Sunday, April 7, 2019

Skype for Business Server 2019 Edge server fails to replicate with Front-End server

Problem

You’ve just completed deploying a new Skype for Business 2019 Edge but notice that when you review the replication status with the cmdlet Get-CsManagementStoreReplicationStatus, the UpToDate field never changes to True.  Executing the cmdlet Invoke-CsManagementStoreReplication to initiate replication doesn’t change this either.

Reviewing the System log on the Edge server reveals several Schannel errors:

Log Name: System

Source: Schannel

Event ID: 36882

Level: Error

User: NETWORK SERVICE

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.

The following errors are also found in the Lync Server logs:

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14366

Level: Error

User: N/A

Multiple invalid incoming certificates.

In the past 1 minutes the server received 1 invalid incoming certificates. The last one was from host 10.198.40.152.

Cause: This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.

Resolution:

No action needed unless the number of failures is large. Contact the administrator of the host sending the invalid certificate and resolve this problem.

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14366

Level: Error

User: N/A

TLS outgoing connection failures.

Over the past 1 minutes, Skype for Business Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x800B0109(CERT_E_UNTRUSTEDROOT) while trying to connect to the server "contsfbstd01.contoso.com" at address [10.198.40.152:5061], and the display name in the peer certificate is "contsfbstd01.contoso.com".

Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

Log Name: Lync Server

Source: LS Web Conferencing Edge Server

Event ID: 41987

Level: Error

User: N/A

Web Conferencing Server connection failed to establish.

Over the past 1 minutes Skype for Business Server has experienced incoming TLS connection failures 1 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) and the last connection was from the host "".

Cause: This can occur if this box is not properly configured for TLS communications with remote Web Conferencing Server.

Resolution:

Check your topology configuration to ensure that both this host and remote Web Conferencing Server can validate each other TLS certificates and are otherwise trusted for communications.

Solution

This error is typically caused by the Edge server not trusting the certificate presented by the Front-End server: the internal services use a certificate issued by an internal Microsoft Certificate Authority, and because the Edge server is not joined to the domain, it does not trust that issuing authority by default.  To correct the problem, export the certificate of the CA that issued the Front-End server's certificate (and any intermediate CA certificates in the chain) and import it into the Trusted Root Certification Authorities store on the Edge server.
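The export, import and verification steps above, as an added PowerShell example (not part of the original post and not Microsoft's own tooling). It assumes the Front-End presents its default Skype for Business certificate on TCP 5061, that the exported files are copied to the same path on the Edge server out of band, and that the Front-End FQDN is the contsfbstd01.contoso.com from the event log above; the C:\Temp\CAChain path and the Test-PeerCertificateTrust helper are assumptions for illustration.

```powershell
# ---- Part 1: run on the Front-End server (domain-joined, already trusts the internal CA) ----
# Take the default Skype for Business certificate and walk its chain up to the root CA.
$feThumbprint = (Get-CsCertificate -Type Default).Thumbprint
$feCert = Get-Item "Cert:\LocalMachine\My\$feThumbprint"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only need the issuer chain here, not a CRL check
if (-not $chain.Build($feCert)) {
    throw "Chain for $($feCert.Subject) does not build on the Front-End either: $($chain.ChainStatus.Status -join ', ')"
}

# ChainElements[0] is the leaf; everything after it is an issuer. The self-signed
# element (Subject equals Issuer) is the root, the rest are intermediates.
$exportDir = 'C:\Temp\CAChain'                  # assumed path, copied to the Edge out of band
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $c = $_.Certificate
    $file = Join-Path $exportDir ("{0}.cer" -f $c.Thumbprint)
    Export-Certificate -Cert $c -FilePath $file -Type CERT | Out-Null   # DER-encoded, public part only
    "Exported {0} (self-signed root: {1})" -f $c.Subject, ($c.Subject -eq $c.Issuer)
}

# ---- Part 2: run on the Edge server (workgroup, does not trust the internal CA) ----
# Import the root into Trusted Root Certification Authorities and any intermediates
# into Intermediate Certification Authorities, so the chain builds exactly as on the Front-End.
Get-ChildItem "$exportDir\*.cer" | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    $store = if ($c.Subject -eq $c.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $_.FullName -CertStoreLocation $store | Out-Null
    "Imported {0} into {1}" -f $c.Subject, $store
}

# ---- Part 3: verify from the Edge that the Front-End's certificate now chains to a trusted root ----
# Opens a TLS handshake to the peer and records what Schannel-level validation reports,
# which is the same check that produced 0x800B0109 (CERT_E_UNTRUSTEDROOT) before the import.
function Test-PeerCertificateTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 5061)
    $result = [ordered]@{ Host = $HostName; Port = $Port; Trusted = $false; PolicyErrors = $null; Subject = $null; Issuer = $null }
    $callback = {
        param($sender, $cert, $peerChain, $policyErrors)
        $result.PolicyErrors = $policyErrors
        $result.Trusted = ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $result.Subject = $cert.Subject
        $result.Issuer = $cert.Issuer
        $true   # accept so the handshake finishes and we can report; this is a diagnostic, not a client
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the peer may close afterwards for lack of a client cert (MTLS); the callback has already run
        $ssl.Dispose()
    } catch { Write-Verbose "Handshake ended with: $($_.Exception.Message)" }
    finally { $client.Close() }
    [pscustomobject]$result
}

Test-PeerCertificateTrust -HostName 'contsfbstd01.contoso.com' -Port 5061 | Format-List
# Expect Trusted = True and PolicyErrors = None once the root is in Cert:\LocalMachine\Root.

# Finally kick replication and watch UpToDate flip to True.
Invoke-CsManagementStoreReplication
Get-CsManagementStoreReplicationStatus
```

Importing only the root is usually enough, because the Front-End sends its intermediates during the handshake; importing the intermediates as well into Cert:\LocalMachine\CA just removes any dependency on that. Keep the Edge's root store to the internal CA that actually issued the Front-End certificate rather than importing every CA in the forest, and if Test-PeerCertificateTrust still reports RemoteCertificateChainErrors after the import, check the exported file really is the self-signed root (Subject equals Issuer) and reboot the Edge as the event text itself suggests.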

The following event will be logged in the Lync Server logs once replication succeeds:

Log Name: Lync Server

Source: LS Web Conferencing Edge Server

Event ID: 41999

Level: Information

User: N/A

Web Conferencing Server connected successfully

Web Conferencing Server with FQDN contsfbstd01.contoso.com connected successfully

Get-CsManagementStoreReplicationStatus should show that replication has succeeded.