Tuesday, May 14, 2013

Lync Server Access Edge service fails to start with: “… service-specific error code -2146762487”

Problem

Lync Server 2013 Role: Lync Edge

Base Operating System: Windows Server 2012

You attempt to start the Lync Server Access Edge service on your Lync Server 2013 Edge server, but the service fails with the following message:

Windows could not start the Lync Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.

Reviewing the System log on the Edge server shows event ID 7024 errors logged:

The Lync Server Access Edge service terminated with the following service-specific error: A Certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

You confirm that the root certificate issuing your Edge server’s certificate is listed in the Trusted Root Certification Authorities:

You review the certificate assigned to the external interface for the Edge server in the MMC and notice that the certificates in the chain are all listed as "This certificate is OK.":

Solution

For those who have come across one of my previous posts:

Lync Server 2013 Edge server replication issues on Windows Server 2012
http://terenceluk.blogspot.com/2013/04/lync-server-2013-edge-server.html

… will know that I’ve run into a few challenges with Lync Server 2013 Edge servers on a Windows Server 2012 operating system. As noted in the post above, Windows Server 2012 is more stringent when it comes to trusted certificates, and actions such as mistakenly putting an intermediate certificate in the trusted root certificate store can cause replication to stop working between the Edge and front end server. What was interesting about the problem described in this post is that I had the issuing root certificate in the server’s Trusted Root Certification Authorities, and while all indications pointed to the server trusting the certificate being used by the Edge server, the services did not. What I ended up having to do to correct this problem was import the intermediate certificate in the chain into my Intermediate Certification Authorities:

https://certs.godaddy.com/anonymous/repository.pki

A bit strange but something I can live with going forward.
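
The same check can be made from PowerShell instead of the MMC. The script below is an added example, not part of the original post: it lists each certificate in the Edge certificate's chain, reports whether it sits in the machine's Trusted Root or Intermediate Certification Authorities store, and optionally imports an intermediate file. The thumbprint and file path are placeholders to replace.

```powershell
# Added example (not from the original post). Run elevated on the Edge server.
param(
    # Placeholder: thumbprint of the certificate assigned to the Edge external interface.
    [string]$Thumbprint = '<EDGE-EXTERNAL-CERT-THUMBPRINT>',
    # Optional: intermediate CA certificate file downloaded from the issuing CA's repository.
    [string]$IntermediatePath
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\My" }

# Build the chain in machine context. Revocation is skipped so only chain building is tested.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
Write-Host "Chain builds: $built"
$chain.ChainStatus | ForEach-Object { Write-Host "  status: $($_.Status) $($_.StatusInformation.Trim())" }

# A chain can build from cached or downloaded issuers, so check the stores themselves.
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $role = if ($i -eq 0) { 'leaf' } elseif ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
    $inCA   = Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)"
    $note = switch ($role) {
        'intermediate' { if (-not $inCA) { 'MISSING from Intermediate Certification Authorities' }
                         elseif ($inRoot) { 'also present in Trusted Root' } else { 'ok' } }
        'root'         { if ($inRoot) { 'ok' } else { 'MISSING from Trusted Root' } }
        default        { 'ok' }
    }
    [pscustomobject]@{ Role = $role; Subject = $c.Subject; InRoot = $inRoot; InCA = $inCA; Note = $note }
    $i++
}

# Non-self-signed certificates in Trusted Root are the misplacement described in the earlier post.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object Subject, Thumbprint

# Import the intermediate into Intermediate Certification Authorities when a file is supplied.
if ($IntermediatePath) {
    Import-Certificate -FilePath $IntermediatePath -CertStoreLocation Cert:\LocalMachine\CA
}
```

If the chain stops at the leaf with a `PartialChain` status, the issuer could not be located at all; restart the Lync Server Access Edge service after importing the intermediate.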

15 comments:

Anonymous said...

Hey Terence
Thanks heaps, knew it had to be related to certs but fact that it said all certs were OK confused me.


G

Gerald said...

Thanks a lot. I thought it has something to do with my Root CA.

Anonymous said...

How did you know what intermediate certs to use from GoDaddy? I too am having the same issue

thank you in advance for your reply

neoweapon said...

Thanks man. That fixed my issue!

Anonymous said...

Many thanks, my friend,

solved the problem for me

Unknown said...

Thank you. This was a life-saver for sure. I was a bit confused at the solution description but with your good problem description it just had to be this problem.

pesos said...

Hi Terence, any idea why this would all of a sudden happen after months of running just fine? Out of 5 identically configured edge servers, only one got this issue - just out of the blue.

Anonymous said...

Thanks Terence worked perfectly

G

Anonymous said...

My Solution is install Digicert and test key in internal and external certificate

Jay Allred said...

Thanks for the solution. It helped me out of this very error tonight!

Jeoffrey said...

Thanks!! This saved our issue also. Very strange since our edge server was working fine for a few months and suddenly decided to stop working because of this yesterday!

JustPlainWeird said...

A bit different on the EventIDs (14397, 14649, 12303), same startup error message on an Edge server running for over a year. Intermediate certificate just plain gone. Partner server running just fine. After installing the service starts naturally. Ran the digicert utility, turned off Auto Root update. Even assuming that this is what wiped the cert, odder than hell that it only happened on one server

Luciano Ladeira said...

Great.
Worked for me.

Anonymous said...

Many thanks for this article! Worked for me as well.
