Our Lync 2013 Enterprise Edition Front End Pool consists of 3 servers dispersed globally.
Renewing Lync Server 2010/2013 Certificates. This article focus on Internal Certificate renew (we’ll explain the differences to External Certificate Request in the end). External Certificate Request (Edge) The same process can be followed for External Certificate Renewal/Request. If your organization wants to support public IM connectivity with AOL, you must use Windows PowerShell instead of the Certificate Wizard to request the certificate to be assigned to the external edge for the Access Edge service. This is because the Lync Server 2013 Web Server template that the Certificate Wizard uses to request a certificate.
We had some issues where users weren't able to join Lync meetings and determined there was a certificate issue on one of the FE's.
That was resolved, but now for some reason the other 2 FE's now show missing OAuthTokenIssuer certificates despite it showing correctly on the 3rd.
EXAMPLE GOOD SERVER IN THE POOL:
EXAMPLE BAD SERVER IN THE POOL:
My understanding from TechNet's article Assigning a server-to-server authentication certificate to Microsoft Lync Server 2013 states:
Lync Server's replication service will then automatically create a set of scheduled tasks that will decrypt and deploy the certificate to all your Front End Servers.
So I'm lost as to why the other 2 FE servers aren't showing the OAuth cert anymore, when they were yesterday? I would restart the FE services but my experience in the past has been that it won't come back up if it doesn't see valid certs.
Is there a way to determine what happened to these certs on the problem FEs? Potential log files or Powershell commands? I've tried
Get-CsCertificate -Type OAuthTokenIssuer
to no avail, it reports back an error finding the cert.TheCleaner
TheCleanerTheCleaner28.4k2323 gold badges111111 silver badges183183 bronze badges
1 Answer
TROUBLESHOOTING
The following cmdlets were ran on the 3 FE’s:
Get-CSManagementStoreReplicationStatus
= Returned expected positive resultsInvoke-CSManagementStoreReplication
= Ran and waited for replication- All 3 servers returned true expected results after running
Get-CSManagementStoreReplicationStatus
again Get-CsCertificate –Type OAuthTokenIssuer
= Failed to find cert still
ANSWER
In the end however, the simplest answer is usually the best. Since the Lync Deployment Wizard has a step, STEP 1, that grabs all the replication certs from the Central Store, I went ahead and rand that Step again from the Deployment Wizard on the two problematic Front End servers. The results showed successful, and when I went and looked again the cert was now there.
Hope that helps someone else.
TheCleanerTheCleaner28.4k2323 gold badges111111 silver badges183183 bronze badges
Not the answer you're looking for? Browse other questions tagged lync-2013 or ask your own question.
A consultant setup our Lync 2013 server about a year ago and that includes the following servers.An internal Lync front end server - lync.domain.com
An external Lync edge server in the DMZ - lyncedge.domain.com
Office Web Apps in the DMZ for sharing office documents in Lync online meetings - webapps.domain.com
An IIS AAR Reverse Proxy in the DMZ and in the Intermediate DMZ. This is the actual endpoint if your off our network, all the appropriate IP's come into this guy, which does the job of directing you to the proper resources internally.
We have recieved an email from GoDaddy that states the following:
As we mentioned earlier, we recently switched from using SHA-1 certificates to the more secure SHA-2 algorithm for new certificates.
Google Chrome is a very popular internet browser. Starting in November, they'll begin displaying errors on the padlock icon for any website using SHA-1 SSL certificates.
It appears the following SSL certificate(s) are still using the SHA-1 algorithm. Please re-key them now to update to SHA-2 and avoid problems in November.
lync.domain.com
lyncedge.domain.com
webapps.domain.com
Please re-key your certificate(s) today to avoid alarming any visitors on your website. If you have any questions, take a look at the instructions below or call our SSL team at (480) 463-8887.
Sincerely,
GoDaddy
Follow these directions to re-key your certificate:
1. Log in to your Account Manager.
2. Click SSL Certificates.
3. Next to the certificate you want to re-key, click View Status.
4. Click Manage.
5. Click Re-Key certificate.
6. In the Certificate Signing Request (CSR) field, paste your new CSR, including:
---BEGIN NEW CERTIFICATE REQUEST--- and ---END CERTIFICATE REQUEST---
7. Click Save.
8. Click Submit All Saved Changes.
Now I don't want to forget anything as this is in production and people are using Lync. What is the proper order of getting the new certificates installed and where do I go about getting the CSR (from which server(s))?
![Edge Edge](http://image.slidesharecdn.com/lynccertificateassignments-130610052445-phpapp02/95/lync-certificate-planning-and-assignments-7-638.jpg?cb=1370842193)
![Edge Edge](/uploads/1/2/4/7/124781582/944661972.jpg)