About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2014/06/26

Lync 2013 Server 2012 replication issues

A slightly different twist on an old issue

Situation

I had a client using Windows Server 2012 as the OS for a Lync 2013 deployment. Replication between the Edge and the Front End Enterprise Pool was not working. Everything appeared to be set correctly: you could browse to the replication location for the Edge (https://serverfqdn.domain.com:4443/ReplicationWebService), and you could telnet to the Edge server on 4443.

The Fix

We are using all public certificates from a well-known CA (GoDaddy), so the certificates not being trusted from domain member to non-domain member was clearly not the issue.

After a bit of searching, you find that adding some registry values under the SCHANNEL key on the Edge servers and the Front End Pool members will resolve the issue.

Like so:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

Or, for you PowerShell freaks out there: (lines wrapped)

New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name ClientAuthTrustMode -Value 2 -propertytype "DWord"
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name SendTrustedIssuerList -Value 0 -propertytype "DWord"

If you want to get real fancy, you can affect multiple domain servers using remote PS.  For my current project I did this for 20 servers, 12 domain members and 8 out in the DMZ.

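# Prompt for an account with admin rights on the target server
$credential = Get-Credential -Credential domain\user
# Open an interactive remote session (replace FQDN with the server name)
Enter-PSSession -ComputerName FQDN -Credential $credential
# Same two values as above, now written on the remote server
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name ClientAuthTrustMode -Value 2 -PropertyType DWord
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name SendTrustedIssuerList -Value 0 -PropertyType DWord
Exit-PSSession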
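
The same change pushed to a list of servers in one pass, as an added example that is not part of the original post: it reports the current SCHANNEL values first and only writes them when $apply is set. The server names and the $apply switch are assumptions for illustration; the three values are the ones from the post.

```powershell
# Added example. Server names are placeholders, not taken from the post.
$servers    = 'fe01.domain.com', 'fe02.domain.com', 'edge01.domain.com'
$credential = Get-Credential
$apply      = $false   # $false = report only, $true = write the values

$results = Invoke-Command -ComputerName $servers -Credential $credential `
    -ArgumentList $apply -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    param([bool]$Apply)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $wanted = [ordered]@{
        EventLogging          = 1  # log Schannel errors to the System event log
        ClientAuthTrustMode   = 2  # 2 = Exclusive CA Trust for client certificates
        SendTrustedIssuerList = 0  # 0 = do not send the trusted issuer list in the handshake
    }
    foreach ($name in $wanted.Keys) {
        # A missing value reads back as $null
        $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Apply -and $before -ne $wanted[$name]) {
            # -Force overwrites an existing value; without it New-ItemProperty
            # errors when the value is already present
            New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
                -PropertyType DWord -Force | Out-Null
        }
        $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name      = $name
            Before    = $before
            After     = $after
            Compliant = ($after -eq $wanted[$name])
        }
    }
}

# One row per server and value, so drift is visible at a glance
$results | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, Before, After, Compliant -AutoSize

# Servers that returned nothing (unreachable, access denied) still need attention
$missing = $servers | Where-Object { $_ -notin $results.PSComputerName }
if ($missing) { Write-Warning ("No result from: " + ($missing -join ', ')) }
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

For non-domain Edge servers in the DMZ, WinRM needs a TrustedHosts entry or an HTTPS listener plus a local account credential, so run them as a separate batch.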

For you reg /s fans, copy the following to a handy file of your own with a .reg extension and click away.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

As always, YMMV
