Lync 2013: Certificate requirements for Lync 2013 Edge server

In recent weeks I have been installing Lync in a large environment for one of our customers. During the implementation everything went very smoothly, until the last two days. First we discovered some trouble using mandatory profiles, and second we faced issues with federation. During the initial tests we noticed that federation was working for presence information and chat messages; however, starting audio/video and starting a conference between a federated user and an internal user was where the trouble started.

After doing a lot of research and checking the environment we were totally out of ideas! All ports and IP addresses were set correctly and all best practices were followed. During our search we found, in chapter 9 of the Lync 2010 and Lync 2013 Resource Kit, a reference to a utility called MSTurnPing.exe. Using MSTurnPing.exe we are able to test the A/V Authentication Service and the A/V Edge Services. Running this tool from the ‘Lync 2013 Management Shell’ on a Front-End Server yields a lot of useful results. To run it, navigate to the folder where it is located and execute the following command in the Lync 2013 Management Shell:

.\MSTurnPing.exe -ServerRole AudioVideoEdgeServer

During the execution of this tool we got the following results:

Exception Message: The target principal name is incorrect
Cause: Lync Server Audio/Video Authentication service is not started
Resolution: Start Lync Server Audio/Video Authentication Service

After these messages I was a bit confused, because the A/V Authentication service was already started on the Edge server and all other components (starting an audio/video conference with external users) seemed to work fine. After digging around, someone suggested having a look at the certificate. The initial certificate contained no additional Subject Alternative Names (SANs). These SANs were also not proposed by the deployment wizard, and thus were not added by us. Reading through blogs and discussion boards, people stated that the Edge pool FQDN and the server FQDN needed to be added as SANs in the certificate (not sure why the pool FQDN should be added, as this was already the Subject Name of the certificate; however, we followed the advice and added the pool FQDN as well). This requirement is not explicitly stated in this TechNet article.

Following these suggestions, we decided to replace the certificate on the Edge internal interface. After a while (requesting certificates from the Edge server against the internal CA wasn’t that easy) the new certificate was requested and assigned to the Edge internal interface. To make sure the new certificate is used by the services, the server was rebooted. After the reboot I ran MSTurnPing.exe once again and received notifications that everything works perfectly.

(Screenshot: MSTurnPing results)

The second step in testing, creating a call between a federated user and an internal user, also worked perfectly: we were able to add audio and video, and to create a conference during the meeting. After these tests everyone concluded that the requested functionality is working!


Make sure that the server FQDN and the Edge pool FQDN are added as SANs to your Edge internal interface certificate, so that all calls are accepted and can be upgraded to a conference.
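To verify this before reaching for MSTurnPing.exe, the following PowerShell script (an added example, not from the original post) reads the certificate bound to the Edge internal interface and checks that both names are present as SANs. It assumes the Lync cmdlets are loaded (Get-CsCertificate -Type Internal) and the pool FQDN is a placeholder you replace with your own.

```powershell
# Added example: check the Edge internal certificate for the server FQDN and
# the Edge pool FQDN as Subject Alternative Names. Run in the Lync Management
# Shell on the Edge server. The pool FQDN is a placeholder; replace it.
param(
    [string]$PoolFqdn   = 'edgepool.example.com',   # placeholder value
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Get-CsCertificate -Type Internal returns the certificate assigned to the
# Edge internal interface (assumes the Lync cmdlets are available).
$assigned = Get-CsCertificate -Type Internal
if (-not $assigned) { throw "No certificate is assigned to the Edge internal interface." }

# Open the same certificate from the machine store via its thumbprint.
$cert = Get-Item ("Cert:\LocalMachine\My\{0}" -f $assigned.Thumbprint)

# Parse the SAN extension (OID 2.5.29.17). Format($true) prints one entry per
# line, e.g. "DNS Name=edge01.contoso.local", which the regex picks out.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
}

Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("SANs    : {0}" -f ($sans -join ', '))

# Both names must be SANs; a Subject CN alone is not enough for this check.
$missing = @($ServerFqdn, $PoolFqdn) | Where-Object { $sans -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning ("SAN entries missing from the Edge internal certificate: {0}" -f ($missing -join ', '))
    Write-Warning "Re-request the certificate with these names, assign it, and reboot before re-testing."
} else {
    Write-Host "Server FQDN and Edge pool FQDN are both present as SANs." -ForegroundColor Green
}
```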


Lync 2010/2013 and mandatory Windows profiles

During the last couple of weeks I have been implementing Lync Server 2010 and Lync Server 2013 in various environments. In these implementations Citrix played a major role, as the users’ desktops are provided by the Citrix platform. The installation process when using Lync within Citrix is exactly the same. Even during planning and configuration there isn’t a lot to worry about when using Citrix. Of course you have to plan for the number of users and the tasks they perform, and perhaps also look at the options and support for desktop virtualization, and the supportability of the Lync client by Microsoft and Citrix. However, the major pains begin when the testing phase starts.

When a user logs into a Citrix-hosted desktop, a Windows profile is used. Within this profile the ‘home directory’ and other information is stored. As users work on a remotely hosted workspace, it may not be desirable for them to be able to modify computer settings; the only thing users should be able to change is their own desktop. To enforce these permissions, special user profiles are used. These special user profiles are called mandatory profiles.

Whenever a user signs into Windows, remotely or locally, the profile is locked as a mandatory profile. Using mandatory profiles means that only a very small number of settings can be changed or stored within the profile. This behaviour affects Lync as well. For example, during Lync conferences (an audio/video conversation with other features) Lync uses Public Key Infrastructure keys and stores these keys in the profile. When the profile is mandatory these keys cannot be saved, resulting in the following error when starting the conference: “An error occurred during the online meeting”, and in the dialog box: “When contacting your support team, reference error ID 16389 (Source ID 0)”.

To make sure the Lync configuration can be tested, a small change to the registry needs to be applied. The State value needs to be changed to the hexadecimal value 0x0000004 (4). The State value can be found under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID}, where {SID} is the SID of the user account. Make sure you open RegEdit as administrator. Of course the following Microsoft statement applies to changing registry settings:

Caution You can impair or disable Windows with incorrect changes or accidental deletions if you (or other users) use Registry Editor to change the system configuration. Wherever possible, you should use the Control Panel, Windows Diagnostics, and Administrative Tools in Windows to change the Registry. Registry Editor should be used only as a last resort.

Once the registry change is applied, logging off and back on makes sure the logged-in user picks up the new setting: after logging back in, the user is logged in as a ‘normal user’. When Lync is started, you will notice an installation screen; this is shown because Lync needs to change some settings. After signing in everything works normally and Lync conferencing can now be tested on the client machines!
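The registry step above, scripted as an added example that is not part of the original post: it resolves the test account to its SID, shows the current State value of its ProfileList entry, writes the value 4 the post describes, and reads it back. The account name is a placeholder; run it from an elevated PowerShell prompt.

```powershell
# Added example: set the ProfileList "State" value to 4 for one user so the
# profile is no longer treated as mandatory during Lync testing. Run elevated.
param([string]$Account = 'CONTOSO\lynctestuser')   # placeholder account

# The ProfileList subkey is named after the user's SID, so resolve it first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"

# The entry only exists once the user has logged on at least once.
if (-not (Test-Path $key)) {
    throw "No profile entry found for $Account ($sid); log the user on once first."
}

$before = (Get-ItemProperty -Path $key -Name State).State
Write-Host ("Profile {0}: State before = 0x{1:X8}" -f $sid, $before)

# Value from the post: 0x0000004 (4), written as a DWORD like the existing value.
Set-ItemProperty -Path $key -Name State -Value 4 -Type DWord

$after = (Get-ItemProperty -Path $key -Name State).State
Write-Host ("Profile {0}: State after  = 0x{1:X8}" -f $sid, $after)
Write-Host "Log the user off and back on so the new State takes effect, then start Lync."
```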