This is just a brief troubleshooting article on how to easily identify if a revoked SSL certificate is the cause of Lync user login failures in Lync Server 2010.
- Seemingly out of the blue Lync clients are no longer able to sign in to Lync and the client generically reports back a “server is not responding or cannot be reached’” error.
Based on that description it appears that connectivity to the server is failing. After validating that the server is still resolvable, is still listening on 5061 (or 443 for Edge), and is not displaying any errors in the Event Log it would appear that the issue may be related to the client itself.
Except that this issue is reported on many different clients (all of them, in fact) and if an Edge server is involved then external features like federation are also broken. But attention should be turned back to a client for additional troubleshooting steps.
- Often over-looked, but make sure to ‘Turn on Windows Event Logging for Lync’ on the workstation.
- Attempt to sign in again and then check the Application event log on the Lync workstation for any errors from Communicator for Event ID 5.
The event description is the first clue pointing towards problems establishing a trusted TLs connection, meaning that the server is responding and is reachable, unlike the original error message reported within the client interface.
Communicator could not connect securely to server sip.mslync.net because the certificate presented by the server was not trusted due to validation error 0x80092010. The issuing certificate authority (CA) for the server’s certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
- A quick Internet search for the error code above returned more specific details than the event log description does, pinning this code directly to certificate revocation.
The certificate is revoked. 0x80092010 (-2146885616)
Certificate is REVOKED
- Alternatively a web browser can be used to test connections to any of the Lync Web Services if the sign in issues are to an internal Front End or Director. Attempting to access one of the web services URLs manually (like the /abs site) will also help correctly uncover the revoked certificate.