“Presence Unknown” for federated partners after replacing Lync 2013 Edge server external certificate

First things first: It’s not your fault.

Now lets’ get to the business:
I replaced the external Edge server certificate for a server, all by the book; Multi-SAN, trusted root and intermediate, all good.
However, for some of the federated partners, the went “Presence unknown”. Same goes for my presenceĀ when they’re looking for me:

springsteen unknown

Quick look at their Event Viewer I found LS Protocol Stack Event ID 14428:

“Over the past ‘XX’ minutes, Lync Server has experienced TLS outgoing connection failures 2 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to the server “sip.domain.com” at address [<IP ADDRESS>:5061], and the display name in the peer certificate is “Unavailable”.
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.”


First thing you’d suspect is that the root CA of your certificate is not really trusted. luckily, using the same certificate for our meeting urls, we were able to rule that out as we could verify that the certificate is trusted all the way to the top of the chain.

Since we had this issue with more than one partner, I was able to verify two ways of clearing this inconvenience:

1. Restart the Edge Access Service on the partner’s Edge server. That is, of course, if you want to lose your job and reputation.
2. run ipconfig /flushdns on the partner’s Edge server. this will force the Edge server to requery for your _sipfederationtls record and will present the Edge server with the new certificate.

Bruce is back online now!

Springsteen online