog

    View Michael Brophy's profile on LinkedIn

    Friday, August 26, 2011 9:54 AM
  • I have the same issue. One FE server in a domain using an internal CA certificate. One Edge using an external certificate. If a client connects to a server for the first time(s), a certificate warning message displays "Lync can't verify if the server Server for your login address is trusted. Do you want to connect" (free translation from German). There is an option "always trust this server".

    The server FQDN displayed is the Lync pool address where the user should log on. The displayed certificate contains the pool address as SAN, and the issuing CA is also trusted, as the client PC belongs to a forest where the issuing CA resides in a root domain (the certificate chain is displayed as valid). There are no problems in the event log, and even Lync client logging doesn't have any entries at this time.

    The message disappeared during troubleshooting after the client was started and stopped several times without any changes.

    Please advise how to troubleshoot this issue.

    Friday, August 26, 2011 11:53 AM
  • I checked the CRL on the non-domain client, but I'm not so sure if the CRL can be verified. Please advise.


    On the other hand, I have removed the CRL list from the internal CA server, and the error still persists.



    Monday, August 29, 2011 1:30 AM
  • Hi Human Being,

    Here are some suggestions:

    1) Have you tried to sign in on non-domain or outside clients with manual configuration and seen if it works?

    2) Would you please verify that you have configured the correct listening port on the Access Edge server and SRV records, 5061 or 443. For more details please check

    3) Would you please go to and to test the connectivity and certificate for more details?

    4) You can also test the Lync sign-in tool to get more information.

    5) If the above doesn't work, please enable the Lync logging tool in Lync on outside clients and the Lync server to get more troubleshooting information. About how to use the Lync logging tool, you can follow Jeff's blog.



    Monday, August 29, 2011 10:01 AM
  • Hi Sharon,

    The certificate error still persists; I did check my outside client, which trusts the root certificate.

    But the website gives me the warning message: Certificate does not match name

    Furthermore, I want to change the port 443 to other, please advise how I can do it (because the port 443 is used for exchange owa).



    Tuesday, August 30, 2011 3:33 AM
  • Hi Human_Being,


    The message tells you the hostname of the server doesn't match the hostname stored in the certificate. Please check for possible typos. You should add the main hostname (CN name) to the SAN list too.

    Tuesday, August 30, 2011 7:37 AM
  • Hi Willi,

    Thanks for your input.

    I made a certificate request on the Edge server and then applied it on our internal CA server http://server name/certsrv/.

    Finally, I downloaded the certificate and assigned it to the Edge server for external usage.

    Here is the article: (To create the certificate request for the external interface of the Edge Server)

    On the client side, I imported the same certificate on the outside client. But I do not know why the outside client uses the other certificate to check with the Lync Edge server, although the wrong certificate is a root certificate that is used for OWA.



    Wednesday, August 31, 2011 2:11 AM
  • Make sure that the client:

    1. Trusts the issuer of the certificate on the public Edge interface and the front end
    2. Can access the Certificate Revocation Lists as listed in the certificate on both servers
    3. The FQDNs on the certificate are the right ones


    Certified IT Professional Lync Server 2010 / Exchange 2007 -
    If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.
    Thursday, September 01, 2011 6:32 AM
  • This certificate has messed me up. If someone feels interested, I can give you remote access rights.

    Pls contact me via

    Thursday, September 01, 2011 8:46 AM
  • How does your DNS entry for the automatic sign-in look?

    The SRV record should be in the same DNS domain like shows on in the DNS domain.

    If you have something like shows on in the you will have trouble with authentication and certificates.

    regards Holger Technical Specialist UC
    Saturday, September 03, 2011 9:05 AM
  • Hello,

    You can refer to the following article for Edge certificates

    But still, if you find that it's not working, please ping me. I think there is some SAN entry mismatch in the external Edge interface certificate; however, you can check your certificate on the DigiCert link ( )




    Regards, Prem Desai
    • Edited by Prem Desai Sunday, September 04, 2011 11:09 PM spelling mistake
    Sunday, September 04, 2011 11:08 PM
  • Hi,

    The DigiCert link tells me:

    Certificate does not match name

    Valid from 20/Jul/2011 to 20/Jul/2016
    Monday, September 05, 2011 1:30 AM
  • Hi Holger Bunkradt,

    My (SRV) is under my domain scope, and the services host is my lync edge server.

    Everything's working perfectly in the LAN with a domain client.

    Monday, September 05, 2011 1:37 AM
  • Hi,

    The subject name of the certificate should be the name of your Access Edge and the additional SAN for the Web Edge. The A/V certificate could be an internal certificate or also a SAN in the public certificate.

    The issuer should be trusted on all external Lync Clients.

    regards Holger Technical Specialist UC
    Monday, September 05, 2011 8:28 AM
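An added check (not code from the thread) that encodes the external sign-in rules the replies above converge on: the SRV target must sit inside the SIP domain and use port 443 or 5061, the Access Edge FQDN must be covered by the certificate subject CN or a SAN, the CN should be repeated in the SAN list, and the issuer and CRL must be reachable from a non-domain client. All hostnames are constructed placeholders.

```python
# Added example (not from the thread): encodes the external sign-in checks the
# replies above describe. All hostnames below are constructed placeholders.

def in_dns_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def name_matches(pattern: str, host: str) -> bool:
    """Certificate name match: exact, or one wildcard covering only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole left-most label and must not stand for a public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_edge_sign_in(sip_domain, srv_target, srv_port, subject_cn, sans,
                       issuer_trusted, crl_reachable):
    """Return the problems a non-domain client would hit; an empty list means sign-in should pass."""
    problems = []
    if srv_port not in (443, 5061):
        problems.append("SRV port is not 443 or 5061")
    if not in_dns_domain(srv_target, sip_domain):
        # The client will not trust a server outside the SIP domain for that sign-in address.
        problems.append("SRV target is outside the SIP domain")
    if not any(name_matches(n, srv_target) for n in [subject_cn, *sans]):
        problems.append("Certificate does not match name")
    if not any(name_matches(n, subject_cn) for n in sans):
        problems.append("subject CN is missing from the SAN list")
    if not issuer_trusted:
        problems.append("issuing CA is not in the client's trusted root store")
    if not crl_reachable:
        problems.append("CRL distribution point is not reachable from the client")
    return problems


if __name__ == "__main__":
    # Constructed sample: SRV _sip._tls.contoso.example -> sip.contoso.example:443
    print(check_edge_sign_in("contoso.example", "sip.contoso.example", 443,
                             "sip.contoso.example",
                             ["sip.contoso.example", "webconf.contoso.example"],
                             issuer_trusted=True, crl_reachable=True))
```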
  • But my external lync clients already trusted the root cert (
    Monday, September 05, 2011 9:48 AM
  • Ok, but in your screenshot I didn't see the SIP FQDN as Subject, right?
    regards Holger Technical Specialist UC
    Monday, September 05, 2011 9:54 AM
  • For DNS requirements for external sign-in to Lync you can refer to the article, and for the Lync Edge server certificate we need the Access Edge Lync interface as subject name.

    Once you fix this part I think your issue will be resolved.

    Regards, Prem Desai
    Monday, September 05, 2011 4:19 PM
  • Hi,

    I have imported the cert into the external client (mmc - computer account), but I have no idea why the client always checks the when connecting.

    P.S. The is my root CA and it is used for RPC over HTTPS.

    Furthermore, I tried to import the cert into IE, but afterwards I did not find this SIP cert. I guess that I can only import the root cert in IE.



    Tuesday, September 06, 2011 1:50 AM
  • Hello,

    Is your the CA for the certificate assigned to the Edge interfaces? Then you need the root cert of in the trusted certificate store on the client machine.

    To import the certificate, run the MMC command, then select Certificates, then Local Machine (make sure you don't select My Account), then Trusted Certificates, and then right-click and Import.

    Regards, Prem Desai
    Tuesday, September 06, 2011 7:09 PM
  • Hi,

    The is the root certificate:

    Certification Path:


    I have already imported the in the external client.

    mmc - local machine - personal & trust store.

    Wednesday, September 07, 2011 1:19 AM
  • Are you able to sign in with the Communicator client on the Edge server by adding a host entry for your SIP domain and the IP address of the Access Edge server? And should be present only in the trust store, not under the personal store.

    Regards, Prem Desai
    Saturday, September 10, 2011 10:35 AM