Saturday, December 31, 2016

Skype for Business Server Access Edge service does not start

Problem

You’ve noticed that the Skype for Business Server Access Edge service on your Skype for Business Server 2015 Edge server is stopped and the following error is thrown when you attempt to start it:

Windows could not start the Skype for Business Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.


Reviewing the event log displays the following errors:

Log Name: System

Source: Service Control Manager

Event ID: 7031

Level: Error

The Skype for Business Server Access Edge service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 180000 milliseconds: Restart the service.


Log Name: System

Source: Service Control Manager

Event ID: 7024

Level: Error

The Skype for Business Server Access Edge service terminated with service-specific error %%-2146762487.


Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (Configuration failure prevented the server from starting up). The service has to stop.


Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (CERT_E_UNTRUSTEDROOT). The service has to stop.


Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14623

Level: Error

A serious problem related to certificates is preventing Skype for Business Server from functioning.

Unable to use the certificate configured for the external edge of the Access Edge Server.

Error 0x800B0109(CERT_E_UNTRUSTEDROOT).

The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

Cause: The Skype for Business Server failed to initialize with the configured certificate.

Resolution:

Review and correct the certificate configuration, then start the service again.


Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14397

Level: Error

A configured certificate could not be loaded from store. The serial number is attached for reference.

Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).


Clicking on the Details tab shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LS Protocol Stack" />
    <EventID Qualifiers="33769">14397</EventID>
    <Level>3</Level>
    <Task>1001</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-12-30T01:27:45.000000000Z" />
    <EventRecordID>154713</EventRecordID>
    <Channel>Lync Server</Channel>
    <Computer>svr-edge-01.ccs.int</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x800B0109(CERT_E_UNTRUSTEDROOT)</Data>
    <Binary>A6AC495DE63987EAE958F6506F58377D</Binary>
  </EventData>
</Event>


One of the first troubleshooting steps I attempted was from the following blog post, although its instructions do not apply to this situation:

http://www.lyncexch.co.uk/lync-edge-january-2014-cu-update-issue/

However, using the following cmdlets to review the certificates’ serial numbers does not show a match for either:

  • A6AC495DE63987EAE958F6506F58377D
  • D77385F6056F859EAE78936ED594CA6A (reverse of the serial above)

Set-Location Cert:\LocalMachine\My

Get-ChildItem | FL


Get-ChildItem -Path 6224B3942798530F57A6F9BB560061BAF125DF1F | Format-List -Property *


**The serial for this certificate is 68000000BD4AC93CAEFE91A8BB0000000000BD

Get-ChildItem -Path 379944BB47EE3EE70E7ED9E5908041A5556F69CE | Format-List -Property *


**The serial for this certificate is 7D37586F50F658E9EA8739E65D49ACA6

Solution

As I’ve come across a similar problem in the past, I sort of had a feeling that this had to do with a certificate that was missing from the intermediate or root store of the Edge server.  To determine this, open the Certification Path of the certificate being used for the Edge interface:


Note that the issuing Certificate Authorities are:

  • GeoTrust Global CA
  • RapidSSL SHA256 CA

In this environment, the Root certificate GeoTrust Global CA was already in the Trusted Root Certification Authorities but the RapidSSL SHA256 CA was not in the Intermediate Certification Authorities:


I proceeded to obtain the issuing intermediate certificate via RapidSSL’s website:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548


https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO28616


I then installed the certificate.


I was then able to successfully start the Skype for Business Server Access Edge service.
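The serial comparison and the certification path check described above can be scripted. The following is an added example, not part of the original post: event 14397 records the serial with its bytes in the opposite order to the certificate store's display, so the helper reverses two hex digits at a time, then checks whether the matching certificate's issuer is installed and builds the chain. `Convert-EventSerial` and `Test-IssuerInstalled` are hypothetical helper names, and looking up the issuer by subject name is a simplifying assumption.

```powershell
# Added example. $eventBinary is the <Binary> value from event 14397 on this page.
$eventBinary = 'A6AC495DE63987EAE958F6506F58377D'

function Convert-EventSerial {
    # Hypothetical helper: reverse the byte order (two hex digits per byte),
    # not the character order.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length % 2) { throw "Odd number of hex digits: $Hex" }
    $bytes = @(for ($i = 0; $i -lt $clean.Length; $i += 2) { $clean.Substring($i, 2) })
    [array]::Reverse($bytes)
    ($bytes -join '').ToUpperInvariant()
}

function Test-IssuerInstalled {
    # Hypothetical helper: is a certificate whose Subject equals this Issuer present
    # in the Intermediate (CA) or Trusted Root (Root) store of the local machine?
    param([Parameter(Mandatory)]$Certificate)
    $found = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Certificate.Issuer }
    [bool]$found
}

$serial = Convert-EventSerial $eventBinary
$hits   = @(Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $serial })

if (-not $hits) { Write-Warning "No certificate with serial $serial in LocalMachine\My" }

foreach ($cert in $hits) {
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer) (installed locally: $(Test-IssuerInstalled $cert))"

    # Build the trust path; revocation is skipped so only chain errors are reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) {
        "Chain   : OK, $($chain.ChainElements.Count) element(s)"
    } else {
        $chain.ChainStatus |
            ForEach-Object { "Chain   : $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}
```

Reversing A6AC495DE63987EAE958F6506F58377D byte by byte gives 7D37586F50F658E9EA8739E65D49ACA6, the serial of the second certificate listed above.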


1 comment:

Anonymous said...

Thank you so much, we had exactly the same issue due to missing intermediate certificate.