“Presence Unknown” for federated partners after replacing Lync 2013 Edge server external certificate


First things first: It’s not your fault.

Now let’s get to business:
I replaced the external Edge server certificate for a server, all by the book: multi-SAN, trusted root and intermediate, all good.
However, for some of the federated partners, they went to “Presence unknown”. The same goes for my presence when they look for me:


A quick look at their Event Viewer turned up LS Protocol Stack Event ID 14428:

“Over the past ‘XX’ minutes, Lync Server has experienced TLS outgoing connection failures 2 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to the server “sip.domain.com” at address [<IP ADDRESS>:5061], and the display name in the peer certificate is “Unavailable”.
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution:
Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.”


The first thing you’d suspect is that the root CA of your certificate is not really trusted. Luckily, since we use the same certificate for our meeting URLs, we were able to rule that out: we could verify that the certificate is trusted all the way to the top of the chain.

Since we had this issue with more than one partner, I was able to verify two ways of clearing this inconvenience:

1. Restart the Edge Access Service on the partner’s Edge server. That is, of course, if you want to lose your job and reputation.
2. Run ipconfig /flushdns on the partner’s Edge server. This will force the Edge server to re-query your _sipfederationtls record, and the new connection will present it with the new certificate.
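To see what a partner’s Edge server sees before asking anyone to flush anything, the following PowerShell check (an added example, not part of the original post) resolves the _sipfederationtls SRV record, captures the certificate presented on port 5061, and reports the SAN match and chain trust that Event ID 14428 complains about. It assumes a Windows host with outbound TCP 5061 to the partner; “domain.com” is a placeholder for the partner’s SIP domain.

```powershell
# Added diagnostic, not code from the original post. $SipDomain is a placeholder.
param([string]$SipDomain = "domain.com")

# 1. Resolve the federation SRV record the way the Edge server does after a flushdns.
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$SipDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight | Select-Object -First 1
$target = $srv.NameTarget; $port = $srv.Port
Write-Host "SRV record points to ${target}:${port}"

# 2. Open a TLS session and capture the certificate the peer presents. The callback
#    returns $true so our own trust store does not abort the handshake; the chain is
#    evaluated separately below. If the handshake fails after the certificate was sent
#    (Edge federation expects a client certificate, which we do not offer), the
#    capture is still filled.
$capture = @{ Cert = $null }
$tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $capture.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try { $ssl.AuthenticateAsClient($target) }
catch { Write-Warning "Handshake ended with: $($_.Exception.Message)" }
finally { $ssl.Dispose(); $tcp.Close() }
if (-not $capture.Cert) { throw "No certificate received from ${target}:${port}" }
$cert = $capture.Cert

# 3. Does a SAN entry cover the SRV target? (-like handles wildcard SANs such as *.domain.com.)
$sans   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = [bool]($sans | Where-Object { $target -like $_ })

# 4. Does the chain build to a root this machine trusts? (The 0x80090325 case.)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"SAN names   : $($sans -join ', ')"
"Name match  : $nameOk"
"Chain trust : $trusted"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    "  - $($el.Certificate.Subject)  [$(if ($status) { $status } else { 'OK' })]"
}
```

If “Name match” and “Chain trust” are both True from the partner’s side but they still log 14428 against the old certificate details, the Edge server is working from cached data, which is the case the flushdns step addresses.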

Bruce is back online now!



4 thoughts on ““Presence Unknown” for federated partners after replacing Lync 2013 Edge server external certificate”

  1. Guy Bachar

    In case you are using DigiCert Certificates, a really nice tool would be the DigiCert util which will Fix intermediate certificate problems or install new root CA in case those are missing:
    https://www.digicert.com/util/
    Another great service will be the DigiCert diagnostic tool which will help you to verify a federated partner certificate and certificate chains in case those are missing on your side:
    http://www.digicert.com/help/

  2. Hello,
    I have a Lync Server 2013 and an Edge Lync 2013.
    I don’t know how, but all the Lync 2013 clients have the contacts appear as “Presence unknown” on Relationship.
    On Status, no contact appears.
    On Group, nothing appears.
    I don’t know why.
    Other users from other companies can still see my presence on their Lync client.
    I hope you can help me; what can we do to troubleshoot this and fix the issues?
    Thanks

  3. lebricoleur974

    When I said that on Group nothing appears, really nothing appears, no group favorite or other contacts…
    And I have tested with another user of my company; it seems to work fine on the same Lync client, sees status correctly, groups and all good.
    Please, can you help me?
