For a couple of weeks one of my customers had been complaining about little hiccups in their Lync 2013 environment. It was working, but every now and then they had these strange little issues. When I moved my own accounts to Lync Online I was no longer able to federate with this customer, so it was time to start investigating.
I noticed that replication with the Edge server was not working anymore, indicated by the red cross in the Lync Control Panel. Updating the servers with the latest hotfixes for Windows and Lync 2013 didn’t help, rebooting the servers didn’t help; replication simply didn’t take place.
The same results were visible in the Lync Management Shell when using the Get-CsManagementStoreReplicationStatus cmdlet. From its output I could see that replication had not been working for almost three months:
The strange thing was that all ports were open. Stranger still, the Lync Front-End server (Standard Edition) and the Lync Edge server were on the same network, so there wasn’t even a firewall between the two servers (I know, this is not the recommended approach).
The event log didn’t reveal much, except that the latest replica status was reported after startup (or after recycling the services).
The replication web services reported OK in the event log as well:
I was even able to access the Replication Web Services using Internet Explorer without any issues, not even a certificate warning:
So, everything seemed to be fine and it should have been working. After some serious head banging on my desk, complaining, discussing and some research, it had to be something with the certificates. It turns out that there have been some changes in the SSL authentication mechanism. The Client Authentication Trust Mode supported by the Schannel provider can be configured and can have one of the following values:
- 0 – Machine Trust (default) – Requires that the client certificate is issued by a certificate in the trusted issuers list.
- 1 – Exclusive Root Trust – Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the trusted issuer list.
- 2 – Exclusive CA Trust – Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.
For Lync 2013 the Client Authentication Trust Mode should be set to “2”. This can be achieved by creating a REG_DWORD under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL (on the Lync 2013 Edge server) and assigning it a value of “2”:
Reboot the Lync Edge server, wait for the services to start and check the replication again using Get-CsManagementStoreReplicationStatus. It should be running fine now.
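The registry change and the replication check above, as an added PowerShell example (not code from the original post). It assumes the value is named ClientAuthTrustMode, which is the Schannel setting Microsoft documents for this trust mode; the post itself only gives the key path and the data. The registry part runs elevated on the Edge server; the replication check runs wherever the Lync Management Shell is available, and is skipped otherwise.

```powershell
# Added example, not from the original post: inspect and set the Schannel
# client-authentication trust mode on the Lync 2013 Edge server, then verify
# CMS replication after the reboot.
# Assumption: the value is named ClientAuthTrustMode (documented Schannel
# setting; the post itself only names the key and the data "2").

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName = 'ClientAuthTrustMode'
$Wanted    = 2   # 2 = Exclusive CA Trust, the mode required for Lync 2013

$TrustModes = @{
    0 = 'Machine Trust (default)'
    1 = 'Exclusive Root Trust'
    2 = 'Exclusive CA Trust'
}

function Get-ClientAuthTrustMode {
    # Returns $null when the value was never created; Schannel then behaves
    # as mode 0 (Machine Trust), which is what broke replication in the post.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-ClientAuthTrustMode
$label   = if ($null -eq $current) { 'not set (defaults to 0, Machine Trust)' }
           else { "$current ($($TrustModes[$current]))" }
Write-Host "Current ClientAuthTrustMode: $label"

if ($current -eq $Wanted) {
    Write-Host 'Trust mode already correct; no change made.'
} else {
    if ($null -eq $current) {
        # Value does not exist yet: create it as REG_DWORD, as the post describes.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Wanted | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Wanted
    }
    Write-Host "ClientAuthTrustMode set to $Wanted. Reboot the Edge server so Schannel picks it up."
}

# After the reboot: every replica should report UpToDate = True. A replica with
# UpToDate = False and an old LastStatusReport (three months in the post's case)
# is the one to investigate.
if (Get-Command Get-CsManagementStoreReplicationStatus -ErrorAction SilentlyContinue) {
    Get-CsManagementStoreReplicationStatus |
        Select-Object ReplicaFqdn, UpToDate, LastStatusReport |
        Format-Table -AutoSize
}
```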
At this point all other services are running fine again; I was able to federate with my own Lync account and the other (small) issues seem to be solved as well.
Unfortunately I was no longer able to figure out what went wrong at this particular customer. Replication hadn’t been running for almost 3 months and it was impossible to check whether any changes or updates were made in that timeframe.
More information regarding TLS/SSL and the Schannel SSP can be found in the following article:
What’s New in TLS/SSL (Schannel SSP) in Windows Server and Windows – http://technet.microsoft.com/en-us/library/hh831771.aspx