Over the last few weeks I have been installing Lync in a large environment for one of our customers. During the implementation everything went very smoothly, until the last two days. First we discovered some trouble with the mandatory profiles, and second we faced issues with federation. During the initial tests we noticed that federation was working for presence information and chat messages; however, starting audio/video and starting a conference between a federated user and an internal user was where the trouble started.
After doing a lot of research and checking the environment we were totally out of ideas! All ports and IP addresses were set correctly and all best practices were followed. During our search we found, in chapter 9 of the Lync 2010 and Lync 2013 Resource Kit, a reference to a utility called MSTurnPing.exe. With MSTurnPing.exe we are able to test the A/V Authentication Service and the A/V Edge Services. Running this tool from the 'Lync 2013 Management Shell' on a Front-End Server gives a lot of useful results. To run it, navigate to the folder where it is located and execute the following command in the Lync 2013 Management Shell:
.\MSTurnPing.exe -ServerRole AudioVideoEdgeServer
Running the tool gave us results that said:
Exception Message: The target principal name is incorrect
Cause: Lync Server Audio/Video Authentication service is not started
Resolution: Start Lync Server Audio/Video Authentication Service
After these messages I was a bit confused, because the A/V Authentication service was already started on the Edge server and all of the other components (such as starting an audio/video conference with external users) seemed to work fine. In hindsight the exception message is the real clue: "The target principal name is incorrect" is the Schannel error for a certificate whose names do not match the name the caller connected to, so the "service not started" cause and resolution printed by the tool are misleading here. After digging around, someone suggested having a look at the certificate. The initial certificate had no additional Subject Alternative Names (SANs). These SANs were also not proposed by the deployment wizard, and thus not added by us. Reading through blogs and discussion boards, people stated that the Edge pool FQDN and the server FQDN needed to be added as SANs in the certificate (not sure why the pool FQDN should be added, as this was already the Subject Name of the certificate; however, we followed the advice and added the pool FQDN as well). This requirement is not explicitly stated in this TechNet article.
Based on these suggestions, we decided to replace the certificate on the Edge internal interface. After a while (requesting certificates from the Edge server against the internal CA wasn't that easy) the new certificate was requested and assigned to the Edge internal interface. To make sure the services pick up the new certificate, we rebooted the server. After the reboot I ran MSTurnPing.exe once again and it reported that everything works perfectly.
The second test, a call between a federated user and an internal user, also went perfectly: we were able to add audio and video, and to escalate to a conference during the meeting. During these tests everyone concluded that the requested functionality is working!
Make sure that the server FQDN and the Edge pool FQDN are added as SANs to your Edge internal interface certificate, so that all calls will be accepted and can be upgraded to a conference.
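To verify this before rebooting or re-running MSTurnPing, here is an added example (my own script, not something from the Resource Kit or from Microsoft) that reads the certificate Get-CsCertificate reports for the Edge internal interface, parses its SAN extension and lists which of the two required names are missing. It assumes it is run in the Lync Server Management Shell on the Edge server; the pool FQDN passed in at the bottom is a placeholder.

```powershell
# Added example: check that the Edge internal interface certificate carries the
# Edge server FQDN and the Edge pool FQDN as Subject Alternative Names (SANs).

function Get-CertificateSanList {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=sip.contoso.com".
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    }
}

function Test-EdgeInternalCertificateSans {
    param(
        [Parameter(Mandatory)][string]$PoolFqdn,
        # Server FQDN defaults to the DNS host name of the machine the script runs on.
        [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    # Get-CsCertificate -Type Internal reports the certificate assigned to the Edge
    # internal interface; its Thumbprint is used to load it from the machine store.
    $assigned = Get-CsCertificate -Type Internal
    if (-not $assigned) { throw 'No certificate is assigned to the Edge internal interface.' }
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $assigned.Thumbprint)
    $sans = @(Get-CertificateSanList -Certificate $cert)

    $required = @($ServerFqdn, $PoolFqdn) | ForEach-Object { $_.ToLowerInvariant() }
    $missing  = @($required | Where-Object { $sans -notcontains $_ })

    # Ok is $true only when both names are present as DNS SANs.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Sans       = $sans
        Missing    = $missing
        Ok         = ($missing.Count -eq 0)
    }
}

# Example call; replace the placeholder with your own Edge pool FQDN.
Test-EdgeInternalCertificateSans -PoolFqdn 'edgepool.internal.example.com'
```

If Missing is non-empty, request a new certificate with those names as SANs and assign it to the internal interface before testing again; a Subject Name alone is not counted here, which matches the behaviour we ran into.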