Author Archives: ArmgaSys

SSL Certificates, SharePoint, and User Profile Synchronization… OH MY!

SharePoint is complex!  Add in User Profiles and FIM Synchronization with SSL, and SharePoint can become an administrator’s worst nightmare.  Our latest “really?” moment occurred recently when MySite (User Profile) details stopped replicating back to Active Directory in one of our installs.

A quick review of recent Events yielded the following nuggets:

Event 6801 FIMSynchronization Service

The extensible extension returned an unsupported error.
The stack trace is:
“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


Event 8311, SharePoint Foundation

An operation failed because the following certificate has validation errors:

Subject Name: CN=*.ARMGASYS.COM, OU=Domain Control Validated
Issuer Name: CN=Go Daddy Secure Certificate Authority – G2, OU=, O=”, Inc.”, L=Scottsdale, S=Arizona, C=US
Thumbprint: ABCDEF123456790

Errors:

 The root of the certificate chain is not a trusted root authority..

Awesome, yet another SharePoint SSL issue.  (Only Microsoft Lync is more painful when it comes to SSL.)

The Solution:  Add the SSL certificate chain to the SharePoint trust

Step#1: Download the SSL certificate and related chain

  1. Open IE and navigate to the SharePoint site in question
  2. Click on the padlock and view the certificate for the site
  3. Click the Certification Path tab
  4. For each certificate authority listed in the chain, perform the following:
    1. Select the certificate (e.g. Go Daddy Root Certificate Authority – G2)
    2. Click View Certificate.  A new window for the certificate will be displayed
    3. Click the Details tab
    4. Click Copy to File
    5. This will launch the “Certificate Export Wizard”
    6. Follow the wizard taking all defaults.  Save the .CER file to an accessible location
  5. Copy the .CER files to your SharePoint server or a location where you have access to SharePoint Central Administration.
  6. Launch SharePoint Central Administration and Navigate to Security –> Manage Trust
  7. For each .CER file, perform the following:
    1. Click New on the Manage Trust screen (located in upper left corner)
    2. Give the certificate a usable name
      HINT: We like to include the month and year… just in case (e.g. GODADDY LEVEL 1 CERT MAR2014)
    3. Browse for the .CER file
    4. Click OK
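The same result from the SharePoint Management Shell, as an added example that is not part of the original post: it takes the site certificate's thumbprint (the value Event 8311 prints), walks the issuer chain with X509Chain, writes each issuer out as a .CER file exactly as the export wizard would, and registers every issuer that SharePoint does not already trust with New-SPTrustedRootAuthority, using the month/year naming hint from the post. It assumes an elevated shell on a SharePoint server where the site certificate lives in the local machine personal store; the thumbprint below is the post's placeholder.

```powershell
# Added example, not code from the original post. Assumes: elevated PowerShell
# on a SharePoint server, site certificate in Cert:\LocalMachine\My.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteThumbprint = 'ABCDEF123456790'   # placeholder from Event 8311; use your own
$leaf = Get-Item "Cert:\LocalMachine\My\$siteThumbprint"

# Let Windows assemble the chain the browser's Certification Path tab shows.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    # Windows itself could not validate the chain; SharePoint trust will not help
    # until the machine store is fixed, so surface the reason and stop.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Windows cannot validate the site certificate chain'
}

$stamp    = (Get-Date -Format 'MMMyyyy').ToUpper()   # e.g. MAR2014, as in the naming hint
$existing = Get-SPTrustedRootAuthority

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    # The site certificate itself is not an authority; only its issuers go into trust.
    if ($cert.Thumbprint -eq $leaf.Thumbprint) { continue }

    # Same DER-encoded artifact the Certificate Export Wizard produces with defaults.
    $cerPath = Join-Path $env:TEMP ("{0}.cer" -f $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))

    if ($existing | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }) {
        Write-Host "Already trusted by SharePoint: $($cert.Subject)"
        continue
    }
    $name = "$($cert.GetNameInfo('SimpleName', $false)) $stamp".ToUpper()
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    Write-Host "Added to SharePoint trust: $name (exported to $cerPath)"
}

# Verify: every entry with its subject and expiry, so stale chains stand out.
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{n='Subject';  e={ $_.Certificate.Subject }},
        @{n='NotAfter'; e={ $_.Certificate.NotAfter }}
```

Matching on thumbprint rather than on display name is what makes the script safe to re-run: a second execution after a chain rotation adds only the new intermediate and leaves the already-registered root alone.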


Happy encrypting!

No connectivity with the Lync Web App reported every 20 minutes or so

We seem to encounter a specific connectivity error a lot across a variety of Lync environments.  In some instances, users will complain about slow connectivity or no connectivity.  The primary symptom is the following event log entry (repeated every 20 minutes or so):

No connectivity with the Lync Web App. Affected Web browser clients cannot use Web Conferencing modality.

Server Machine FQDN:, Port:8061
Server Type: External-WebApp-Edge [HTTP side error:The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
If the problem persists this event will be logged again after 20 minutes
Cause: Service may be unavailable or Network connectivity may have been compromised.

Never fear, this one is easy to fix!

The Root Issue
The application pool registered to the Lync Server External Web Site\Reach application is set to activate On Demand.  This results in an IIS application pool that is not spun up when an external reach request is received resulting in a connectivity fault.


The Solution
Important:  The UI based solution only works in IIS 8.  If you are running IIS 7.5, see “How to Manually Fix This Issue” below.

  1. Launch Internet Information Services (IIS) Manager on your front-end pool server
  2. Navigate to Sites –> Lync Server External Web Site –> Reach
  3. Right click on Reach and select Manage Application –> Advanced Settings
  4. Note the Application Pool in the advanced settings pop-up
    This will be set to LyncExtReach in normal environments
  5. Click on Application Pools and locate the application pool noted in step#4 above
  6. Right click on the Application Pool and select Advanced Settings
  7. Change the Start Mode to AlwaysRunning
  8. Restart IIS


Told you it was easy!


UPDATED 09/2014:  How to Manually Fix This Issue
Running IIS 7.5 and don’t see Start Mode in IIS?  Here is the manual method!

  1. Edit the following file in the editor of your choice
    Important:  Make sure you are running your editor as an Administrator!
  2. Search for name="LyncExtFeature"
    Important:  You are looking for the <add name="LyncExtReach" within the <system.applicationHost><applicationPools> section!
  3. Edit the entry to include the startMode="AlwaysRunning" attribute, so it reads:
    <add name="LyncExtReach" autoStart="true" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated" startMode="AlwaysRunning">
  4. Save the file and restart IIS
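Both procedures above (the IIS Manager clicks and the manual config edit) set one attribute on one application pool, so here is an added example, not code from the original post, that does the same from PowerShell with the WebAdministration module: it resolves which pool the Reach application actually uses instead of assuming LyncExtReach, reports the current start mode, fixes it only if needed, and recycles the pool. It assumes an elevated shell on the Front End server and IIS 8 (or IIS 7.5 with the Application Initialization module, which adds the startMode attribute the manual edit relies on); the site and application names are the ones used in the post.

```powershell
# Added example, not from the original post. Assumes: elevated PowerShell on the
# Lync Front End, IIS 8 or IIS 7.5 with Application Initialization installed.
Import-Module WebAdministration

$siteName = 'Lync Server External Web Site'
$appName  = 'Reach'

# Step 3/4 of the UI procedure: which pool does the Reach application run in?
$app = Get-WebApplication -Site $siteName -Name $appName
if (-not $app) { throw "Application '$appName' not found under site '$siteName'" }

$poolName = $app.applicationPool          # normally LyncExtReach
$poolPath = "IIS:\AppPools\$poolName"
$pool     = Get-Item $poolPath

"Pool '{0}': state={1} startMode={2} autoStart={3}" -f `
    $poolName, $pool.state, $pool.startMode, $pool.autoStart

# Step 7: keep the worker process alive so the first external Reach request
# does not land on a cold pool and trip the trust/connectivity check.
if ($pool.startMode -ne 'AlwaysRunning') {
    Set-ItemProperty $poolPath -Name startMode -Value 'AlwaysRunning'
    Set-ItemProperty $poolPath -Name autoStart -Value $true
    Restart-WebAppPool -Name $poolName
    "Changed $poolName to AlwaysRunning"
} else {
    "$poolName already AlwaysRunning; nothing to do"
}

# Confirm the setting persisted to applicationHost.config, then watch the
# 'Lync Server' event log: the entry should stop recurring after 20 minutes.
(Get-Item $poolPath).startMode
Get-WinEvent -LogName 'Lync Server' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'No connectivity with the Lync Web App*' } |
    Select-Object -First 3 TimeCreated, Id
```

Reading the pool name from the application rather than hard-coding it matters on pools where the external web site was renamed or re-created; the event text never names the pool, only the port and server type.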

Exchange Unified Messaging Doesn’t Start (No Certificate Found)

So, you have updated your SSL certificates in Exchange 2010 to comply with (insert corporate policy here).  All seems well until you receive a frantic call: “Voice Mail is down!”.

A quick search of the event viewer turns up:

The Microsoft Exchange Unified Messaging service was unable to start. More information: “Microsoft.Exchange.UM.UMService.UMServiceException: No certificate was found using the thumbprint ” specified in the UMCertificateThumbprint property of the UMServer object.
   at Microsoft.Exchange.UM.UMService.UMConnectionManagerHelper.TLSConnectionManager.Initialize()
   at Microsoft.Exchange.UM.UMService.UMService.InitializeConnectionManager()
   at Microsoft.Exchange.UM.UMService.UMService.StartService()
   at Microsoft.Exchange.UM.UMService.UMService.OnStartInternal(String[] args)”


You cradle your head in your hands and begin to weep softly.

Fear not!

The Solution

  1. Launch Exchange Management Console from the server hosting the Unified Messaging Role
    Important: Remember to launch with UAC elevated permissions!
  2. Expand and click on Server Configuration
  3. From the server list in the center pane, select the server hosting the Unified Messaging Role
  4. In the lower center pane, you’ll very likely notice the new SSL certificate is not assigned to any services
  5. Right click on the certificate and select Assign Services to Certificate
  6. In the wizard, check the Unified Messaging (UM) service
  7. Finish the wizard and dry your tears!
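The same diagnosis and fix from the Exchange Management Shell, as an added example that is not part of the original post: it reads the thumbprint the UMServer object still points at, checks whether any installed certificate carries it (the mismatch the event describes), picks the renewed certificate that already serves IIS, assigns the UM service to it with Enable-ExchangeCertificate, and restarts the service. It assumes an elevated Exchange Management Shell on the Unified Messaging server; the rule for choosing the candidate certificate is this example's own assumption, so review the printed subject before relying on it.

```powershell
# Added example, not from the original post. Assumes: elevated Exchange
# Management Shell (Exchange 2010) on the server holding the UM role.
$umServerName = $env:COMPUTERNAME

# What the UM service is configured to look for (the thumbprint in the event).
$umServer = Get-UMServer -Identity $umServerName
"UMServer expects thumbprint: '{0}'" -f $umServer.UMCertificateThumbprint

$certs    = Get-ExchangeCertificate -Server $umServerName
$expected = $certs | Where-Object { $_.Thumbprint -eq $umServer.UMCertificateThumbprint }
if ($expected) {
    "Certificate present, services: {0}; expiry: {1}" -f $expected.Services, $expected.NotAfter
} else {
    Write-Warning 'No installed certificate matches that thumbprint: the state behind the event.'
}

# Candidate: the renewed certificate already bound to IIS, valid, with a private
# key. This selection rule is an assumption of the example, not Exchange's logic.
$candidate = $certs |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $candidate) { throw 'No valid certificate with a private key is bound to IIS' }

"Assigning UM to: {0} ({1})" -f $candidate.Subject, $candidate.Thumbprint

# Steps 5/6 of the console procedure; -Force skips the confirmation prompt.
Enable-ExchangeCertificate -Thumbprint $candidate.Thumbprint -Services UM -Force
Restart-Service MSExchangeUM

# Verify: the UMServer object now references the assigned certificate and
# the service is running.
(Get-UMServer -Identity $umServerName).UMCertificateThumbprint
(Get-Service MSExchangeUM).Status
```

Printing the expiry of whichever certificate UM is bound to is worth keeping as a scheduled check: the failure in this post surfaces only when the service restarts, which may be long after the certificate it references has been replaced.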