How to resolve a Root CA issue when the SFB/Lync Edge service fails to start or replication fails: Get-ChildItem and SendTrustedIssuerList

I ran across a problem you are all likely familiar with. You are aware of the requirements for SFB Edge server certificate stores. There are conditions which will not allow the Edge server to replicate with the FE pool. Aspects of this have been covered, but I wanted to add a new one to the list of ways we can handle this issue. I will briefly introduce the common method, and then introduce the other method which exists.

The conditions most commonly associated with Edge replication/service issues are:

  • Edge certificate misplacement in the Edge certificate store
  • The Trusted Root Certification Authorities store contains too many certificates, so the trusted issuer list is truncated.

To take care of the first issue, I use a simple command to help me clean up the certificate store:

Get-ChildItem Cert:\LocalMachine\Root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "C:\computer_filtered.txt"

The rule being: if the file is not 0 KB, then you have certs in the wrong place. The file is like the bartender at 2 AM. The certificate can go anywhere except where it is currently sitting. You don't have to go home, you just can't stay here.
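As an added example (this is not code from the original post), here is a PowerShell script that extends the one-liner above. It lists every certificate in the LocalMachine Root store whose issuer is not its own subject, uses the Basic Constraints extension to suggest the store it belongs in (CA for intermediate CA certificates, My for end-entity certificates), prints a dry run of the move, and counts the Root store entries against the 130-entry limit discussed below. The function names are my own; Move-Item against the Cert: drive needs PowerShell 3.0 or later and an elevated session.

```powershell
# Added example, not from the original post. Run elevated on the Edge server.
# A Root store entry should be self-issued (Issuer equals Subject); anything else
# was dropped into the wrong store and belongs in CA (intermediates) or My (leaf certs).

function Get-MisplacedRootCert {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -ne $_.Subject } |
        ForEach-Object {
            $cert = $_
            # Basic Constraints says whether this is a CA cert (belongs in CA) or a leaf (belongs in My)
            $bc   = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Basic Constraints' }
            $isCa = ($null -ne $bc) -and $bc.CertificateAuthority
            [pscustomobject]@{
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                NotAfter       = $cert.NotAfter
                SuggestedStore = if ($isCa) { 'Cert:\LocalMachine\CA' } else { 'Cert:\LocalMachine\My' }
            }
        }
}

function Get-RootStoreCount {
    # 130 is the entry count the post gives as the point where the trusted issuer list is truncated
    param([string]$StorePath = 'Cert:\LocalMachine\Root', [int]$Limit = 130)
    $count = @(Get-ChildItem -Path $StorePath).Count
    [pscustomobject]@{
        RootCertificates = $count
        Limit            = $Limit
        OverLimit        = ($count -gt $Limit)
    }
}

$misplaced = @(Get-MisplacedRootCert)
if ($misplaced.Count -gt 0) {
    $misplaced | Format-Table Thumbprint, Subject, SuggestedStore -AutoSize
    # Dry run of the move; drop -WhatIf once the list has been reviewed
    foreach ($c in $misplaced) {
        Move-Item -Path "Cert:\LocalMachine\Root\$($c.Thumbprint)" -Destination $c.SuggestedStore -WhatIf
    }
} else {
    'No misplaced certificates in the Root store.'
}

Get-RootStoreCount
```

The -WhatIf keeps the script read-only on first run; review the table (an expired or unknown certificate is better exported and deleted than moved) before removing the switch.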


The second issue is where I found an alternative. The Edge will not replicate if your Trusted Root Certification Authorities store has more than 130 entries; the trusted issuer list begins to be truncated after that point. So commonly you can revoke and delete the certs over the limit, and your problem is solved. However, if your customer is not willing to do that, then what do you do? This is where a registry edit will also work. The value called SendTrustedIssuerList is the target of your interest. If you set its value to 0, Schannel no longer sends the (truncated) trusted issuer list to the Edge server, which removes the truncation problem. I admit I don't like this method of doing it, but I know you face lots of customers that won't let you touch their domain controllers. We're just trying to do our job! Below is the registry value you need to set to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList
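As an added example (not from the original post), the following PowerShell reads the current SendTrustedIssuerList value, records the previous state so the change can be reverted, and writes the DWORD under the SCHANNEL key shown above. The function names and the log file path are my own assumptions. Two caveats a practitioner will want: the value affects every Schannel endpoint on that machine that requests client certificates, not only the replication listener, and Schannel settings are generally read at startup, so plan a restart of the affected service or server before expecting new handshakes to change.

```powershell
# Added example, not from the original post. Run in an elevated session on the
# server whose Schannel is sending the truncated trusted issuer list.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName = 'SendTrustedIssuerList'
$logPath   = "$env:TEMP\schannel_change.log"   # assumed location for the change record

function Get-SendTrustedIssuerList {
    # Returns $null when the value is absent, meaning the Schannel default applies
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-SendTrustedIssuerList {
    param([ValidateSet(0, 1)][int]$Value)

    $before = Get-SendTrustedIssuerList
    # Keep a dated record of the previous state so the change can be rolled back
    "$(Get-Date -Format o) $env:COMPUTERNAME $valueName before=$before after=$Value" |
        Out-File -FilePath $logPath -Append

    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # REG_DWORD; -Force overwrites an existing value of the same name
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Value -Force | Out-Null

    return Get-SendTrustedIssuerList
}

"Current value: $(Get-SendTrustedIssuerList)"   # blank output means the value is not set
Set-SendTrustedIssuerList -Value 0
```

To revert, call Set-SendTrustedIssuerList -Value 1 or remove the value with Remove-ItemProperty; the log line records which state was there before.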


This was missing from my growing list of notepad things to remember. I hope you keep this in your notepad memory as well.
