
Thursday, February 4, 2016

Sonus SBA issue: OAuth certificate is missing

Log Name:      Lync Server
Source:        LS Replica Replicator Agent Service
Date:          2/4/2016 5:29:26 AM
Event ID:      3041
Task Category: (3003)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      sba.domain.com
Description:
The replication of certificates from the central management store to the local machine failed due to a problem with encryption key management. Microsoft Lync Server 2013, Replica Replicator Agent will continuously attempt to retry the replication. While this condition persists, the certificates on the local machine will not be updated.
Exception: Microsoft.Incubation.Crypto.GroupKeys.KeyException: Not able to read from the key object. ---> System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at Microsoft.Incubation.Crypto.GroupKeys.ADRepository.ReadKey(Guid keyId)
   --- End of inner exception stack trace ---
   at Microsoft.Incubation.Crypto.GroupKeys.ADRepository.ReadKey(Guid keyId)
   at Microsoft.Incubation.Crypto.GroupKeys.DKMBase.ReadKey(Guid guid)
   at Microsoft.Incubation.Crypto.GroupKeys.DKMBase.Unprotect(MemoryStream cipherText, Boolean pinnedOutput)
   at Microsoft.Rtc.Management.Internal.KeyManagement.GroupKeyWrapper.DecodeToArray(String cipherText)
   at Microsoft.Rtc.Management.Deployment.Core.Certificate.ReplicateCMSCertificates(IScopeAnchor scope)
   at Microsoft.Rtc.Internal.Tools.Bootstrapper.Bootstrapper.ReplicateCMSCertificates().
Cause: The encryption key database has been corrupted or local machine cannot access it.
Resolution:
Ensure that forest configuration is up to date. Run Enable-CSAdForest and/or Enable-CSComputer Power Shell commands to validate forest and local machine configuration.


The solution in my case was to set rights for the SBA computer account and the RTCComponentUniversalServices, RTCHSUniversalServices and RTCSBAUniversalServices groups.

These need access to the AD container that holds the Lync certificates: domain.local/Program Data/Microsoft/Distributed KeyMan/LyncCertificates. Open it with ADSI Edit and check its security.


Once that is done, wait until AD has replicated everywhere. Then, on the SBA, run Enable-CsComputer and reboot.
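As an added example (not code from the original post), the following PowerShell check reads the ACL on that container and reports which of the accounts named above actually hold read access, so you can confirm the fix before waiting for replication. It assumes the ActiveDirectory module is available, that the canonical path in the post maps to the distinguished name built below, and that 'sba' is a placeholder for the SBA computer's sAMAccountName.

```powershell
# Added example, not from the original post. Checks the ACL on the Lync
# certificate container for the principals the post says need rights.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$nb       = $domain.NetBIOSName

# Assumed DN for the post's path:
# domain.local/Program Data/Microsoft/Distributed KeyMan/LyncCertificates
$containerDn = "CN=LyncCertificates,CN=Distributed KeyMan,CN=Microsoft,CN=Program Data,$domainDn"

# Placeholder: replace with the SBA computer's sAMAccountName (without the trailing $).
$sbaComputer = 'sba'
$principals  = @(
    "$nb\$sbaComputer`$",
    "$nb\RTCComponentUniversalServices",
    "$nb\RTCHSUniversalServices",
    "$nb\RTCSBAUniversalServices"
)

function Test-ReadAccess {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Identity
    )
    $readBit = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    foreach ($ace in $Acl.Access) {
        # Count only Allow ACEs for this identity whose rights include ReadProperty
        # (GenericRead and GenericAll both contain that bit); Deny ACEs are ignored here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.ActiveDirectoryRights -band $readBit) -eq $readBit) {
            return [pscustomobject]@{ Identity = $Identity; HasRead = $true;  Inherited = $ace.IsInherited }
        }
    }
    return [pscustomobject]@{ Identity = $Identity; HasRead = $false; Inherited = $null }
}

$acl = Get-Acl -Path "AD:\$containerDn"
$principals | ForEach-Object { Test-ReadAccess -Acl $acl -Identity $_ } | Format-Table -AutoSize
```

Any row with HasRead set to False is a principal still missing rights on the container; after granting them and letting AD replicate, Enable-CsComputer on the SBA should complete without the Event ID 3041 error.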
