Skype For Business Mac Error There Was A Problem Verifying The Certificate
I'm in the process of deploying my first Skype for Business 2015. The previous administrator configured the local domain with all of the servers using a .local domain. It then says 'Can't sign in to Lync' 'There was a problem verifying the certificate from the server'. Obviously because the internal CA is not trusted.
Problem
When an Office 365 user tries to sign in to Skype for Business Online (formerly Lync Online) by using Lync 2010 or Lync 2013, the user receives the following error message:
Additionally, when you try to sign in to Lync after a network outage or a Skype for Business Online service outage, you receive the following error message:
Cause
This issue may occur if one or more of the following conditions are true:
The software is out of date.
- The Lync client is out of date.
- The Microsoft Online Services Sign-In Assistant is out of date.
The certificates cannot be acquired or validated.
- The Skype for Business Online personal certificate or the cached credentials are corrupted or are out of date.
- Part of the certificate chain is untrusted and the certificate chain fails validation.
Solution
Resolution for Lync 2013
Delete the sign-in information
During the sign-in process, Lync 2013 caches your credentials and other information about its connection to Skype for Business Online. If you have trouble signing in to Skype for Business Online, click Delete my sign-in information, and Lync 2013 will automatically remove any saved password, certificates, and connection settings for the user account.
Resolution for Lync 2010
- Update the Lync client to the latest version that's available on the Downloads page of the Office 365 portal.
- Update the Microsoft Online Services Sign-In Assistant to the latest version.
- Clear your cached certificates, credentials and connections.
Additional troubleshooting steps for Lync 2013 and Lync 2010
Note
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
If the steps earlier in this article don't resolve the issue, try the following methods, as appropriate for your situation:
When Lync connects to a specific front-end server, it caches that endpoint to make the sign-in process faster in the future. However, sometimes the endpoint can be changed and can cause sign-in to fail. To delete the endpoint cache, follow these steps:
- Locate the local application data folder:
Windows Vista, Windows 7 and Windows 8 (excluding Windows 8 RT):
%LOCALAPPDATA%\Microsoft\Communicator\<sip_address@contoso.com>
Windows XP:
%USERPROFILE%\Local Settings\Application Data\Microsoft\Communicator\<sip_address@contoso.com>
- Delete the folder associated with your sign-in address.
- Restart Lync, and then try to sign in to Skype for Business Online.
If you're using Lync 2010, delete the Skype for Business Online personal certificate and then download a new one. Be aware that when the user clicks Save Password in Lync 2010, this action also saves the certificate in Windows Certificate Manager.
To delete a personal certificate, follow these steps:
- Delete the certificate in Windows Certificate Manager. To do this, follow these steps:
- Open Windows Certificate Manager. To do this, press Windows + R, type certmgr.msc, and then click OK.
- Expand Personal, and then expand Certificates.
- Sort by the Issued By column, and then look for a certificate that's issued by Communications Server.
- Verify that the certificate is present and that it isn't expired.
- Delete the certificate and try to sign in to Skype for Business Online. If you can't sign in to Skype for Business Online, go to step 2.
- If you're running Windows 7, remove the user's stored credentials in Windows Credential Manager. To do this, follow these steps:
Open Control Panel, and then click Credential Manager.
Locate the set of credentials that's used to connect to Skype for Business Online.
Expand the set of credentials, and then select Remove from Vault.
Try to sign in to Skype for Business Online again, and then type your new set of credentials.
Note
These steps aren't necessary in Lync 2013 because deleting the sign-in information, as described earlier, removes the certificates automatically.
Flush the DNS cache. To do this, follow these steps:
Press Windows + R, type the following command, and then press Enter:
ipconfig /flushdns
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
On the affected computers, check the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
If the value of MachineGuid contains braces around the GUID (for example, {c1cbd94c-0d35-414c-89ef-dd092b984883}), then remove the braces, restart Lync, and then try to sign in again.
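A read-only way to check two of the client-side conditions above (the personal certificate issued by Communications Server, and braces in MachineGuid) before deleting or editing anything. This PowerShell is an added example, not part of the original article; the function names are hypothetical.

```powershell
# Added example: inspect only, nothing is deleted or modified.

# Personal certificates issued by "Communications Server".
# Cert:\CurrentUser\My is the "Personal > Certificates" node shown in certmgr.msc.
function Get-LyncPersonalCertificate {
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*Communications Server*' } |
        ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                NotBefore   = $_.NotBefore
                NotAfter    = $_.NotAfter
                Expired     = $now -gt $_.NotAfter
                NotYetValid = $now -lt $_.NotBefore   # also true when the local clock is wrong
                Thumbprint  = $_.Thumbprint
            }
        }
}

# MachineGuid should be a bare GUID; report whether it is wrapped in braces.
function Test-MachineGuidFormat {
    $key    = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
    $value  = (Get-ItemProperty -Path $key -Name MachineGuid).MachineGuid
    $parsed = [guid]::Empty
    [pscustomobject]@{
        MachineGuid = $value
        HasBraces   = $value -match '^\{.*\}$'
        IsValidGuid = [guid]::TryParse($value.Trim('{}'), [ref]$parsed)
    }
}

# Back up the key before any manual edit, for example:
#   reg.exe export "HKLM\SOFTWARE\Microsoft\Cryptography" "$env:TEMP\cryptography-backup.reg"

Get-LyncPersonalCertificate | Format-List
Test-MachineGuidFormat
```

An empty result from the first function means no cached personal certificate is present for the current user, so there is nothing to delete in Certificate Manager.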
Resolution for Skype for Business Online administrators: Validate the certificate chain
End users may receive an error stating that the certificate can't be validated. This usually happens because one of the certificates in the chain is untrusted and can't be validated. This typically occurs for customers who use single sign-on in Office 365 or for customers who have Lync hybrid deployments.
For more information about certificate validation with Lync, see Lync Mobile users cannot sign in after they update to client version 5.4.
Note
Although this article is written for mobile devices, the same concepts apply to Lync clients.
More Information
If the issue persists after you perform these troubleshooting steps, contact Microsoft Office 365 technical support or the Microsoft Office 365 Community forums. In certain cases, the Active Directory Domain Services user account may be incomplete or corrupted. Therefore, Skype for Business Online can't generate a personal certificate. This may not affect all of a tenant's accounts because the effect depends on the state of the server when the user account was created.
To narrow the issue, determine whether the issue occurs for multiple user accounts on the same computer. Then, try to sign in to Skype for Business Online from the same computer by using multiple user accounts. This process indicates whether the problem is related to the configuration of the computer or an issue with the Skype for Business Online user account.
Certificates confirm not only that the server is presenting the website you wanted to visit, but also that a certificate authority has confirmed that the company or organization behind the site is legitimate. If you encounter a problem verifying a certificate from a server, it's either a technical glitch or an attempt to scam you.
Date and Time
Just as your driver's license expires every few years, server certificates have expiration dates. If the server's operator hasn't renewed the certificate with the certificate authority which issued it by the expiration date, then your computer will not verify it as valid. However, your computer could reject a valid certificate if your date and time are not set correctly. If your computer thinks the current date is a time before the certification authority ever issued the certificate, then it will treat the certificate as invalid.
Certificate Usage
There is more than one type of server certificate. Some certificates authenticate a single domain, some authenticate multiple domains, while others certify multiple subdomains within one or more domains. If a website operator is trying to use a certificate for the wrong purpose, such as a single domain certificate when he needs a wildcard certificate for multiple subdomains, then your browser won't be able to verify the certificate.
Self-Signed Certificate
A server's certificate has to be signed by a certification authority for your browser to verify the certificate as valid. However, some servers, such as those operated by military or government organizations, sign their own certificates and act as their own certificate authorities. They have an internal method for authenticating the server certificate's signature, and don't rely on certificate authorities like everyone else does. A browser cannot independently verify self-signed certificates.
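The chain validation that the administrator section asks for, and the date and self-signed cases described above, can be observed directly with .NET's X509Chain class on a Windows client. This PowerShell is an added example, not code from the original articles; `Test-CertificateChain` is a hypothetical helper name.

```powershell
# Added example: build the trust chain the way Windows does and report,
# per chain element, why validation fails.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Evaluate trust and validity dates only; do not go online for CRL/OCSP.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($Certificate)

        foreach ($element in $chain.ChainElements) {
            $cert  = $element.Certificate
            $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
            [pscustomobject]@{
                ChainTrusted = $trusted
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SelfIssued   = $cert.Subject -eq $cert.Issuer   # name comparison only
                NotAfter     = $cert.NotAfter
                # NotTimeValid  : expired, not yet valid, or the local clock is wrong
                # UntrustedRoot : root is not in the Trusted Root store
                #                 (self-signed certificate or an internal CA)
                # PartialChain  : an issuing (intermediate) certificate is missing
                Status       = if ($flags.Count) { $flags -join ', ' } else { 'NoError' }
            }
        }
        $chain.Reset()
    }
}

# Offline demonstration against whatever is in the current user's Personal store.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Test-CertificateChain |
    Format-Table -AutoSize

# To test a server certificate exported to a file (path is a placeholder):
#   $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\server.cer'
#   $c | Test-CertificateChain
```

X509Chain evaluates trust and validity dates only; it does not compare the certificate's names against the host name the client connected to, so a name mismatch will not appear in this output.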
Fraud
There are a variety of technical issues that could produce browser error messages when you are visiting a perfectly legitimate site. However, the problem could also be that the server you are connected to is just pretending to be the site you wanted to visit. Your browser won't tell you specifically that a server is really an attempt to intercept your connection and steal your data. When you get a verification error, it is better to err on the side of caution than put your personal information at risk.
About the Author
Micah McDunnigan has been writing on politics and technology since 2007. He has written technology pieces and political op-eds for a variety of student organizations and blogs. McDunnigan earned a Bachelor of Arts in international relations from the University of California, Davis.