Skype4Business certificate can’t sign in


If you see this error on the Skype for Business infrastructure that you administer: “Can’t sign in to Skype for Business. There was a problem verifying the certificate from the server”, I would recommend that you check how the certificates are distributed to your local computers.
[Figure: Skype for Business client showing the certificate message that prevents the user from signing in]


Root Cause Details:

When distributing the root CA certificate using GPO, the contents of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates will be deleted and written again. This deletion is by design, as this is how the GP applies registry changes.

Changes in the area of the Windows registry reserved for root CA certificates will notify the Crypto API component of the client application, and the application will start synchronizing with the registry changes. This synchronization is how the applications are kept up-to-date and made aware of the most current list of valid root CA certificates.

In some cases, such as scenarios when a large number of root CA certificates are distributed via GPO (similar to many Firewall or AppLocker policies), Group Policy processing will take longer, and the application might not receive the complete list of trusted root CA certificates.

Because of this, end-entity certificates that chain to those missing root CA certificates will be rendered as untrusted, and various certificate-related problems will start to occur. This problem is intermittent and can be temporarily resolved by re-enforcing GPO processing or rebooting.

If the root CA certificate is published using alternative methods, the problem described above might not occur.

Workaround


Microsoft is aware of this issue and is working to improve the certificate and Crypto API experience in a future version of Windows.

To address this issue, avoid distributing the root CA certificate using GPO. This might include targeting the registry location (such as HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates) to deliver the root CA certificate to the client.

When the root CA certificate is stored in a different, physical, root CA certificate store, the problem should be resolved.

Examples of alternative methods for publishing root CA certificates

Method 1: Use the command line tool certutil to add the root CA certificate stored in the file rootca.cer to the root store:

certutil -addstore root c:\tmp\rootca.cer

Note

This command can be executed only by local admins, and it will affect only a single machine.


Method 2:  Start certlm.msc (the certificates management console for local machine) and import the root CA certificate in the Registry physical store.


Note

The certlm.msc console can be started only by local administrators. Also, the import will affect only a single machine.

Method 3: Use GPO preferences to publish the root CA certificate as described in Group Policy Preferences.

To publish the root CA certificate:

  1. Manually import the root certificate on a machine using the “certutil -addstore root c:\tmp\rootca.cer” command (see Method 1).
  2. Open GPMC.msc on that machine where you have imported the root certificate.
  3. Edit the GPO which you would like to use to deploy the registry settings in the following way:
    1. Edit the Computer Configuration | Group Policy Preferences | Windows Settings | Registry | .. path to the root certificate.
    2. Add the root certificate to the GPO as presented in the following screenshot.
  4. Deploy the new GPO to the machines where the root/intermediate certificate needs to be published.

Any other method, tool, or client management solution that distributes root CA certificates by writing them into the location HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates will work.
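
To see which roots on a machine still arrive through the GPO-written key, the following added PowerShell example (not part of the original post or of Microsoft's guidance) compares the two registry locations named above. The function names Get-StoreThumbprint and Compare-RootDistribution are hypothetical, and the script assumes each certificate appears as a subkey named after its thumbprint.

```powershell
# Added example: audit how each trusted root reaches this machine.
# The two registry paths are the ones named on this page; function names are hypothetical.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$LocalPath  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

function Get-StoreThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: each certificate is a subkey named after its thumbprint.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    @(Get-ChildItem -LiteralPath $Path -ErrorAction Stop |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

function Compare-RootDistribution {
    param(
        [string[]]$PolicyThumbprints = @(),
        [string[]]$LocalThumbprints  = @()
    )
    # Union of both lists, dropping empty entries from a missing or empty key.
    $all = @($PolicyThumbprints) + @($LocalThumbprints) |
        Where-Object { $_ } | Sort-Object -Unique
    foreach ($tp in $all) {
        $inPolicy = $PolicyThumbprints -contains $tp
        $inLocal  = $LocalThumbprints  -contains $tp
        [pscustomobject]@{
            Thumbprint        = $tp
            ViaGpoPolicyStore = $inPolicy
            InRegistryStore   = $inLocal
            # Present only in the key that Group Policy deletes and rewrites:
            # these roots can be missing from an application's view mid-refresh.
            GpoOnly           = $inPolicy -and -not $inLocal
        }
    }
}

$report = Compare-RootDistribution `
    -PolicyThumbprints (Get-StoreThumbprint $PolicyPath) `
    -LocalThumbprints  (Get-StoreThumbprint $LocalPath)

$report | Sort-Object GpoOnly -Descending | Format-Table -AutoSize
'{0} root(s) delivered only through the GPO policy key' -f @($report | Where-Object GpoOnly).Count
```

Roots flagged GpoOnly are the ones to move to one of the alternative publishing methods above; after redeploying, the same thumbprints should show InRegistryStore as True.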


Following the above steps will get rid of the Skype for Business sign-in issue that appears with this message: “There was a problem verifying the certificate from the Server”.
