2

After working with my internal IT department, they've determined that the simple reason I cannot get to the Lync server from my home computer is because it is not a member of the domain. There are two solutions they proposed: join the domain, or VPN in. The former isn't really an option, and the latter is a solution I can make work (only connect when I really need to talk to someone; running all my traffic through the VPN is downright miserable).

The error I get when I connect is:

"There was a problem verifying the certificate from the server. Sign-in may be delayed while we retry the connection..."

More detailed error:

02/15/2013|18:05:57.470 1C58:C28 TRACE :: SECURE_SOCKET: security negotiation has completed, verifying server cert
02/15/2013|18:05:57.472 1C58:C28 ERROR :: SECURE_SOCKET: negotiation failed
02/15/2013|18:05:57.472 1C58:13D0 ERROR :: CSIPTransportLayerSecurity::OnTlsNegotiationComplete (65ea2f0) failed with 0x80ee0065. Raising OnConnect with the same error
02/15/2013|18:05:57.472 1C58:13D0 ERROR :: CSIPClientConnection::OnConnect (80ee0065) this: 01D7B0A0
02/15/2013|18:05:57.472 1C58:13D0 INFO  :: SIP_MSG_PROCESSOR::OnRequestConnectionConnectComplete - Enter this: 065E2848, callid=(null), ErrorCode: 0x80ee0065
02/15/2013|18:05:57.472 1C58:13D0 ERROR :: Releasing connection and notifying transactions
02/15/2013|18:05:57.472 1C58:13D0 ERROR :: SIP_MSG_PROCESSOR::NotifyRequestConnectionConnectComplete - Error: 80ee0065
02/15/2013|18:05:57.472 1C58:13D0 TRACE :: CSIPTransportLayerSecurity::Shutdown - [0x065EA2F0]

As a developer, this looks like a different version of the SSL errors I get when I visit a website that's using a misnamed certificate. With that thinking, I went ahead and VPNed in, grabbed the certificate it presented me with and accepted it. Then I added it into my trusted CAs just to be sure. I was really hoping this would work, but it results in the same error.

Anyone played this game before? Is there a workaround?

5 Answers

0

You may want to check with your IT Department to see if you need to install a Cert to talk to your Exchange server. Also, try inputting your company's Lync server in the "Advanced" options when you access the Lync settings. Hope this helps.

0

I think this is caused by not having the rights to get a certificate from the Lync Edge server, so I suspect that the External access policy is set to null, rather than Allow External or Allow External + Federation.

0

You don't really spell out what sort of Lync Topology your IT guys have set up.

How are you accessing the servers from your Home computer? Are you coming in from the internet via your home internet connection, or have you taken your computer with you to the office and plugged it into the network there?

If the former, then have they correctly set up an Edge server for the Lync install? Or are they trying to just use the Front End server and making its interfaces publicly available over the internet?

If the latter, you can't just install the certificate that the Lync server is sending you, you also need to install the entire certificate chain that goes with it into your local cert repository. That might mean Intermediate and Root CAs, or just one root CA.

0

Unfortunately, the answer I ended up receiving from the IT folks was "we can't figure out why it doesn't work and have no plans to further look into the issue, so use one of the two proposed approaches or don't use Lync". We went with option #2, stopped using Lync entirely, and switched our department over to Slack.

Thanks for all the attempts at helping.

0

The proper way would have been to block Lync/Skype from accessing the internal network while on VPN to force the connection to the Edge. This resolves the certificate issue and it improves the performance issue, as going through an encrypted VPN connection with an encrypted Lync/Skype connection is not optimal. If there is no Edge, then downloading the root and/or intermediate certificate from your company would allow your non-domain machine to trust the internal certificate.

https://blogs.technet.microsoft.com/nexthop/2011/11/14/enabling-lync-media-to-bypass-a-vpn-tunnel/

http://www.stevenjordan.net/2014/08/configure-lync-clients-on-split-tunnel.html

1
  • You should consider quoting and citing your reference links. So when those reference links no longer work (happens all the time with Microsoft links) your answer will still be helpful. You mention what the "proper way is" but don't provide any specifics.
    – Ramhound
    Commented Jan 24, 2017 at 15:09
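
Two of the answers above say a non-domain machine needs the issuing root and/or intermediate CA certificates, not just the server's own certificate. The following PowerShell sketch is an added example, not code from any poster in this thread: it builds the chain for an exported server certificate and reports which links this machine does not trust and which store each CA certificate belongs in. The file path `lync-server.cer` and the host name `lync.example.internal` are placeholders.

```powershell
# Added example, not from the thread. Path and server name are placeholders.
param(
    [string]$CertPath   = '.\lync-server.cer',      # server certificate exported to a file (assumed path)
    [string]$ServerName = 'lync.example.internal'   # name the client connects to (placeholder)
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $CertPath).Path
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # also surfaces unreachable CRL locations
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($cert)

# Name check: compare the name being dialed with what the certificate covers.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"Connecting to : $ServerName"
"Subject       : $($cert.Subject)"
"SAN entries   : $(if ($san) { $san.Format($false) } else { '(none)' })"
"Chain trusted : $trusted"

# Walk the chain from the server certificate upwards.
$last = $chain.ChainElements.Count - 1
for ($i = 0; $i -le $last; $i++) {
    $el = $chain.ChainElements[$i]
    $c  = $el.Certificate
    if ($i -eq 0)                     { $role = 'server certificate'; $store = '(not a CA; do not add to a CA store)' }
    elseif ($c.Subject -eq $c.Issuer) { $role = 'root CA';            $store = 'Cert:\CurrentUser\Root' }
    else                              { $role = 'intermediate CA';    $store = 'Cert:\CurrentUser\CA' }
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    "[$i] $role"
    "    Subject : $($c.Subject)"
    "    Issuer  : $($c.Issuer)"
    "    Status  : $flags"
    "    Store   : $store"
}

# If the top element is not self-signed, the issuer is missing on this machine.
$top = $chain.ChainElements[$last].Certificate
if ($top.Subject -ne $top.Issuer) {
    "Missing issuer certificate: $($top.Issuer)"
    "Obtain it from the CA owner, then import it into the matching store, e.g.:"
    "  Import-Certificate -FilePath <ca-file.cer> -CertStoreLocation <store from the list above>"
}

# Overall verdict with the platform's explanation for each problem.
$chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
```

A `PartialChain` or `UntrustedRoot` status points at missing CA certificates, while revocation-related statuses indicate the chain is present but its revocation information could not be checked from this machine.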
