Lync/SfB Server: Event 41026, LS Data MCU after May 2017 .NET Framework update

Update 2017/06/28 – In Workaround #1 we also need to request new Front End certificates with Client and Server authentication in the EKU.

Recently we notice that Lync Server 2010/2013 and Skype for Business Server 2015 Front Ends were generating the Events 41025 and immediately after the Event 41026:

event41026-01a

Log Name: Lync Server
Source: LS Data MCU
Date: 5/23/2017 5:31:45 PM
Event ID: 41025
Task Category: (1018)
Level: Information
Keywords: Classic
User: N/A
Computer: sfbfe.uclobby.com
Description:
Connection to the Web Conferencing Edge Server has succeeded

Edge Server Machine FQDN: sfbedge.uclobby.com, Port:8057

event41026-01

Log Name: Lync Server
Source: LS Data MCU
Date: 5/23/2017 5:31:45 PM
Event ID: 41026
Task Category: (1018)
Level: Error
Keywords: Classic
User: N/A
Computer: sfbfe.uclobby.com
Description:
No connectivity with any of Web Conferencing Edge Servers. External Skype for Business clients cannot use Web Conferencing modality.

Cause: Service may be unavailable or Network connectivity may have been compromised.
Resolution:
Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.

External Users also reported that couldn’t use WhiteBoard, Polls, Q&A or present PowerPoint with the following errors messages:

We can’t connect to the server for sharing right now.

Network issues are keeping you from sharing notes and presenting whiteboards, polls and uploaded PowerPoint files.

event41026-02

event41026-03

While this is still being investigated a KB article was release with the current workarounds:

LS Data MCU events 41025 and 41026 are constantly generated after you install the May 2017 .NET Framework
https://support.microsoft.com/kb/4023993

The issue is OS independent and affects Lync Server 2010, Lync Server 2013 and Skype for Business Server 2015 and here is a list of the .Net Framework KBs:

  • Windows Server 2008 R2

Description of the Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7 and Windows Server 2008 R2: May 9, 2017 (KB4014504)
Note: Lync Server 2010 only

Description of the Security Only update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017 (KB4014579)
Note: Lync Server 2010 only

Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, and Windows Server 2008 Service Pack 2: May 9, 2017 (KB4014514)

Description of the Security Only update for the .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2: May 9, 2017 (KB4014599)

  • Windows Server 2012

Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows Server 2012: May 9, 2017 (KB4014513)

Description of the Security Only update for the .NET Framework 4.5.2 for Windows Server 2012: May 9, 2017 (KB4014597)

  • Windows Server 2012 R2

Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: May 9, 2017 (KB4014512)

Description of the Security Only update for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: May 9, 2017 (KB4014595)

  • Windows Server 2016

Windows 10 Version 1607 and Windows Server 2016: May 9, 2017—KB4019472 (OS Build 14393.1198)

This .NET Framework update adds an additional check to the certificate on Enhanced Key Usage (EKU), since all Lync/SfB Server by default use Web Server template, they will only have the Server Authentication in the EKU.

event41026-04

As mentioned in the KB4023993 we can use two workarounds:

Workaround #1 – Request new Edge Internal and Front End Pool Certificate with Client and Server Authentication

This workaround requires that we request a new certificate on the Edge Server Internal Interface and in all Front End Servers.

Open the Certification Authority snap-in, right click on Certificate Templates, and then select Manage:

event41026-07

Now in the Certificate Templates Console window, locate the Web Server template, right-click it, and then select Duplicate Template:

event41026-08

In the New Template window select General and add a name:

event41026-09

Note: Please take note of Template Name – WebServerClientandServer. We need to use it to request the new certificate.

In the Extensions Tab , select Application Policies and Edit it:

event41026-10

Add the Client Authentication:

event41026-11

event41026-12

event41026-13

Both Authentication should be present:

event41026-14

Back in Certification Authority snap-in, right click on Certificate Templates > New > Certificate Template to Issue:

event41026-20

Select the new template:

event41026-21

Now that we have the template with Client and Server Authentication, we need to request a new Edge Server Internal Certificate with the recently created template.

Request-CsCertificate -New -Type Internal -Template WebServerClientandServer -FriendlyName “Edge Internal with Client and Server Auth” -Output C:\UCLobby\EdgeIntCliSrv.req

event41026-15

Note: We can also use the -PrivateKeyExportable $true switch to allow the private key to be exported.

In the Active Directory Certificate Services select Request a certificate:

event41026-16

Example: http://ca.gears.lab/certsrv/

Advanced certificate request:

event41026-17

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

event41026-18

We need to select the new certificate template and submit:

event41026-19a

We download the new certificate and copy it to the Edge Server and import it:

event41026-22

On the Edge Server import and assign the new certificate:

Import-CsCertificate -Path C:\UCLobby\EdgeIntCliSrv.cer
https://technet.microsoft.com/en-us/library/gg398688.aspx

Note: If we specify the -PrivateKeyExportable $true in the Request-CsCertificate we also need to add it to the Import-csCertificate.

Set-CsCertificate -Type Internal -Thumbprint 335d17df1520a5e30beee96406ffa53e20805342
https://technet.microsoft.com/en-us/library/gg398518.aspx

event41026-23

Please also request new certificates for the Front End Servers with Client and Server Authentication.

After restarting the Lync/SfB Edge and Front End Services the issues should be fixed and external users should be able to use WhiteBoard, Polls, Q&A or present PowerPoint without issues.

Workaround #2 – Add a registry key to temporary disable the EKU check

On the all Lync/SfB Front Ends disable the check for the Web Conferencing Service.

Please note that these registry keys are for the default install locations. We can use the following script to assist adding the registry key in the correct location:

Lync/SfB Server: Disable EKU check for Web Conferencing Service
https://gallery.technet.microsoft.com/LyncSfB-Server-Disable-EKU-dab6cb88

Lync Server 2010

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs /v “C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DataMCUSvc.exe” /t REG_DWORD /d 0 /f

Note: Lync Server 2010 still uses the .NET 3.5 this is why we use v2.0.50727.

Lync Server 2013

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v “C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DataMCUSvc.exe” /t REG_DWORD /d 0 /f

Skype for Business Server 2015

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v “C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe” /t REG_DWORD /d 0 /f

After adding the registry key simply restart the Web Conferencing Service

PowerShell

Stop-CsWindowsService -InputObject RTCDATAMCU
Start-CsWindowsService -InputObject RTCDATAMCU

event41026-05

services.msc

event41026-06

Now the external users will be able to use WhiteBoard, Polls, Q&A or present PowerPoint without issues.