After applying KB931125, CMS replication and conferencing broke. Apparently that pushed us over the maximum size of the trusted certificate authorities list that the Schannel security package supports (12,228 bytes).
It was resolved by creating a registry key on all of the Lync servers and restarting IIS (iisreset /restart):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"SendTrustedIssuerList"=dword:00000000
Thanks to Tom and Mike for pointing us in the right direction with their forum posts.
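To check a server before or after making this change, the following PowerShell is an added example, not part of the original post or Microsoft's fix: it estimates the size of the issuer list built from the LocalMachine\Root store, compares it with the 12,228-byte limit, and reports the current SendTrustedIssuerList value. The function names and the sizing rule (DER-encoded subject name plus a 2-byte length prefix per CA) are assumptions, so treat the byte count as an estimate.

```powershell
# Added example: audit a server for the Schannel trusted issuer list overflow.
# Assumption: the list is built from the LocalMachine\Root store and each CA
# costs its DER-encoded subject name plus a 2-byte length prefix.
$LimitBytes = 12228   # Schannel maximum quoted in the post
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName  = 'SendTrustedIssuerList'

function Get-IssuerListEstimate {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    $count = 0
    $total = 0
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # SubjectName.RawData is the ASN.1 DER encoding of the subject DN
        $total += $cert.SubjectName.RawData.Length + 2
        $count++
    }
    [pscustomobject]@{ Issuers = $count; Bytes = $total }
}

function Get-SendTrustedIssuerList {
    # Returns $null when the value has not been created (OS default applies)
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

$estimate = Get-IssuerListEstimate
$setting  = Get-SendTrustedIssuerList
$overflow = $estimate.Bytes -gt $LimitBytes

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    RootCAs               = $estimate.Issuers
    EstimatedListBytes    = $estimate.Bytes
    LimitBytes            = $LimitBytes
    OverLimit             = $overflow
    SendTrustedIssuerList = if ($null -eq $setting) { 'not set' } else { $setting }
}

# Flag the combination described in the post: oversized list still being sent
if ($overflow -and $setting -ne 0) {
    Write-Warning 'Issuer list estimate exceeds the limit and SendTrustedIssuerList is not 0.'
}
```

With SendTrustedIssuerList set to 0 the server stops sending the issuer list in the TLS handshake, so clients that hold several certificates no longer get a hint about which issuers the server accepts.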
Following are some of the event IDs from a front end’s Lync Server log:
- 47067 LS UserPin Service
- 61035 LS MCU Infrastructure
- 61039 LS MCU Infrastructure
- 61043 LS MCU Infrastructure
References:
Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003
http://support.microsoft.com/kb/933430
The Audio-Video Conferencing Server failed to send health notifications to the MCU factory
http://social.technet.microsoft.com/Forums/en-US/ocsconferencing/thread/506821e2-d3fe-42bd-a6dc-daed6c5f0df6
1/11/2013 MS posted an article about this problem. Will test their fix in the near future.
http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx
Fix: http://support.microsoft.com/kb/2801679