Windows Server 2012 Certificate issues with Lync.

Windows Server 2012 introduced tighter certificate handling, and some administrators have run into “strange” error scenarios because of it: features stop working and servers misbehave with no obvious cause.

In Lync, one of the most common symptoms is that federation stops working. In most cases you will see messages in the event log on your Access Edge server indicating that something is wrong with the certificates. Windows Server 2012 handles certificates more strictly than previous server versions, and the store each certificate is placed in is critical.

Make sure that no intermediate CA certificates are placed in the Trusted Root Certification Authorities store; they belong in the Intermediate Certification Authorities store. Anything in the Root store is treated as a trust anchor, so an intermediate placed there breaks chain building on the server and strange errors start to appear in the event logs.

To check whether certificates are in the wrong store, run the following PowerShell command. It lists every certificate in the Local Machine Trusted Root store whose Issuer differs from its Subject (a genuine root CA certificate is self-signed, so the two are equal) and writes the details to a file:

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
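The one-liner only reports. The script below is an added example (not part of the original post) that applies the same Issuer/Subject test, optionally moves the offending certificates from the Root store to the Intermediate Certification Authorities store using the .NET X509Store API, and then checks that the server's own certificates in LocalMachine\My still build a valid chain. The `-Fix` switch and the function names are my own; run it from an elevated PowerShell prompt on the Edge or Front End server in question.

```powershell
# Added example, not from the original post. Reports non-self-signed certificates
# sitting in the LocalMachine Trusted Root store, moves them to the Intermediate
# ("CA") store when -Fix is given, and then verifies chain building for the
# server's own certificates (LocalMachine\My, where the Lync/Edge certs live).
# Requires an elevated prompt; without -Fix nothing is changed.
param(
    [switch]$Fix
)

function Get-MisplacedIntermediate {
    # A genuine root CA certificate is self-signed, so Issuer equals Subject.
    # Anything else in the Root store is an intermediate (or leaf) in the wrong place.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject }
}

function Move-ToIntermediateStore {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store 'CA', 'LocalMachine'
    try {
        $root.Open('ReadWrite')
        $ca.Open('ReadWrite')
        $ca.Add($Cert)        # add first, so a failure here leaves the original in place
        $root.Remove($Cert)
    } finally {
        $root.Close()
        $ca.Close()
    }
}

function Test-ServerCertificateChains {
    # Build the chain for every certificate with a private key in LocalMachine\My
    # and report chain-status errors. Revocation is skipped on purpose: this is an
    # offline check of store placement, not of CRL/OCSP reachability.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $ok = $chain.Build($_)
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            ChainValid = $ok
            Status     = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
}

$misplaced = @(Get-MisplacedIntermediate)
if ($misplaced.Count -eq 0) {
    Write-Host 'No intermediate certificates found in LocalMachine\Root.'
} else {
    Write-Host "$($misplaced.Count) certificate(s) in LocalMachine\Root are not self-signed:"
    $misplaced | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize
    if ($Fix) {
        foreach ($c in $misplaced) {
            Move-ToIntermediateStore -Cert $c
            Write-Host "Moved $($c.Thumbprint) ($($c.Subject)) to LocalMachine\CA"
        }
    } else {
        Write-Host 'Re-run with -Fix to move them to the Intermediate Certification Authorities store.'
    }
}

Write-Host 'Chain check for certificates in LocalMachine\My:'
Test-ServerCertificateChains | Format-Table -AutoSize
```

Review the reported list before using `-Fix`: the Issuer/Subject test is a heuristic, and a cross-signed CA certificate or an internal root with an unusual name pattern can show up in it even though it belongs in the Root store. After moving certificates, restart the Lync services so they pick up the corrected chain.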

Migrating from Lync 2010 to Lync 2013: Points to remember

This post focuses on some key points I’ve come across when migrating from Lync 2010 to Lync 2013 (each of which caused small delays in progress :)).

  1. Static routing: one of my first migrations took a bit longer to complete due to faulty routing on the new Edge server. The static routes were created on the server before the NIC was activated, which led to a failure to communicate. Once the routes were deleted and recreated, everything worked like a charm.
  2. Office Web Apps Server has to be published to the Internet over HTTPS with a valid SSL certificate, otherwise you won’t be able to share PowerPoint presentations with your federated contacts. Consider using the same URL for internal and external use, because then one SSL certificate serves both sites in IIS.
    How to publish Office Web Apps server
  3. Mobility login: problems with Exchange Web Services (EWS). Make sure the Exchange Web Services external URL is set correctly. Consider using the same URL for internal and external web services.
    This script provided by MVP Ståle Hansen is an excellent resource for setting Exchange URLs.
  4. External web services URL: remember to change the External Web Services FQDN on the new Front End pool; your web services won’t work unless you do 🙂
    (Screenshot: Lync web services URL setting)
  5. Client version policy: remember to allow legacy clients to log in to the new Lync 2013 server. By default, Lync 2010 clients older than 4.0.7577.4103 (CU6, June 2012) are blocked.

    (Screenshot: Lync 2013 default client version policy)
    Change the version number to 4.0.7577.0108, the comparison operation to “Newer than or same as” and the action to “Allow” to allow all Lync 2010 client releases. Treat this as a migration-period exception: once the legacy clients are upgraded, put the block back, since unpatched clients are a liability.
  6. This applies only to Lync 2013 on Windows Server 2012.
    After installing Lync on Windows Server 2012, replication between the Edge server and the Front End stops working. This can be a result of the stricter certificate handling on Windows Server 2012 (see the certificate post above). Check out this post by Terence Luk on how to fix the problem, or this article by Herman Seminiano for an alternative approach. Both solutions fix the problem.
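Points 4 and 5 above can be checked and applied from the Lync Server 2013 Management Shell. The script below is an added example, not from the original post: the pool and URL names are placeholders, the rule-matching criteria are my own, and the version values are the ones the post gives (4.0.7577.108 entered as QfeNumber 108; the leading zero in 0108 is only display).

```powershell
# Added example, not from the original post. Lync Server 2013 Management Shell
# commands for points 4 (external web services FQDN) and 5 (client version policy).
# Pool and URL names below are placeholders; run with RTCUniversalServerAdmins rights.

# --- Point 4: check the external web services FQDN on every Front End pool ---
# A pool whose ExternalFqdn is empty, or still equals the internal pool FQDN,
# will not serve external web services (mobility, address book, meeting content).
Get-CsService -WebServer |
    Select-Object PoolFqdn, InternalFqdn, ExternalFqdn |
    Format-Table -AutoSize

# Setting it here is equivalent to editing "External web services FQDN" in Topology
# Builder; the topology still has to be published, the Front End re-run through the
# Deployment Wizard, and the certificate reissued if the name is new.
# Set-CsWebServer -Identity 'WebServer:fe-pool.contoso.local' -ExternalFqdn 'lyncweb.contoso.com'

# --- Point 5: relax the default Lync 2010 block rule in the Global policy ---
# The Global client version policy ships with a rule that blocks Lync 2010
# (user agent "OC") clients older than 4.0.7577.4103. Locate that rule and change
# it as described above: 4.0.7577.108, "Newer than or same as" (GEQ), Allow.
$rule = Get-CsClientVersionPolicyRule |
    Where-Object {
        $_.Identity -like 'Global/*' -and $_.UserAgent -eq 'OC' -and
        $_.MajorVersion -eq 4 -and $_.MinorVersion -eq 0 -and
        $_.BuildNumber -eq 7577 -and $_.Action -eq 'Block'
    }

if (-not $rule) {
    throw 'Default Lync 2010 block rule not found in the Global client version policy.'
}

Set-CsClientVersionPolicyRule -Identity $rule.Identity `
    -QfeNumber 108 -CompareOp GEQ -Action Allow `
    -Description 'Migration exception: allow legacy Lync 2010 clients; revert after cut-over'

# Verify the resulting OC rules in priority order (lowest Priority is evaluated first).
Get-CsClientVersionPolicyRule |
    Where-Object { $_.Identity -like 'Global/*' -and $_.UserAgent -eq 'OC' } |
    Sort-Object Priority |
    Format-Table Priority, MajorVersion, MinorVersion, BuildNumber, QfeNumber, CompareOp, Action -AutoSize
```

The `Description` text is there so the exception is visible to whoever audits the policy later; revert the rule (or set its action back to Block) once the last Lync 2010 clients are gone, because the relaxed rule lets unpatched clients sign in.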

This post will be updated as I discover more points to remember during future migration projects.