SOLUTION: Cisco CUPS and Lync Federation does not work with TLS error 0x80090327 An unknown error occurred while processing the certificate

Applies To: Lync 2010 and Cisco Unified Communications Manager, Release 9.1

Problem:

You need to configure Partitioned Intradomain Federation between Lync 2010 and CUPS 9.1 (this post is also valid for inter-domain federation; see the important notes below).

You have configured the CUPS and Lync 2010 Enterprise servers based on the document "Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)":

(http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/intradomain_federation/9_1_1/CUP0_BK_PFB0D200_00_partitioned-intradomain-guide-911/CUP0_BK_PFB0D200_00_partitioned-intradomain-guide-911_chapter_010.html)

Partitioned Intradomain means that CUPS users and Lync users share the same SIP domain in their addresses, for example cupsuser@contoso.com and lyncuser@contoso.com.

But you observe that CUPS users can send IMs to and see presence information of Lync users, while Lync users can neither send IMs to nor see presence of CUPS users.

Symptoms:

A CUPS user can send an IM and the Lync user can reply within the same IM session. But if the Lync user starts the conversation, the IM cannot be delivered to the CUPS user. The Lync user also cannot see the presence of the CUPS user (Presence Unknown).

The following errors are logged in the Lync Server event log:

Log Name:     Lync Server
Source:       LS Protocol Stack
Date:         11/20/2014 8:02:10 PM
Event ID:     14428
Task Category: (1001)
Level:         Error
Keywords:     Classic
User:         N/A
Computer:     LYNCFE.internal.contoso.com
Description:
TLS outgoing connection failures.

Over the past 20 minutes, Lync Server has experienced TLS outgoing connection failures 7 time(s). The error code of the last failure is 0x80090327 (An unknown error occurred while processing the certificate.) while trying to connect to the server “CISCOCUPS.internal.contoso.com” at address [10.15.10.100:5061], and the display name in the peer certificate is “Unavailable”.

Cause: Most often a problem with the peer certificate or perhaps the DNS A record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

Log Name:     Lync Server
Source:       LS Protocol Stack
Date:         11/20/2014 8:47:24 PM
Event ID:     14501
Task Category: (1001)
Level:         Error
Keywords:     Classic
User:         N/A
Computer:     LYNCFE.internal.contoso.com
Description:

A significant number of invalid certificates have been provided by remote IP address 10.15.10.100 when attempting to establish an MTLS peer. There have been 17 such failures in the last 74 minutes.

Certificate Names associated with this peer were
The serial number of this certificate is The issuer of this certificate is The specific failure types and their counts are identified below.
Instance count – Failure Type
373            – 0x80090327
104            – 0x80090326

Cause:

As documented on page 64 of the Cisco document:

“Validate Existing Lync Signed Certificate

To support TLS encryption between the IM and Presence Service and Lync, each Lync server must have a signed security certificate that supports Client Authentication. If a signed certificate is already installed on the Lync server, the following procedure describes how to check if that existing signed certificate supports Client Authentication.

Verify that the certificate is assigned one of the following OID values:

  • If the certificate is configured for both server and client authentication, the OID value is “1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2”

  • If the certificate is configured for server authentication only, the OID value is “1.3.6.1.5.5.7.3.1”

So the pool certificate installed on the Lync 2010 Front End servers must carry both the Server Authentication purpose (required by Lync) AND the Client Authentication purpose (required by CUPS to accept Lync as an MTLS peer).

If the pool certificate has only the Server Authentication purpose (which is the default and is sufficient for a Lync-only setup), CUPS rejects the certificate and does not allow the Lync Server to connect. That rejected peer certificate is what the 0x80090327 failures above are reporting.

Resolution:

Request a new pool certificate for the Lync FE servers with both the Server Authentication AND Client Authentication purposes. To do so, supply the following comma-separated OIDs on the Certificate Request page:

1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

1- Note every SAN on the existing certificate first (see the important notes below).

2- On the Windows CA Certificate Request page choose Advanced Certificate Request, select "Other" in the "Type of Certificate Needed" menu, and paste 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 into the OID field.

3- Enter all SANs you need in the Attributes field, in the following format:

SAN:DNS=lncpool.contoso.com&DNS=sip.contoso.com&DNS=LYNCFE.internal.contoso.com etc…

Get the new certificate and install it on the Lync Server using the MMC Certificates snap-in. Verify that both Client Authentication and Server Authentication are listed in the Intended Purposes column.

After installing the new certificate on the Lync Server, run the Lync Server Deployment Wizard and assign the new certificate. After assigning it, restart the Lync services; federation works immediately.
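Added example (not from the original post or from Cisco/Microsoft documentation): a PowerShell check, run on the Lync Front End, that reports for each certificate in the local machine store whether it carries both EKU OIDs CUPS expects and which DNS names are in its SAN. The `$Thumbprint` filter is an assumed convenience; leave it empty to list every certificate.

```powershell
# Added example: verify EKU purposes and SAN entries of the Lync pool certificate.
# Run in an elevated PowerShell on the Lync Front End server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (Lync requirement)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (CUPS requirement)
$Thumbprint    = ''                    # assumed: optionally restrict to one certificate

function Test-LyncPeerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Extended Key Usage extension (OID 2.5.29.37). If it is missing, Windows treats the
    # certificate as valid for all purposes, but CUPS still needs Client Authentication listed.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $purposes = @()
    if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject Alternative Name extension (OID 2.5.29.17); Format() renders it as
    # "DNS Name=lncpool.contoso.com, DNS Name=sip.contoso.com, ..." on Windows.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @(($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    $hasServer = $purposes -contains $ServerAuthOid
    $hasClient = $purposes -contains $ClientAuthOid
    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        ServerAuth  = $hasServer
        ClientAuth  = $hasClient
        CupsReady   = $hasServer -and $hasClient   # both purposes present: CUPS will accept it
        SanDnsNames = ($dnsNames -join ', ')
    }
}

$certs = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
$certs | ForEach-Object { Test-LyncPeerCertificate -Cert $_ } | Format-Table -AutoSize
```

A certificate with ServerAuth True but ClientAuth False is the one that produces the 0x80090327 failures in the event log above; the SanDnsNames column is what you compare against the list noted in step 1 before replacing it.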

Important Notes:

1- Do not use the Request-CsCertificate command shown on page 66 of the document, because the certificate you get will not contain any SANs. If you assign such a certificate, users whose SIP addresses are in a different domain cannot sign in.

2- The same issue affects inter-domain federation between a Lync/OCS Edge Server and the Cisco Presence Server: the certificate on the Access Edge interface of the Edge Server must also have both the Server Authentication and Client Authentication purposes. See the "Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager" document.

More Information:

You must also configure the CUPS and CUCM servers using host names (FQDNs), not IP addresses. Otherwise you will get certificate warnings on the Lync server and also on the Jabber client. Adding IP addresses to the SAN of the CUCM certificate does not help either, because the name presented in the certificate still has to match the name used to connect.
