Tag Archives: ssl certificate

Lync 2013 - Failing Voicemail and Forwarded calls after replacing front end ssl certificate

Problem: While setting up my first Lync Enterprise Pool, I generated a new certificate on a new front end server, and replaced the certificate on the first front end server to match. Lync 2013 will accept the change, but you will slowly begin to see Lync's familiar errors such as failures in forwarding calls and contacting voicemail, while services such as IM and direct internal/external calling keep working great.

Solution: Turns out that you must restart, at a minimum, the front-end service on all other machines in the Lync enterprise pool after you apply the new SSL certificate. Unfortunately, this will log your users out of their Lync client for 30 seconds to a minute while the service restarts, but users should be able to remain on a call if the mediation service is still up. Looking forward to when the new SSL certs expire, I would schedule this as maintenance in the evening, when you can simply restart each of the Lync Front End services/servers to prevent unexpected behavior after applying the certificate.
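One way to script the restart described above, as an added example that is not from the original post: it restarts the front-end service (RTCSRV) on each pool member in turn from the Lync Server Management Shell. The pool FQDN is a placeholder, and the ten-minute wait per server is an assumed limit.

```powershell
# Added example, not from the original post.
# Run from the Lync Server Management Shell during a maintenance window,
# with an account that has admin rights on every front end.
$PoolFqdn = 'pool.mydomain.local'   # placeholder (assumption): your Enterprise pool FQDN

# Get-CsPool exposes the member computers of the pool.
$frontEnds = (Get-CsPool -Identity $PoolFqdn).Computers

foreach ($fe in $frontEnds) {
    Write-Host "Restarting front-end service (RTCSRV) on $fe"
    Stop-CsWindowsService  -Name RTCSRV -ComputerName $fe
    Start-CsWindowsService -Name RTCSRV -ComputerName $fe

    # Wait until the service reports Running before moving on,
    # so only one front end is down at any time.
    $deadline = (Get-Date).AddMinutes(10)   # assumed limit
    do {
        Start-Sleep -Seconds 10
        $svc = Get-CsWindowsService -Name RTCSRV -ComputerName $fe
    } until ($svc.Status -eq 'Running' -or (Get-Date) -gt $deadline)

    if ($svc.Status -ne 'Running') {
        # Stop the rollout rather than take a second server down.
        throw "RTCSRV did not return to Running on $fe; stopping here."
    }
}
```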

Here was the error I began to see from the Lync 2013 client while trying to call my voicemail:

The description for Event ID 11 from source Lync cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Lync
80ef01f4
RequestUri: sip:[email protected];opaque=app:voicemail
From: sip:[email protected];tag=693ec81203
To: sip:[email protected];opaque=app:voicemail;tag=7CBCF099907DE2498340425795C4E09A
Call-ID: e3535707c76342fd909faaa232247182
Content-type: multipart/alternative;boundary="----=_NextPart_000_0039_01CE980F.27472B30";call-type=audiovideo

------=_NextPart_000_0039_01CE980F.27472B30
Content-Type: application/sdp
Content-Transfer-Encoding: 7bit
Content-ID: <[email protected]>
Content-Disposition: session; handling=optional; ms-proxy-2007fallback

...........

...........

..........

------=_NextPart_000_0039_01CE980F.27472B30
Content-Type: application/sdp
Content-Transfer-Encoding: 7bit
Content-ID: <[email protected]>
Content-Disposition: session; handling=optional

........

........

........

------=_NextPart_000_0039_01CE980F.27472B30--
Response Data:

183 Session Progress
500 The server encountered an unexpected internal error
ms-diagnostics: 1;reason="Service Unavailable";AppUri="http%3A%2F%2Fwww.microsoft.com%2FLCS%2FDefaultRouting";reason="Failed when constructing the outgoing request";source="lyncserver.mydomain.local";OriginalPresenceState="0";CurrentPresenceState="0";MeInsideUser="Yes";ConversationInitiatedBy="0";SourceNetwork="0";RemotePartyCanDoIM="No"

 

Lync 2013 GUI Error: Unfortunately, I didn't grab a screenshot, but the error I received was "Error ID 1 Source ID 243"

Side notes: When doing a preliminary search on the Lync error (before I made it to Event Viewer), I stumbled across an article by Romans Fomicevs that had the exact same issue as me. He's got some additional tracing and insight on the subject as well; definitely go give him a +1 on his Google page! 🙂 http://blog.yogi-way.lv/2013/07/lync-server-2013-and-new-internal.html

Request SSL Certificate With a Subject Alternative Name (SAN) via enterprise CA with a GUI

For those that want to quickly request a new SSL certificate via your Enterprise Certificate Authority, using a GUI instead of certutil commands, here is a tutorial on how to do so.

  1. Log in to the server that needs the SSL cert with the SAN address.
  2. Click Start->Run->MMC
  3. Click File->Add/Remove Snap-Ins
  4. Select Certificates and click Add >
  5. Select Computer account and click Next >
  6. Click Finish
  7. Click OK
  8. Expand Certificates (Local Computer)->Personal->Certificates
  9. Right click on the right pane and select All Tasks -> Request New Certificate...
  10. Click Next on the Certificate Enrollment screen
  11. Select Active Directory Enrollment Policy and click Next
  12. Check what type of certificate you would like to request and click on the "Click here to configure settings." link
    Note: you must have configured a template for this link to show up. By default you will only see Computer, which will not allow you to request the certificate with the SAN address.
  13. On the certificate properties page, enter the following info for the Subject name
    1. Common name
    2. Country
    3. Locality
    4. Organization
    5. Organization Unit
    6. State
  14. On the certificate properties page, enter the following info for the Alternative Name
    1. DNS of the FQDN (common name)
    2. DNS of the SAN name (short name)
  15. You should now have something like this: [screenshot: certificate request - properties]
  16. Optionally, click on the Private Key tab, expand Key options, and check Make private key exportable
  17. Click OK on the Certificate Properties window
  18. Click Enroll
  19. Click Finish once the request has been signed

At this point, you can export the certificate from the machine or have your application reference it.
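To confirm the enrolled certificate actually carries both names from step 14, the following added example (not part of the original tutorial) lists the certificates in the local computer's Personal store with their SAN DNS entries and flags any expected name that is missing. The host names are placeholders, and the `DNS Name=` label assumes an English-language Windows install with PowerShell 3.0 or later.

```powershell
# Added example, not from the original tutorial.
# Placeholders (assumption): the FQDN and short name entered in step 14.
$ExpectedDnsNames = @('server01.mydomain.local', 'server01')

$sanOid = '2.5.29.17'   # OID of the Subject Alternative Name extension

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    # Format($false) renders the extension on one line,
    # e.g. "DNS Name=a.example, DNS Name=a" on English Windows.
    $sanNames = @()
    if ($san) {
        $sanNames = @($san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').ToLower() })
    }

    # Expected names that do not appear in the SAN extension.
    $missing = @($ExpectedDnsNames |
        Where-Object { $sanNames -notcontains $_.ToLower() })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SanDnsNames   = $sanNames -join ', '
        MissingNames  = $missing -join ', '
    }
} | Where-Object { $_.SanDnsNames } | Format-List
```

An empty MissingNames on the new certificate means both the FQDN and the short name made it into the SAN; HasPrivateKey should be True before you point an application at it.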