For this week, I have a short post documenting a serious error we encountered while installing Lync Server 2013.
A fix is available (thankfully). But it took us hours of back-and-forth research to locate it. I hope this post will save our readers all that time!
Stuck on an Internal Certificate Error…or Are We?
When we left off at Part 6, Larry and I were waiting for a new Active Directory server to finish installing. We wanted to use the new 2012 Certificate Services to issue internal certs for Lync Server.
Once AD had finished, we made a cert request. The cert issued, and we downloaded it to a file. The cert was placed in “Trusted Root Cert Authorities” for both the user and the Lync 2013 local machine.
However, we still had no luck. Lync would not recognize the cert.
Re-issuing the cert and adding it just to the local machine worked better; it was recognized for “Web services internal” in the Certificate Wizard. Recall that we already had an external cert for external Web services.
Everything looks okay now…but Lync’s not working. We were unable to connect to the server with a test account (not even for IM).
We tried reworking the cert, restarting the servers, going back in the Lync 2013 install process…nothing.
The error was not in the Certificate Wizard though. It was somewhere else.
Error: Lync Front End Service Appears Active (But Really Isn’t)
While we investigated, Larry checked the services running in the background. The Lync Front End service did appear in the services listing. Despite this, Lync would only connect for a moment–and then drop.
However, this service was a ghost!
According to this TechNet forum thread, the Lync Front End service had not activated properly.
Lync 2013 Enterprise Pool Front-End Service doesn’t start – Lync Server 2013 TechNet Forums
This error is NOT in current Microsoft documentation.
The solution was a fix from a Microsoft engineer (posted to the above thread by RSudmeijer):
Please note this will lower security so I don’t know if this has any security impact for Server 2012 and Lync. And if this will be the fix that Microsoft will offer. But the solution works for testing until further notice.
On the Front-End server create the following registry:
Create a registry key named ClientAuthTrustMode and set value to 2.
Restart the machine after making the changes. Once the server is restarted, check if the service is started.
This error only occurs during a migration from Lync Server 2010 to Lync Server 2013.
The fix corrected the Front End server issues, AND allowed for internal certificate retrieval.
Once Larry implemented this, we were able to test Lync 2013 via IM.
Larry also pointed the 2010 topology to the 2013 Edge server. External DNS must point to new Edge only. The new Edge Server (provided DNS is updated) will work for both 2013 and 2010 users.
And that’s how we fixed the most challenging error Lync Server 2013 gave us. All that was left was installing Mobility services, installing the Web Apps server, and testing. Look for more on those next week!