Symptoms
Consider the following scenario:
- You deploy Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Microsoft Skype for Business Server 2015.
- The Microsoft .NET Framework 4.5.2 or a later version is installed (Lync Server 2013 or Skype for Business Server 2015).
- You install the May 2017 .NET Framework Security and Quality Rollup.
In this scenario, you experience the following symptoms:
- Web Applications users cannot use some features such as PowerPoint presentations, Q&A sites, and whiteboard sharing.
- Shared Object Messaging (PSOM) protocol connectivity with Microsoft Edge fails.
- External users cannot use such features as PowerPoint presentations, Q&A pages, or Whiteboard sharing.
- The Lync Server 2010, Lync Server 2013, or Skype for Business Server 2015 Front End server generates the following LS Data MCU event 41026 error.
  Note: The Front End server alternately generates this event and event 41025. Event 41025 states that connectivity has succeeded.

Log Name: Lync Server
Source: LS Data MCU
Date: Date/Time
Event ID: 41024
Task Category: (1018)
Level: Error
Keywords: Classic
User: N/A
Computer: FrontEnd-computer-FQDN
Description: No connectivity with one of the Web Conferencing Edge Servers. Edge Server Machine FQDN: Edge-computer-FQDN, Port:XXXX If the problem persists this event will be logged again after 20 minutes
Cause: Service may be unavailable or Network connectivity may have been compromised.

Log Name: Lync Server
Source: LS Data MCU
Date: Date/Time
Event ID: 41025
Task Category: (1018)
Level: Information
Keywords: Classic
User: N/A
Computer: FrontEnd-computer-FQDN
Description: Connection to the Web Conferencing Edge Server has succeeded Edge Server Machine FQDN: Edge-computer-FQDN, Port:XXXX

Log Name: Lync Server
Source: LS Data MCU
Date: date time
Event ID: 41026
Task Category: (1018)
Level: Error
Keywords: Classic
User: N/A
Computer: frontend1.contoso.com
Description: No connectivity with any of Web Conferencing Edge Servers. External Lync clients cannot use Web Conferencing modality.
Cause: Service may be unavailable or Network connectivity may have been compromised.
Resolution: Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.
Resolution
To fix this issue, install the December 2017 cumulative update 6.0.9319.510 for Skype for Business Server 2015, Web Conferencing Server.
Workarounds
To work around this issue, use one of the following methods to mitigate the errors.
Workaround 1
For all Edge pools that are deployed, request a new Edge internal certificate that contains the Client Authentication EKU.
Note: You also have to request a new Front End default certificate that includes the Client Authentication EKU.
To do this, follow these steps:
1. Create a Certificate Template that includes Client Authentication and Server Authentication as an Enhanced Key Usage. (Membership in Domain Administrators or equivalent is the minimum requirement to complete this procedure.) To do this, follow these steps:
   1. Open the Certification Authority snap-in.
   2. Browse to the Certificate Templates folder.
   3. Right-click the Certificate Templates folder, and then select Manage.
   4. In the Certificate Templates Console window, locate the Web Server template, right-click it, and then select Duplicate Template.
   5. In the Properties of the New Template window, select the General tab, and name the template appropriately. Note the Template name that's created.
   6. Select the Extensions tab, and then click Edit.
   7. In the Edit Application Policies Extension window, click Add.
   8. In the Add Application Policy window, select Client Authentication, and then click OK.
   9. In the Edit Application Policies Extension window, you should now see both Client Authentication and Server Authentication in the Application policies section. Click OK.
   10. In the Properties dialog box of the New Template window, click OK.
   11. Verify that the newly created template is shown in the Certificate Templates Console window. Close the Certificate Templates Console window.
   12. In the Certification Authority main window, browse to Certificate Templates.
   13. Right-click the Certificate Templates folder, and then select New, Certificate Template to Issue.
   14. In the Enable Certificate Templates window, select the newly created template from step 5, and then click OK.
   15. Verify that the new template is displayed under Certificate Templates.
2. Request a certificate by using the Deployment Wizard on the Edge Server
   1. Open the Skype for Business (Lync) Server Deployment Wizard.
   2. Select Install or Update Skype for Business (Lync) Server System.
   3. Select the Run Again option on the Step 3: Request, Install or Assign Certificates page.
   4. In the Certificate Wizard window, select Edge Internal, and then click Request.
   5. Click Next on Request a certificate for the Edge internal (Edge internal) Skype for Business Server usages page.
   6. In the Delayed or Immediate Requests window, select the appropriate option.
   7. Follow the instructions on the next page to specify either the Certificate Authority or the Certificate Request File, and then click Next.
   8. On the Specify Alternate Certificate Template page, select the Use alternate certificate template for the selected certification authority check box.
   9. In the Certificate template name field, type the template name that you noted in the previous section in step 5, and then click Next.
   10. On the Name and Security Settings page, select settings as required, and then click Next.
   11. On the Organization Information page, input settings as required.
   12. On the Geographical Information page, input settings as required.
   13. On the Subject Name / Subject Alternative Names page, select Next.
   14. On the Configure Additional Subject Alternative Names page, add any additional required SANs, and then click Next.
   15. On the Certificate Request Summary page, review the request entries, and then click Next.
   16. After the request is generated, click Next, and then click Finish.
   17. Follow your organization’s usual procedure to process the request from the Certificate Authority. Make sure that you use the newly created template.
   18. Import and assign the request to the Skype for Business Edge internal usage.
   19. Verify that the certificate has the appropriate EKUs. To do this, open the certificate, select the Details tab, and then scroll down to and select the Enhanced Key Usage check box. You should see Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
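The EKU verification in the last step can be scripted so that every candidate certificate on an Edge or Front End server is checked at once. The following is an added example, not part of the original article; the function name Test-RequiredEku is hypothetical, and it assumes Windows PowerShell 3.0 or later and that the certificates are in the local computer's Personal store.

```powershell
# Added example: report which certificates list both EKUs named in Workaround 1.
function Test-RequiredEku {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OIDs exactly as listed in the article.
    $required = [ordered]@{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # Collect the OIDs the certificate actually lists (none if the extension is absent).
    $present = @()
    if ($ekuExt) {
        $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    $missing = @($required.Keys | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        PresentEku = $present -join ', '
        MissingEku = ($missing | ForEach-Object { "$($required[$_]) ($_)" }) -join ', '
        HasBoth    = ($missing.Count -eq 0)
    }
}

# Check every certificate with a private key in the computer's Personal store.
# Certificates with HasBoth = False sort first so they stand out.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-RequiredEku -Certificate $_ } |
    Sort-Object -Property HasBoth |
    Format-Table -Property Subject, Thumbprint, NotAfter, HasBoth, MissingEku -AutoSize
```

Run it on each Edge Server and Front End server after the new certificates are assigned; the row for the Edge internal or Front End default certificate should show HasBoth as True.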
Workaround 2
Add a registry entry to exclude the DataMCU process from the new certificate validation process that occurs after you install the .NET Framework update.
Important: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
To work around the conferencing modality connection issues in Lync Server 2010, Lync Server 2013, and Skype for Business 2015, you must add an application exception for the Web Conferencing Service (DATAMCUSVC.exe).
To do this, use the following examples to set the exceptions in your environment.
For Skype for Business Server 2015
1. Determine and record the path of DATAMCUSVC.exe on the server.
   By default, the installation path is as follows:
   C:\Program Files\Skype for Business Server 2015\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Skype for Business Server Web Conferencing service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
4. Create the following DWORD name and value:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important: Do not include quotation marks in the DWORD name.
   The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Skype for Business Server 2015\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Skype for Business Server Web Conferencing service (RTCDATAMCU).
For Lync Server 2013
1. Determine and record the path of DATAMCUSVC.exe on the server.
   By default, the installation path is as follows:
   C:\Program Files\Microsoft Lync Server 2013\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
   Note: If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
4. Create the following DWORD name and value:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important: Do not include quotation marks in the DWORD name.
   The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Lync Server Web Conferencing Service (RTCDATAMCU).
For Lync Server 2010
1. Determine and record the path of DATAMCUSVC.exe on the server.
   Note: By default, the installation path is as follows:
   C:\Program Files\Microsoft Lync Server 2010\Web Conferencing
   You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing Service.
2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
3. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs
   Note: If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
4. Create the following DWORD names and values:
   DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
   DWORD Value: 0
   Important: Do not include quotation marks in the DWORD name. The w3wp.exe path is case sensitive and should be all in lowercase.
   The new DWORD name and value should resemble the following:
   DWORD Name: C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DATAMCUSVC.exe
   DWORD Value: 0
5. Restart the Lync Server Web Conferencing service (RTCDATAMCU).
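The registry steps above are the same for all three products apart from the .NET Framework key, so they can be applied with one script. This is an added example, not Microsoft's own script; the parameter names and the backup file location are assumptions, and it expects an elevated Windows PowerShell 3.0 or later session on the server that runs the Web Conferencing service.

```powershell
# Added example (not from the article): apply Workaround 2 from an elevated prompt.
param(
    # Per the article: v4.0.30319 for Skype for Business Server 2015 and
    # Lync Server 2013, v2.0.50727 for Lync Server 2010.
    [ValidateSet('v4.0.30319', 'v2.0.50727')]
    [string]$FrameworkVersion = 'v4.0.30319',
    # Assumed backup location; change it to suit your environment.
    [string]$BackupFile = "$env:TEMP\RequireCertificateEKUs-backup.reg"
)
$ErrorActionPreference = 'Stop'

# Step 1: read the executable path from the Web Conferencing service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RTCDATAMCU'"
if (-not $svc) { throw 'Service RTCDATAMCU was not found on this server.' }
if ($svc.PathName -match '^\s*"?(.+?\.exe)') {
    $installDir = Split-Path -Path $Matches[1] -Parent
} else {
    throw "Unexpected service path: $($svc.PathName)"
}
# Value name: install folder plus DATAMCUSVC.exe, without quotation marks.
$valueName = Join-Path -Path $installDir -ChildPath 'DATAMCUSVC.exe'

$keyPath = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\{0}\{1}' -f $FrameworkVersion,
    'System.Net.ServicePointManager.RequireCertificateEKUs'
if (Test-Path -Path $keyPath) {
    # Back up the existing key before changing it.
    & reg.exe export ($keyPath -replace '^HKLM:', 'HKLM') $BackupFile /y | Out-Null
} else {
    # The key is absent until the .NET Framework update has been installed.
    New-Item -Path $keyPath -Force | Out-Null
}

# DWORD 0 excludes only this executable from the certificate EKU validation.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force |
    Out-Null
Restart-Service -Name RTCDATAMCU

# Return what was written so the change can be recorded and later reverted.
[pscustomobject]@{
    Key   = $keyPath
    Name  = $valueName
    Value = (Get-ItemProperty -Path $keyPath).$valueName
}
```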
Status
Microsoft is currently investigating this issue and will update this article in the future.