Sunday, August 17, 2014

Lync Edge Certificates

Are you having problems starting your Edge server role?

Is your Edge service complaining that the certificate is not accessible? Do you get this dreaded error, Event ID 14591?

Event ID: 14591
Error 0xC3FC7D95 (LC_E_VALIDATION_CERT_NO_KEYEXCHANGE)
Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Fear not, you are not alone. After banging my head against the wall for a few days, rebuilding the Edge server from scratch, and trying out a bunch of different certificate templates, I have finally found the solution...

Although Microsoft Windows is happy with many types of cryptographic providers, Lync, alas, only accepts the "Microsoft RSA SChannel Cryptographic Provider".

Next time you issue a certificate, make sure you choose the "Microsoft RSA SChannel Cryptographic Provider".

To make this more informative, I have added below the certificate template options that should be used for generating Lync certificates...

    • General Tab: don't select the option to publish the certificate to Active Directory, as the Lync Edge server cannot access AD and is not authorized to do so.
    • Request Handling Tab: choose the Purpose "Signature & Encryption" and allow the private key to be exported.
    • CSP Selection (Request Handling Tab): choose only the "Microsoft RSA SChannel Cryptographic Provider".
    • Extensions Tab, Application Policies: choose "Server Authentication".
    • Extensions Tab, Key Usage: choose "Allow key exchange only with key encryption".
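Two things a practitioner wants alongside the list above: a way to request a certificate with exactly these settings without clicking through the template UI, and a way to check an already-installed certificate for the provider, key type, key usage and application policy the post calls out, so the Event 14591 cause can be confirmed before rebuilding anything. The PowerShell below is an added example and is not from the original post or from Microsoft; it assumes Windows PowerShell on the .NET Framework (where `X509Certificate2.PrivateKey` exposes `CspKeyContainerInfo` for legacy CSP keys), and the host name and file paths are placeholders. The mapping of the template options to certreq `.inf` keys is my own reading of those options, not something the post states.

```powershell
# Added example (not part of the original post). Builds a certreq .inf that
# mirrors the template settings listed above, and checks an installed
# certificate against them. All names and paths below are placeholders.

function New-LyncEdgeCertRequestInf {
    param(
        [Parameter(Mandatory)][string]$SubjectName,   # e.g. sip.example.com (placeholder)
        [Parameter(Mandatory)][string]$OutFile
    )
    # KeySpec 1 = AT_KEYEXCHANGE (the key may be used for key exchange, not
    # signature-only, which is what LC_E_VALIDATION_CERT_NO_KEYEXCHANGE complains about).
    # KeyUsage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20).
    # ProviderName / ProviderType 12 select the legacy Microsoft RSA SChannel CSP.
    $inf = @"
[NewRequest]
Subject = "CN=$SubjectName"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    Set-Content -Path $OutFile -Value $inf -Encoding Ascii
    return $OutFile
}

function Test-LyncEdgeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $expectedProvider = 'Microsoft RSA SChannel Cryptographic Provider'

    # 1. Private key must be in the SChannel CSP and be an exchange (AT_KEYEXCHANGE) key.
    if (-not $Certificate.HasPrivateKey) {
        $problems.Add('No private key associated with this certificate')
    }
    else {
        try { $key = $Certificate.PrivateKey } catch { $key = $null }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $key.CspKeyContainerInfo
            if ($info.ProviderName -ne $expectedProvider) {
                $problems.Add("Provider is '$($info.ProviderName)', expected '$expectedProvider'")
            }
            if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $problems.Add("Key is a $($info.KeyNumber) key, expected an Exchange key")
            }
        }
        else {
            # PrivateKey is null or not an RSACryptoServiceProvider: the key is held by
            # a CNG key storage provider, not the legacy SChannel CSP.
            $problems.Add('Private key is not held by a legacy CSP (likely a CNG key storage provider)')
        }
    }

    # 2. Key Usage must include keyEncipherment ("key exchange ... with key encryption").
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (-not $ku) {
        $problems.Add('No Key Usage extension present')
    }
    elseif (-not ($ku.KeyUsages -band $kuFlags::KeyEncipherment)) {
        $problems.Add("Key Usage is '$($ku.KeyUsages)', keyEncipherment missing")
    }

    # 3. Application policy (EKU) must include Server Authentication.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems.Add('Enhanced Key Usage does not include Server Authentication')
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder values):
#   New-LyncEdgeCertRequestInf -SubjectName 'sip.example.com' -OutFile 'C:\Temp\edge.inf'
#   certreq -new C:\Temp\edge.inf C:\Temp\edge.req   # submit edge.req to the CA, then certreq -accept the result
#   Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LyncEdgeCertificate -Certificate $_ } | Format-List
```

Run the check on the Edge server itself, since the private key and its CSP binding only exist in that machine's store. A certificate that passes all three checks but still triggers Event 14591 points at the "permissions are not set correctly" branch of the event's cause text (the service account cannot read the key file) rather than at the template.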