Wednesday, September 28, 2022

[Solved] Issue with Windows Fabric & cert chain or certificate revocation list

Abstract: If you check the event log of your Skype for Business frontend server, you may see multiple Windows Fabric warnings related to the certificate chain trust and the certificate revocation list (CRL).

The errors in the event log look similar to the following:

cert chain trust status is in error: 0x1000040
ignore error 0x80092013:certificate revocation list offline

The status value 0x1000040 is the combination of these two trust flags:
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000

The first line above says nearly the same as the second line. This led to the following solution:

Solution:

The error shows up if the CRL specified in the SSL certificates used in your Skype for Business (SfB) environment cannot be reached from your SfB frontend server. This could be due to a firewall issue (e.g. a needed port isn't open) or because a proxy exclusion list isn't set via “netsh winhttp set proxy”. Once the server can reach the CRL again, the problem should be solved.

To find the CRL, open the SSL certificate and check the “CRL Distribution Point” property for more details.

Keep in mind that most Skype for Business (aka Lync) servers use a certificate from an internal Microsoft certificate authority (MS CA). So do not check only the external CRL for the public certificate you are using; also check the internal CRL!
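The check described above can be scripted on the frontend server. The following PowerShell is an added example, not part of the original post: it builds the chain for every certificate in the LocalMachine\My store (an assumed location for the SfB certificates), lists the CRL Distribution Point URLs of each certificate in the chain, including the internal CA, and tests the HTTP ones. The function names `Get-CdpUrl` and `Test-CrlUrl` are hypothetical.

```powershell
# Added example: report CRL reachability for the chains of certificates in LocalMachine\My.
$cdpOid = '2.5.29.31'   # OID of the "CRL Distribution Points" extension

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $ext) { return @() }   # root certificates usually carry no CDP
    # Format() renders the extension as text; each distribution point is a "URL=" entry.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') { return 'skipped (not HTTP, e.g. LDAP CDP of an internal CA)' }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return "reachable (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    } catch {
        return "UNREACHABLE: $($_.Exception.Message)"
    }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    "== $($cert.Subject)  [$($cert.Thumbprint)]"

    # Build the chain with online revocation checking for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.Build($cert)

    # Walk leaf, intermediate and root certificates so internal CA CRLs are covered too.
    foreach ($element in $chain.ChainElements) {
        foreach ($url in Get-CdpUrl $element.Certificate) {
            "   CDP $url -> $(Test-CrlUrl $url)"
        }
    }

    # RevocationStatusUnknown (0x40) and OfflineRevocation (0x1000000) are the flags from the log.
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    "   chain status: $flags"
}
```

The URL test uses the proxy settings of the account running the script, which can differ from the WinHTTP proxy shown by “netsh winhttp show proxy”, and the chain status can still report no error while a previously downloaded CRL is cached.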
