I have a DC running Windows Server 2008 R2
and Lync Server on top of Windows Server 2008 R2.
I installed Lync Server 2010 Standard Edition and installed a CA on the same server.
I exported this certificate to the client, but unfortunately I could not log on to the Lync clients on Windows 7.
Error from client event log:
Event Type: Error
Event Source: Schannel
Event ID: 36884
Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is server_name. The SSL connection request has failed. The attached data contains the server certificate
Lync Client error:
cannot sign in to lync there was a problem verifying the certificate from the server
Lync Server warning:
Event ID: 103
Could you please help.
You'll need to actually issue a certificate to the Lync server from the CA and use that certificate. You can't just use the root CA certificate for Lync server. If you use the certificate wizard in Lync it will automatically populate the required names. See this document for more guidance: http://technet.microsoft.com/en-us/library/gg412818.aspx
The root CA certificate must also be in the "Trusted Certification Authorities" store of the Computer account (not personal/user) on the client.
I have almost the same setup except for:
- we have a separate server for the Root CA (standalone) and the Intermediate CA (enterprise domain)
- we generated the certificate for the server
- installed the certificate on the server
- imported the root and intermediate CA on the domain-joined PC
Still got the same error while connecting to the Lync server with the Lync client.
Can you help?
I have solved the issue.
I thought that assigning the new certificate to the IIS Lync website would be enough; instead I had to restart the Lync Certificate Wizard and assign the certificate through it.
Actually, there is very good documentation on how to design your infrastructure and which certificates you need at http://technet.microsoft.com/en-us/library/gg425921.aspx
I don't use split-brain DNS and instead work with DNS pin-point zones. I guess that is why I had the same error showing up. In my case the client expects the name specified in the SRV record _sipinternaltls._tcp.example.com, which was <lyncfrontendpool.example.com>. There is a pin-point zone for lyncfrontendpool.example.com, which points to the IP of the internal server. Since the client wants to verify that the name it requested is covered by the certificate, the name the SRV record points to has to be in the Subject Alternative Names of the certificate assigned to the Lync front end server.
In the documentation on Microsoft's TechNet, it is written that one should put lyncfrontendpool.example.com in the SRV record. In my eyes it should instead be lyncfrontendpool.example.net, which points directly to the internal domain. I guess MS made a mistake in their docs, or it just doesn't fit our deployment.
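The name check that post describes, as an added example that is not part of this thread: a client takes the SRV target as the expected name and accepts the connection only if that name is covered by a DNS SAN of the server certificate (falling back to the CN only when there are no DNS SANs). The example.com/example.net names and the three certificates, written in the shape Python's `ssl` module returns from `getpeercert()`, are constructed for illustration; it also shows why the root CA's own certificate and a machine-name-only certificate fail, while a certificate populated by the Certificate Wizard passes.

```python
from typing import List, Mapping

# Constructed values (hypothetical): example.com is the SIP domain and the
# SRV record _sipinternaltls._tcp.example.com points at the pool FQDN below.
SRV_TARGET = "lyncfrontendpool.example.com"

# The CA's own certificate, as exported in the original post: no DNS SAN at all.
ROOT_CA_CERT = {"subject": ((("commonName", "Example Root CA"),),)}

# A certificate issued only to the server's machine name in the internal domain.
HOST_ONLY_CERT = {
    "subject": ((("commonName", "lync01.example.net"),),),
    "subjectAltName": (("DNS", "lync01.example.net"),),
}

# A certificate like the Lync Certificate Wizard produces: pool FQDN, sip name, host name.
WIZARD_CERT = {
    "subject": ((("commonName", "lyncfrontendpool.example.com"),),),
    "subjectAltName": (("DNS", "lyncfrontendpool.example.com"),
                       ("DNS", "sip.example.com"),
                       ("DNS", "lync01.example.net")),
}


def _dns_name_match(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, and a '*' is honoured only as the
    whole left-most label of a name with at least three labels (no '*.com')."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def names_in_cert(cert: Mapping) -> List[str]:
    """Names a TLS client will accept for this cert: DNS SANs if any, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_expected(cert: Mapping, expected: str = SRV_TARGET) -> bool:
    """True when the name the client expects (the SRV target) is covered by the cert."""
    return any(_dns_name_match(p, expected) for p in names_in_cert(cert))


if __name__ == "__main__":
    for label, cert in (("root CA cert", ROOT_CA_CERT), ("host-only cert", HOST_ONLY_CERT),
                        ("wizard cert", WIZARD_CERT)):
        print(label, "->", "OK" if cert_matches_expected(cert) else "name mismatch (Schannel 36884)")
```

Running it prints a mismatch for the first two certificates and OK for the wizard certificate; to test a live server, feed `cert_matches_expected` the dict from `ssl.SSLSocket.getpeercert()` after connecting to the SRV target on port 5061.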
Copy the certificate chain from one of the working machines to the affected machine. Follow the guide below for installing the Lync client certificate,