SHA512 certificates preventing RTCSRV from starting


Hi All

Just a quick note about SHA512 certificates and their effect on Lync Server 2013 and Skype for Business 2015. If your Certificate Authority issues certificates with a SHA512 signature hash algorithm (which is where a lot of organisations are now moving to *from sha1*), there is a problem with using these certificates on Windows Server 2012 R2 (and Windows Server 2012, and 2008 R2) if you do not have a particular hotfix installed.

When you try to start an on-premises Front End Pool for Skype for Business 2015 or Lync Server 2013 you'll start seeing Schannel errors in the System Event log.

This issue happens when the Pool certificate you are using has a Signature hash algorithm of sha512RSA.

The good news is the fix is easy: if you hit this, go and install the hotfix from http://support.microsoft.com/kb/2975719.

Interestingly, the first server in a Front End Pool appears to successfully start the RTCSRV service; it's just the 2nd+ servers attempting to start the RTCSRV service that fail. The key is to check whether you have sha512 certs, and whether you are getting the Schannel errors.
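The three checks above (SHA-512 signed certificate in the machine store, the KB2975719 hotfix, recent Schannel errors) can be run together from an elevated PowerShell on a Front End server. This is an added example, not code from the original post; it assumes the pool certificate lives in the LocalMachine\My store and that the Schannel events appear in the System log under the provider name 'Schannel'.

```powershell
# Added example (not from the original post). Assumes an elevated prompt on
# the Front End server, the pool certificate in Cert:\LocalMachine\My, and
# Schannel events written to the System log by the provider named 'Schannel'.

$HotfixId = 'KB2975719'   # hotfix referenced in the post

# 1. Certificates whose signature hash algorithm is SHA-512 (sha512RSA).
$sha512Certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha512' }

if ($sha512Certs) {
    Write-Host "SHA-512 signed certificates found in LocalMachine\My:"
    $sha512Certs |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
        Format-Table -AutoSize
} else {
    Write-Host "No SHA-512 signed certificates in LocalMachine\My."
}

# 2. Is the hotfix installed on this server?
$hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$HotfixId is installed (InstalledOn: $($hotfix.InstalledOn))."
} else {
    Write-Warning "$HotfixId is NOT installed."
}

# 3. Schannel errors (Level 2 = Error) in the System log, last 24 hours.
$since = (Get-Date).AddHours(-24)
$schannel = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Level        = 2
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($schannel) {
    Write-Host "Schannel errors since $since :"
    $schannel | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No Schannel errors in the System log since $since."
}

# Verdict matching the post: SHA-512 cert plus missing hotfix is the failing combination.
if ($sha512Certs -and -not $hotfix) {
    Write-Warning "SHA-512 certificate present and $HotfixId missing: expect RTCSRV start failures on 2nd+ pool members. Install the hotfix."
}
```

Run it on each pool member, since the post notes the first server may start RTCSRV fine while the others fail.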


Happy Skype/Lync'ing.

Steve

Comments (4)

  1. soder says:

    Would be great, if there was a Lync certificate document officially from MSFT that lists all the supported (and I mean really supported and tested) algorithms and settings. So that I don't need to do investigation and detective work why this or that or TLS v1.x does not work under certain constellation of the stars.

    MS PSS (during a lengthy support incident) promised a revised certificate document in the timeframe of Lync 2010 (around 2011), but as you can guess they did not write anything in this topic in the last 4 years. Nothing. Nada. Embarrassing there is nobody inside the Lync product team who is capable of going to the floor where the PKI guys are sitting in the Redmond campus, and put together their heads and spend some weeks to write a proper guide. Lync is the worst PKI-candidate, if there is any chance a PKI setting will break an app, Lync will be the first to crash and die in such cases. Still the necessary background support document-wise is not provided for the external community. I am not even pissed off, 4 years bashing the idiots in Redmond is a long time, and I can see there is 0 result of it.

  2. soder says:

    From the lack of answer / state of silence I have to assume that either a) I am indeed right and people agree with me b) this is a haunted site with write-only / never-read-comments owner

  3. Hi Soder

    Thanks for your comments. The Lync Server certificate TechNet pages that I use for reference when deploying Lync/Skype are (I am sure a Skype for Business version will be released shortly, but use this 2013 version for now):

    Internal Certificates - technet.microsoft.com/.../gg398094(v=ocs.15).aspx

    External Certificates - technet.microsoft.com/.../gg398920(v=ocs.15).aspx

    If there are gaps/questions you have around those articles there is a contact section at the bottom of the TechNet page where you can provide feedback about your concerns.

    HTH

    Steve

  4. soder says:

    No need to approve my critics, it's still the truth I wrote down..
