
Setting up a new Lync 2013 install in the Company Network I got everything nearly working except Client Login.

There seems to be a mismatch of capabilities or some settings in the TLS area - the connection fails, and I get quite a lot of Schannel events 36874. EventData is:

<EventData>
  <Data Name="Protocol">TLS 1.2</Data> 
</EventData>

The General text is:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

There is no clear documentation how to handle it - it is related to SOME SORT of TLS encryption issues, but Windows does not even like to tell what. There SUPPOSEDLY is a GPO Setting regarding allowed encryptions, but I am not able to find it - maybe a temporary blindness, or it is well hidden.

Own CA, that all works. Servers are fresh installed 2012, and a fresh installed Windows 8 for the Client. The Domain is older (so old Default Settings in a GPO may cause this).

This is quite frustrating. Links to the Event ID on the Internet find mostly people that have the problem, no clear information how to handle it. Can anyone point me in the right direction?

TomTom
  • According to http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4a9eb2a1-4b92-467b-86da-a85f1437021a/ , it maybe problem cause by how you generate/request your cert. Jump down to Matthias Aevermann post and start from there. – John Siu Nov 08 '12 at 05:14
  • That would be nice if it would not be: Svr2012 and Windows 8 and a request generated by the Lync 2013... wizard. I don't enter anything manually. – TomTom Nov 08 '12 at 17:10
  • Try this: http://technet.microsoft.com/en-us/library/dd197492%28WS.10%29.aspx That increases the log level of schannel event. Hope that give more info. – John Siu Nov 08 '12 at 19:40
  • A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205. The Event is 36888 and that is it - NO additional information available. – TomTom Nov 11 '12 at 07:40
  • Can you check event log on client machine or even debug the network traffic. Seems it is the client dropping the connection completely. – John Siu Nov 11 '12 at 07:48
  • Can you check your cert info? AES? SHA? – John Siu Nov 11 '12 at 08:01

1 Answer

I found a solution on

http://social.technet.microsoft.com/Forums/en-US/lyncprofile/thread/41718327-203f-445f-8657-87b0a8545ead/

from user Matt. I quote:

I have been working with Microsoft for a couple of weeks on this and we have identified a workaround that resolves the issue.

To be clear on my environment: I am using Windows Server 2012 with Lync Server 2013. The issue was that the Lync 2013 Client could not login to the Lync 2013 Server while the Windows 8 Lync APP and the Lync 2010 client could log in. We were receiving a lot of SChannel error messages (36888 and 36874) in the System log indicating TLS errors 10 and 40 and SChannel errors 1205 and 1203. Basically the Lync 2013 client was unable to negotiate TLS 1.2 with the Lync 2013 Server.

To Resolve this issue do the following:

  • On the Lync 2013 server open the registry and browse to the following location: HKLM\System\CurrentControlSet\SecurityProviders\SChannel\Protocols

  • Create the following Key under Protocol: TLS 1.2

  • Create the following two Keys under TLS 1.2: Client and Server

  • Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled

  • Under both Client and Server set the following: DisabledByDefault=1 and Enabled=0

  • Reboot the server.

Entering these keys Disables TLS 1.2 on the server forcing the client and server to communicate over TLS 1.1.

Good Luck,

Matt

This worked for me.

Matthias
  • Will try. So the problem is a bad negotiation to TLS 1.2? – TomTom Jan 16 '13 at 14:04
  • I don't know what causes the problem, but it seems it's a TLS negotiation problem. Strange is, that it works with the Lync 2010 client. – Matthias Jan 16 '13 at 14:47
  • The correct path in the registry is `HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols`, you missed "Control" in your quote. – Rob Jan 14 '16 at 09:16
  • Just as a side note here: If you disable TLS 1.2 this might cause issues with windows updates as mentioned in the link. So this might be no longer a good solution... – BastianW Feb 25 '16 at 20:10
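An added, read-only audit script (my own example, not code from the thread or from Matt's post) that shows the per-protocol Client/Server SChannel keys the workaround above edits, using the full path with `Control` that Rob points out, and summarises recent Schannel 36874/36888 events with their EventData so you can see which protocol is failing before and after any change. Function names are my own; run it in an elevated PowerShell on the server.

```powershell
# Full SChannel protocols path (the quoted answer omits "\Control\").
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SChannelProtocolState {
    # Lists <Protocol>\Client and <Protocol>\Server keys. A missing key or value
    # means the OS default applies; Enabled=0 or DisabledByDefault=1 means the
    # protocol has been switched off for that side (as the workaround does for TLS 1.2).
    if (-not (Test-Path $base)) { return }
    foreach ($proto in Get-ChildItem -Path $base) {
        foreach ($side in 'Client', 'Server') {
            $key  = "$base\$($proto.PSChildName)\$side"
            $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled  = '(default)'
            $disabled = '(default)'
            if ($null -ne $vals.Enabled)           { $enabled  = $vals.Enabled }
            if ($null -ne $vals.DisabledByDefault) { $disabled = $vals.DisabledByDefault }
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
                EffectivelyOff    = ($vals.Enabled -eq 0) -or ($vals.DisabledByDefault -eq 1)
            }
        }
    }
}

function Get-SChannelFailures {
    # Pulls the two event IDs from the thread out of the System log and flattens
    # their EventData (Protocol for 36874; AlertDesc/ErrorState for 36888).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36888
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $detail = ($data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join ' '
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $detail }
    }
}

Get-SChannelProtocolState | Format-Table -AutoSize
# Most frequent failure signatures first, e.g. "Protocol=TLS 1.2" or "AlertDesc=40 ErrorState=1205".
Get-SChannelFailures | Group-Object Id, Detail | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the audit shows TLS 1.2 as EffectivelyOff on both sides, that is the workaround state from the answer; BastianW's note above about Windows Update applies, so treat it as something to revert rather than leave in place.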