Lync 2013 – TLS Negotiation took too long to complete

I recently came across an issue with Lync 2013 where SCOM (System Center Operations Manager) was periodically reporting errors with the Conferencing Attendant and IM MCU.  The SCOM errors were as follows:

 

 

Strangely, no users had reported issues and initial thoughts were performance problems with the Lync Front End servers.  This is quite a large Pool with 7 Front Ends and each Front End would periodically generate the above errors in SCOM.  All servers were running the latest CU and all certificates were valid for 2 years.

These errors could also be seen in the Lync event logs on each Front End:

 

 

It transpired that the Lync Front End servers could not access the CRL (Certificate Revocation List) due to Firewalls between the Lync servers and the customers Certificate Authority.  You can view the CRL distribution points via the certificate Details tab, example below (Note the CRL may also be published via LDAP internally):

CRL

 

You can check Lync servers have successfully accessed the CRL by running: certutil -urlcache CRL.  If the CRL has been accessed you will see it in the list returned.

You can also verify if the Lync servers can access the CRL by doing the following:

  1. Export Front End certificate from MMC to C:\temp\LyncFE.cer (No need to export Private Key)
  2. Run from elevated command prompt: certutil.exe -v -verify -URLfetch c:\temp\LyncFE.cer > C:\temp\certutil.txt
  3. Open certutil.txt from C:\temp

If the CRL can’t be accessed you will see the following error towards the bottom of the file: ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

If the CRL can be accessed you will see the following towards the bottom of the file: Leaf certificate revocation check passed

Once the Firewall ports were opened between Lync and the CA server hosting the CRL the TLS Timeout Errors in the Lync Event logs and SCOM stopped.  It is likely that if you see this issue in Skype for Business 2015, it’s also caused by the CRL being inaccessible.

Author: Chris Hayward

Share This Post On

Trackbacks/Pingbacks

  1. Weekly IT Newsletter – April 11-15, 2016 | Just a Lync Guy - […] · Lync 2013 – TLS Negotiation took too long to complete […]

Submit a Comment

Your email address will not be published. Required fields are marked *