Search This Blog

Wednesday, April 11, 2018

Microsoft-Windows-Windows Fabric/Admin warning 4097 in Skype for Business

Hello,

if you have this error (actually warning) in Skype for Business FrontEnd, you most probably  can ignore it.

Investigation:

check settings.xml in C:\ProgramData\Windows Fabric\GVASFE1.domain.com\Fabric\Fabric.Config.1.0.0

you can see

   Parameter Name="IgnoreCrlOfflineError" Value="true" 
   Parameter Name="CrlCheckingFlag" Value="3221225476"


So the setting is set to ignore the error. The description of CrlCheckingFlag  you can find in
C:\Program Files\Skype for Business Server 2015\Server\Core\ClusterManifest.Xml.Template

CrlCheckingFlag setting follows the rest of the Lync Server components (sipstack, web) which
        set the following flags:
               CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL           =0x00000004 |  // do not go on the wire for cert retrieval
               CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY        =0x80000000 |  // do not go on the wire for cert revocation check
               CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT=0x40000000

                                                              0xC0000004=3221225476 (unsigned int)
     
     


as you see  CrlCheckingFlag equal 0xC0000004

means - check cache only - exclude root - we must be checking only intermediate CRL and if it is locally cached.

to check local cache (of current user) use command

certutil -urlcache CRL

to chache a specific CRL - use command

certutil -f -urlfetch -verify gvasfe1.cer
where cer is a file with a certificate
refer https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ 

Fabric run as network service, so you can check that also, but it would require hacking: https://windoh.wordpress.com/2011/04/23/crl-caching-in-windows-and-a-little-bit-about-ocsp-caching-too/


Summary: as you can see SFB Windows fabric is set up to ignore the error and continue, the error may come from issues retrieving CRL or absence of CRL in local cache. In most cases you should also ignore this error.   If you want to fix it (not recommended), replace in ClusterManifest.Xml.Template %CRLCHECKINGFLAG% as 0 and reboot

No comments: