To work around this issue, use one of the following methods to mitigate the errors.
Workaround 1
Request a new Edge internal certificate that contains the Client Authentication EKU for all Edge pools that are deployed. To do this, follow these steps:
Note You also have to request a new Front End default certificate that includes the Client Authentication EKU.
1. Create a Certificate Template that includes Client Authentication and Server Authentication as an Enhanced Key Usage. (Membership in Domain Administrators or equivalent is the minimum requirement to complete this procedure.) To do this, follow these steps:
   1. Open the Certification Authority snap-in.
   2. Browse to the Certificate Templates folder.
   3. Right-click the Certificate Templates folder, and then select Manage.
   4. In the Certificate Templates Console window, locate the Web Server template, right-click it, and then select Duplicate Template.
   5. In the Properties of the New Template window, select the General tab, and name the template appropriately. Note the Template name that's created.
   6. Select the Extensions tab, and then click Edit.
   7. In the Edit Application Policies Extension window, click Add.
   8. In the Add Application Policy window, select Client Authentication, and then click OK.
   9. In the Edit Application Policies Extension window, you should now see both Client Authentication and Server Authentication in the Application policies section. Click OK.
   10. In the Properties dialog box of the New Template window, click OK.
   11. Verify that the newly created template is shown in the Certificate Templates Console window. Close the Certificate Templates Console window.
   12. In the Certification Authority main window, browse to Certificate Templates.
   13. Right-click the Certificate Templates folder, and then select New, Certificate Template to Issue.
   14. In the Enable Certificate Templates window, select the newly created template from step 5, and then click OK.
   15. Verify that the new template is displayed under Certificate Templates.
2. Request a certificate by using the Deployment Wizard on the Edge Server.
   1. Open the Skype for Business (Lync) Server Deployment Wizard.
   2. Select Install or Update Skype for Business (Lync) Server System.
   3. Select the Run Again option on the Step 3: Request, Install or Assign Certificates page.
   4. In the Certificate Wizard window, select Edge Internal, and then click Request.
   5. Click Next on Request a certificate for the Edge internal (Edge internal) Skype for Business Server usages page.
   6. In the Delayed or Immediate Requests window, select the appropriate option.
   7. Follow the instructions on the next page to specify either the Certificate Authority or the Certificate Request File, and then click Next.
   8. On the Specify Alternate Certificate Template page, select the Use alternate certificate template for the selected certification authority check box.
   9. In the Certificate template name field, type the template name that you noted in the previous section in step 5, and then click Next.
   10. On the Name and Security Settings page, select settings as required, and then click Next.
   11. On the Organization Information page, input settings as required.
   12. On the Geographical Information page, input settings as required.
   13. On the Subject Name / Subject Alternative Names page, select Next.
   14. On the Configure Additional Subject Alternative Names page, add any additional required SANs, and then click Next.
   15. On the Certificate Request Summary page, review the request entries, and then click Next.
   16. After the request is generated, click Next, and then click Finish.
   17. Follow your organization’s usual procedure to process the request from the Certificate Authority. Make sure that you use the newly created template.
   18. Import and assign the request to the Skype for Business Edge internal usage.
3. Verify that the certificate has the appropriate EKUs. To do this, open the certificate, select the Details tab, and then scroll down to and select the Enhanced Key Usage check box. You should see Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
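The EKU verification in the last step can also be done for every installed certificate at once. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; it assumes PowerShell 3.0 or later and that the Edge internal and Front End certificates are in the Local Computer Personal store (Cert:\LocalMachine\My). The function and variable names are illustrative.

```powershell
# Added example: read-only EKU report for the Local Computer "Personal" store.
# Assumption: the certificates of interest are in Cert:\LocalMachine\My.
$required = [ordered]@{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-CertificateEkuStatus {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $hasEku = $false
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is $ekuType) {
            $hasEku = $true
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    # Name every required EKU that the certificate does not list.
    $missing = @($required.Keys | Where-Object { $oids -notcontains $_ } |
        ForEach-Object { $required[$_] })

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Thumbprint      = $Certificate.Thumbprint
        NotAfter        = $Certificate.NotAfter
        HasEkuExtension = $hasEku
        MissingEku      = $missing -join ', '
        HasBothEkus     = ($hasEku -and $missing.Count -eq 0)
    }
}

# Certificates that lack one of the two EKUs sort to the top of the table.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Get-CertificateEkuStatus -Certificate $_ } |
    Sort-Object HasBothEkus |
    Format-Table -AutoSize -Wrap
```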
Workaround 2
Add a registry entry to exclude the DataMCU process from the new certificate validation process that occurs after you install the .NET Framework update.
To work around the conferencing modality connection issues in Lync Server 2010, Lync Server 2013, and Skype for Business 2015, you must add an application exception for the Web Conferencing Service (DATAMCUSVC.exe).
To do this, use the following examples to set the exceptions in your environment.
For Skype for Business Server 2015
1. Determine and record the path of DATAMCUSVC.exe on the server.
   By default, the installation path is as follows:
   C:\Program Files\Skype for Business Server 2015\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Skype for Business Server Web Conferencing service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
   Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
4. Create the following DWORD name and value:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important Do not include quotation marks in the DWORD name. The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Skype for Business Server 2015\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Skype for Business Server Web Conferencing service (RTCDATAMCU).
For Lync Server 2013
1. Determine and record the path of DATAMCUSVC.exe on the server.
   By default, the installation path is as follows:
   C:\Program Files\Microsoft Lync Server 2013\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
   Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
4. Create the following DWORD name and value:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important Do not include quotation marks in the DWORD name.
   The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Lync Server Web Conferencing Service (RTCDATAMCU).
For Lync Server 2010
1. Determine and record the path of DATAMCUSVC.exe on the server.
   Note By default, the installation path is as follows:
   C:\Program Files\Microsoft Lync Server 2010\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing Service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs
   Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
4. Create the following DWORD names and values:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important Do not include quotation marks in the DWORD name. The w3wp.exe path is case sensitive and should be all in lowercase.
   The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Lync Server Web Conferencing service (RTCDATAMCU).
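
The Workaround 2 steps for Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010 differ only in the .NET Framework subkey, so they can be scripted once. The following PowerShell is an added example, not Microsoft's script; it assumes an elevated 64-bit PowerShell 3.0 or later session on the server, and the variable names are illustrative. It reads the executable path from the service itself, which avoids typing the value name by hand, and it exempts only that one executable.

```powershell
# Added example. Set $NetVersion to the subkey the article lists for the product:
#   v4.0.30319  Skype for Business Server 2015 and Lync Server 2013
#   v2.0.50727  Lync Server 2010
$NetVersion  = 'v4.0.30319'
$ServiceName = 'RTCDATAMCU'
$SubKey = "SOFTWARE\Microsoft\.NETFramework\$NetVersion\" +
          'System.Net.ServicePointManager.RequireCertificateEKUs'

# Step 1: read the executable path from the service configuration.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName was not found on this server." }

# PathName can be quoted and can carry arguments; keep only the .exe path,
# because the DWORD name must not contain quotation marks.
if ($svc.PathName -notmatch '^\s*"?(?<exe>[^"]+?\.exe)') {
    throw "Cannot parse an executable path from: $($svc.PathName)"
}
$exePath = $Matches['exe']

# Refuse to write an exemption for anything other than the Web Conferencing binary.
if ((Split-Path -Path $exePath -Leaf) -ne 'DATAMCUSVC.exe' -or
    -not (Test-Path -LiteralPath $exePath -PathType Leaf)) {
    throw "Unexpected service binary: $exePath"
}

# Steps 3 and 4: create the subkey if it does not exist, then add the DWORD.
# The .NET registry API treats the full path as a literal value name.
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
try {
    $key.SetValue($exePath, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $kind  = $key.GetValueKind($exePath)
    $value = $key.GetValue($exePath)
}
finally {
    $key.Close()
}
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $value -ne 0) {
    throw "Read-back failed for value name: $exePath"
}
Write-Output "Exemption set: HKLM\$SubKey -> '$exePath' = 0"

# Step 5: restart the Web Conferencing service so that it picks up the setting.
Restart-Service -Name $ServiceName
```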