Troubleshooting Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”


So you recently deployed Lync Server 2013 and, alongside it, an Office Web Apps Server 2013 (also known as WAC) farm, which is what provides PowerPoint sharing. Users are happy because they can now share PowerPoint decks with animations and videos in Lync 2013.

The next day, a user reports that he is unable to share or view a PowerPoint presentation and gets the following error message:


“There was a problem verifying the certificate from the server. Please contact your support team.”


This user is on a non-domain-joined (workgroup) machine. He has evidently already imported the internal root CA certificate on that machine, since he can sign in to Lync Server 2013 and start a conference.

A Beta Support engineer suggested disabling “Check for server certificate revocation” in the Internet Explorer advanced settings, and that did make the error go away.


While that workaround is tolerable in this scenario, since it affects only one user, it is not acceptable in an environment with many non-domain-joined (workgroup) machines: it has to be applied on every client, and it switches off revocation checking for every HTTPS site the browser visits, not only for the WAC server.

Upon further investigation, validating the WAC server certificate from the non-domain-joined (workgroup) machine with certutil -urlfetch -verify WAC.cer produced the following result:


The verification output shows that the certificate carries only LDAP targets in its AIA and CDP extensions. Those LDAP URLs point at objects in Active Directory, and a non-domain-joined (workgroup) machine cannot reach or authenticate to the directory, so it can retrieve neither the CRL nor the issuer certificate and the revocation check fails.
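The following PowerShell script is an added example (not part of the original post) that reproduces this diagnosis from the workgroup client without the WAC.cer export step: it fetches the WAC server's TLS certificate, lists the URLs in its CDP and AIA extensions, and then builds the chain with online revocation checking, which is what Internet Explorer does before it loads the PowerPoint frame. The WAC host name is an assumption; substitute your farm's FQDN.

```powershell
# Added example, not from the original post. Run on the workgroup client.
# Assumption: the WAC farm answers on $WacHost:443 and the internal root CA is
# already in this machine's Trusted Root store (as in the post).
param(
    [string]$WacHost = 'wac.contoso.com',   # assumed WAC farm FQDN
    [int]$Port = 443
)

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation is deliberately skipped here ({ $true }): this function only
        # fetches the leaf certificate; the real check is Test-CertRevocation below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate out before the connection is closed.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

function Get-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points (CDP)
    # OID 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Cert.Extensions[$oid]
        if (-not $ext) { continue }
        # Format() renders the ASN.1 as text containing one "URL=..." line per target.
        foreach ($m in [regex]::Matches($ext.Format($true), '(?i)\b(ldap|http|https)://\S+')) {
            New-Object PSObject -Property @{
                Extension = $ext.Oid.FriendlyName
                Scheme    = $m.Groups[1].Value.ToLower()
                Url       = $m.Value
            }
        }
    }
}

function Test-CertRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = actually go and fetch CRLs/issuer certs, like IE does when
    # "Check for server certificate revocation" is enabled.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $built = $chain.Build($Cert)
    New-Object PSObject -Property @{
        ChainValid = $built
        Status     = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$cert = Get-TlsServerCertificate -HostName $WacHost -Port $Port
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

$urls = @(Get-RevocationUrls -Cert $cert)
$urls | Format-Table Extension, Scheme, Url -AutoSize

$result = Test-CertRevocation -Cert $cert
Write-Host "Chain valid with online revocation checking: $($result.ChainValid)"
$result.Status | ForEach-Object { Write-Host "  $_" }

# If every target is ldap:// and the status reports RevocationStatusUnknown or
# OfflineRevocation, this client has no reachable CDP/AIA location, which is
# exactly the condition behind the IE error in the post.
if ($urls.Count -gt 0 -and -not ($urls | Where-Object { $_.Scheme -eq 'http' })) {
    Write-Warning 'Only LDAP targets found: a workgroup machine cannot fetch the CRL or issuer certificate from Active Directory.'
}
```

Run it as .\Test-WacCert.ps1 -WacHost wac.yourdomain.com. A certificate that verifies cleanly prints ChainValid True with an empty status list; the failing case in this post prints only ldap:/// URLs followed by a RevocationStatusUnknown or OfflineRevocation status.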

Digging deeper, the root CA used within the organisation is an Enterprise Root CA (AD-integrated), and by default its AIA and CDP extensions included only the LDAP target in issued certificates. An HTTP target was defined, but the options that include it in issued certificates were not enabled:


To give non-domain-joined (workgroup) machines an alternative location from which to perform the CRL check, the HTTP target must be enabled for both the AIA and CDP extensions. In the CA properties, on the Extensions tab, tick “Include in the CDP extension of issued certificates” for the HTTP CRL location and “Include in the AIA extension of issued certificates” for the HTTP certificate location. Note that the default HTTP target (http://<ServerDNSName>/CertEnroll/...) depends on the “Certification Authority Web Enrollment” role service being installed, because it points at a virtual directory that is created when that role service is installed. The URL must also resolve and be reachable over plain HTTP from the workgroup machines; a CDP is deliberately served over HTTP rather than HTTPS, because checking revocation of the CDP site's own certificate would otherwise loop.

After making the changes on the Active Directory Certificate Services (AD CS) side, restart the certificate service so that it picks up the new extension settings, then publish a new CRL by running certutil -crl on the AD CS server. The WAC server certificate must then be re-issued (request a new certificate for the WAC server): the AIA and CDP URLs are written into each certificate at issuance, so the existing certificate still carries only the LDAP targets.
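The CA-side procedure above, as an added PowerShell example that is not from the original post. It uses the ADCSAdministration cmdlets (Windows Server 2012 and later) to enable the CA's default CertEnroll HTTP locations for issued certificates, restarts the CA, republishes the CRL and checks that the Web Enrollment virtual directory actually serves it. It assumes the CRL is published from the CA's own web server; if you serve CRLs from a separate host, replace <ServerDNSName> with that host's DNS name in the two URIs.

```powershell
# Added example, not from the original post. Run on the Enterprise Root CA as a
# CA administrator. Requires the ADCSAdministration module (Server 2012+).
Import-Module ADCSAdministration

# The CA's default HTTP locations. <ServerDNSName>, <CaName>, <CRLNameSuffix>,
# <DeltaCRLAllowed> and <CertificateName> are the substitution variables shown
# on the CA's Extensions tab; the CA expands them when it issues a certificate.
$CrlUri = 'http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$AiaUri = 'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt'

Write-Host '--- CDP / AIA entries before ---'
Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# CDP: register the HTTP location with "Include in the CDP extension of issued
# certificates" (-AddToCertificateCdp) and "Include in CRLs. Clients use this to
# find Delta CRL locations" (-AddToFreshestCrl). Any existing CertEnroll HTTP
# entry is removed first so the new flags apply cleanly.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*/CertEnroll/*' } |
    Remove-CACrlDistributionPoint -Force
Add-CACrlDistributionPoint -Uri $CrlUri -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: "Include in the AIA extension of issued certificates" (-AddToCertificateAia).
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://*/CertEnroll/*' } |
    Remove-CAAuthorityInformationAccess -Force
Add-CAAuthorityInformationAccess -Uri $AiaUri -AddToCertificateAia -Force

# The CA reads the extension configuration at start-up. Restart it, then publish
# a fresh CRL so the HTTP location has a current file to serve.
Restart-Service CertSvc
certutil -crl

Write-Host '--- CDP / AIA entries after ---'
Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Sanity check: the Web Enrollment virtual directory must serve the CRL over
# anonymous HTTP. The CA's FQDN is used here; workgroup clients must be able to
# resolve and reach the same URL (name resolution and firewall rules).
$caName = ((certutil -cainfo name | Select-String 'CA name:') -replace '^.*CA name:\s*', '').Trim()
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$crlUrl = "http://$fqdn/CertEnroll/$caName.crl"
$response = Invoke-WebRequest -Uri $crlUrl -UseBasicParsing
Write-Host "GET $crlUrl -> HTTP $($response.StatusCode), $($response.RawContentLength) bytes"
```

Only certificates issued after this change carry the HTTP URLs, so the WAC certificate still has to be re-requested, as the post says; on the WAC server the new certificate is then selected with Set-OfficeWebAppsFarm -CertificateName, where the name is the certificate's friendly name in the machine store.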

Validate the new WAC certificate from the non-domain-joined (workgroup) machine with the same certutil command, and the result should now look like the following:


Once it verifies cleanly, install the new certificate on the WAC server and reconfigure the farm to use it; PowerPoint sharing then works without any change to the Internet Explorer security setting.

Comments (11)

  1. Anonymous says:

    Thanks for the post. It's a much better solution than just changing the IE security settings. Just to add on, in my lab I found that even after enabling HTTP for the CDP and AIA extensions on the CA server and re-issuing a new certificate to the Web Apps server, the old farm seemed to have been deleted. Running Get-OfficeWebAppsFarm returned a "No Web Farm found" error message.

    To fix this, I had to re-create the farm using the New-OfficeWebAppsFarm cmdlet and specify the new cert in the parameters. After that I could start sharing PowerPoint content in Lync 2013.

    I think these steps should be documented in the Office Web Apps Farm deployment guide or, alternatively, be fixed in the next CU for the Lync 2013 client.

  2. I have this certificate error for non-domain and domain computers. I re-created the certificate as per the following site: http://www.ucprimer.com/deploying-lync2013-web-apps-server.html. Then domain-joined computers started to work perfectly, but not non-domain computers. As per this site, I disabled “Check for server certificate revocation” in IE and then the non-domain computers worked.

  3. John says:

    What about non-domain joined machines that are outside your organization (e.g. home office users, partner networks, etc)? Should this CDP/AIA point be available from the Internet for these clients? i.e. published via something like TMG?

  4. John,

    Outside of the organisation the internal cert is not used, but one from a public CA residing on the reverse proxy. Their CRL is reachable from the internet, so no problem!

  5. Dmitriy Seleznev says:

    Do I need manual certificate CRL verification (certutil.exe -URLFetch -Verify MyOwasCert.crt) on each non-domain PC to get PowerPoint presentations working inside my organization?


  7. Anonymous says:

    Hi folks, a SmartRoom integration into a customer's Lync 2013 environment gave us some headaches. When presenting a PowerPoint in a Smart Meeting, the following error always appeared: “There was a problem verifying the certificate from

  8. reza says:

    Tnxxxxxxxxxxxxxx

  9. anony.muos says:

    Mine won't connect at all; it just says "cannot connect with server, try again later", and obviously the internet is working or I wouldn't be able to post this comment, but it won't work AT ALL and at this point it is very frustrating!

  10. Anil says:

    It works for me. Thanks.

  11. anonymouscommenter says:

    Pingback from Skype for Business Server 2015 Deployment – Part 2 : Jeff Schertz’s Blog
