Lync 2013 / Skype for Business Edge SSL negotiation wasn’t successful

I’m going out on a limb here…

You’re reading this blog post because, like me, you’re building your nice greenfield Lync 2013 or Skype4B implementation.

As part of the install you have spun up an edge server, checked all the port requirements and had the firewall team implement your changes, got your SSL certificates ready and assigned.

Everything looks good, so you head over to https://testconnectivity.microsoft.com/, punch in the details of your test account and get the most unhelpful error message ever:

The certificate couldn’t be validated because SSL negotiation wasn’t successful.

Now, I’m sure you have probably spent a little while checking for the obvious before jumping on Google and punching the error in.

  • Edge certificate
  • Intermediates if you need them
  • Certificate between Edge and Front end pool
  • Maybe you even checked the firewall to make sure it wasn’t it.
  • A couple of articles out there will suggest looking at the TLS handshake

Two things I can recommend to make troubleshooting this a lot easier.

1.) Go grab the Remote UC Troubleshooting Tool (RUCT) by Curtis Johnstone.

It gives a much better technical view of what’s going on than the Microsoft Lync Connectivity Analyzer application, and at least lets you verify what SSL certs are coming through.

You can grab it here http://www.insideocs.com/Tools/RUCT/RUCT.htm

Edit: Yes, I know James Cussen has built a similar tool to RUCT for checking DNS and the like; I still use RUCT for checking SSL certificates and chains.
You can grab James’ tool from here http://www.mylynclab.com/2014/03/lync-edge-testing-suite-part-2-lync-dns.html

2.) Check your remote access policy.

For some insane reason, if you haven’t defined your remote access policy, instead of the port being shut or getting an error message, the Lync server will abort the TLS handshake. WHAT?

To fix, head over to your Lync/Skype4B control panel and in the “Federation and External Access” section, ensure you have “Enabled communications with remote users” ticked.

Check your remote communications are enabled
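
A scripted version of both checks, as an added example that is not part of the original post: it separates a TCP connect failure from an aborted TLS handshake, lists the certificate chain the Edge presents, and reads the setting behind the tick box. The FQDN `sip.contoso.com` and port 443 are placeholders, and the function name `Test-EdgeTlsHandshake` is made up for this example.

```powershell
# Added example, not from the original post. sip.contoso.com and port 443 are placeholders.
function Test-EdgeTlsHandshake {
    param([Parameter(Mandatory)][string]$EdgeFqdn, [int]$Port = 443)

    $r = [ordered]@{ Target = "${EdgeFqdn}:$Port"; Stage = 'TCP connect'; Ok = $false
                     Protocol = $null; Chain = @(); PolicyErrors = $null; Error = $null }
    $script:EdgeTlsSeen = $null
    # Record what the server presents, then accept it, so that an untrusted or
    # incomplete chain is reported instead of ending the handshake on our side.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $script:EdgeTlsSeen = @{
            Errors = $policyErrors
            Chain  = @($chain.ChainElements | ForEach-Object {
                '{0} (issuer: {1}, expires {2:yyyy-MM-dd})' -f
                    $_.Certificate.Subject, $_.Certificate.Issuer, $_.Certificate.NotAfter })
        }
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($EdgeFqdn, $Port)        # failure here: DNS, firewall or NAT
        $r.Stage = 'TLS handshake'
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($EdgeFqdn)  # failure here: the handshake did not complete
        $r.Ok = $true
        $r.Protocol = $ssl.SslProtocol
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($script:EdgeTlsSeen) {
            $r.Chain = $script:EdgeTlsSeen.Chain
            $r.PolicyErrors = $script:EdgeTlsSeen.Errors
        }
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$r
}

Test-EdgeTlsHandshake -EdgeFqdn 'sip.contoso.com' -Port 443 | Format-List

# Only runs where the Lync/Skype4B Management Shell cmdlets are loaded.
# AllowOutsideUsers is the setting behind the remote users tick box.
if (Get-Command Get-CsAccessEdgeConfiguration -ErrorAction SilentlyContinue) {
    Get-CsAccessEdgeConfiguration | Select-Object AllowOutsideUsers, AllowFederatedUsers
}
```

A result with `Stage = TLS handshake`, `Ok = False` and an empty `Chain` means the port is reachable but the server ended the handshake before presenting a certificate, which is the symptom described above.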


Edit: 19/04/2016

I’ve seen this happen with Skype4B as well, so I’ve updated the article a wee bit to try and help others find it.

 

3 thoughts on “Lync 2013 / Skype for Business Edge SSL negotiation wasn’t successful”

  1. Ahmed

    I am having the same issue with SFB federation when doing test connectivity analyzer getting the same issue.

    1. James Arber (Post author)

      Don’t worry. It’s bitten me more than once.
