Howdy,

Today I’m going to write about a problem I’ve been seeing at customers in a lot of deployments that include Skype for Business or Lync Server on a Windows Server 2012 R2 OS.
Side Note: this blog article was written using my new Lumia 950XL with OneNote and Display dock connected to it, how cool is that 🙂

Scenario:

Lync or Skype for Business deployment with an Enterprise pool including 3 or more frontends inside the pool

Symptoms:

Users are unable to log in to the Lync client, or the frontend services sometimes do not start. When checking the frontends' logs you see Event ID 32042 from LS User Services:

“Invalid incoming HTTPS certificate
Subject Name: xxx Issuer: xxx
Cause: this can happen if the HTTPS certificate has expired or is untrusted. The Certificate serial number is attached for reference….”


Or another one is:
“Sending HTTPS request failed. Server functionality will be affected if messages are failing consistently
 Sending the message to https://<frontend.domain>:444/.. Failed”

Troubleshooting:

If you go and check the mentioned certificate, you notice that all of the “important” certificates Lync needs to function are correctly issued and not expired, and then you start to wonder what the F this event is talking about???

Root cause:

The problem is usually a certificate installed in the wrong container. Windows Server 2012 is more sensitive than older versions of Windows Server when it comes to SSL certificates and TLS connections, and one misplaced certificate can cause a chain reaction of problems on the OS.

Resolution:

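Using PowerShell, check that the Trusted Root Certification Authorities container has no misplaced certificates. Usually admins install the intermediate certificate in the Trusted Root container, causing these problems. The command below lists every certificate in that store whose issuer differs from its subject, that is, every certificate that is not self-signed: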

Get-ChildItem Cert:\LocalMachine\Root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\wrong_certificate.txt"

Examine the content of the text file, where you should find the name of the certificate(s) causing the problem. Locate each one and delete it or move it to the correct container, then restart your server and all should be fine 😉
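
A scripted version of the check and the move described above, as an added example that is not from the original post. The function name Repair-MisplacedRootCert is hypothetical, and the script assumes every non-self-signed certificate found in Trusted Root belongs in the Intermediate Certification Authorities (CA) store.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
#   Repair-MisplacedRootCert | Format-Table        # report only
#   Repair-MisplacedRootCert -Move -WhatIf         # preview the move
#   Repair-MisplacedRootCert -Move                 # move Root -> CA
function Repair-MisplacedRootCert {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Move)

    $storeType = 'System.Security.Cryptography.X509Certificates.X509Store'
    $machine   = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    # New-Object instead of ::new() so this also runs on the PowerShell 4.0
    # that ships with Windows Server 2012 R2.
    $root = New-Object $storeType -ArgumentList 'Root', $machine
    $ca   = New-Object $storeType -ArgumentList 'CA', $machine

    # Only ask for write access when a move was requested.
    $flags = if ($Move) { 'ReadWrite' } else { 'ReadOnly' }
    $root.Open($flags)
    $ca.Open($flags)
    try {
        # Same test as the one-liner: a self-signed root has Issuer equal to
        # Subject, so anything else in this store is treated as misplaced.
        # Snapshot the matches into an array before modifying the store.
        $misplaced = @($root.Certificates | Where-Object { $_.Issuer -ne $_.Subject })

        foreach ($cert in $misplaced) {
            $action = 'Reported'
            if ($Move -and $PSCmdlet.ShouldProcess($cert.Subject, 'Move from Root to CA store')) {
                $ca.Add($cert)       # add to the intermediate store first
                $root.Remove($cert)  # then take it out of Trusted Root
                $action = 'Moved'
            }
            [pscustomobject]@{
                Action     = $action
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
            }
        }
    }
    finally {
        $root.Close()
        $ca.Close()
    }
}
```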