LS Data MCU events 41024, 41025 and 41026 are constantly generated after you install the May 2017 .NET Framework update

Applies to: Skype for Business Server 2015Lync Server 2013Lync Server 2010 Standard Edition More

Symptoms


Consider the following scenario:

  • You deploy Microsoft Lync Server 2010, Microsoft Lync Server 2013, or Microsoft Skype for Business Server 2015.

  • The Microsoft .NET Framework 4.5.2 or a later version is installed (Lync Server 2013 or Skype for Business Server 2015).

  • You install the May 2017 .NET Framework Security and Quality Rollup.

In this scenario, you experience the following symptoms:

  • Web Applications users cannot use some features such as PowerPoint presentations, Q&A sites, and whiteboard sharing.
  • Shared Object Messaging (PSOM) protocol connectivity with Microsoft Edge fails.
  • External users cannot use such features as PowerPoint presentations, Q&A pages, or Whiteboard sharing. 
  • The Lync Server 2010, Lync Server 2013, or Skype for Business Server 2015 Front End server generates the following LS Data MCU event 41026 error.

    Note The Front End server alternatingly generates this event and event 41025. Event 41025 states that connectivity has succeeded.

    Log Name: Lync Server
    Source: LS Data MCU
    Date: Date/Time
    Event ID: 41024
    Task Category: (1018)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: FrontEnd-computer-FQDN
    Description:
    No connectivity with one of the Web Conferencing Edge Servers.
    Edge Server Machine FQDN: Edge-computer-FQDN, Port:XXXX
    If the problem persists this event will be logged again after 20 minutes
    Cause: Service may be unavailable or Network connectivity may have been compromised.

    Log Name: Lync Server
    Source: LS Data MCU
    Date: Date/Time
    Event ID: 41025
    Task Category: (1018)
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: FrontEnd-computer-FQDN
    Description:
    Connection to the Web Conferencing Edge Server has succeeded
    Edge Server Machine FQDN: Edge-computer-FQDN, Port:XXXX

    Log Name:      Lync Server
    Source:        LS Data MCU
    Date:          date time
    Event ID:      41026
    Task Category: (1018)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      frontend1.contoso.com
    Description:
    No connectivity with any of Web Conferencing Edge Servers. External Lync clients cannot use Web Conferencing modality.
    Cause: Service may be unavailable or Network connectivity may have been compromised.
    Resolution:
    Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.

Workarounds


To work around this issue, use one of the following methods to mitigate the errors.

Workaround 1

Request a new Edge internal certificate for all Edge pools that are deployed and that contains the Client Authentication EKU. To do this, follow these steps:

Note You also have to request a new Front End default certificate that includes the Client Authentication EKU.

  • Create a Certificate Template that includes Client Authentication and Server Authentication as an Enhanced Key Usage. (Membership in Domain Administrators or equivalent is the minimum requirerement to complete this procedure.) To do this, follow these steps:

    1. Open the Certification Authority snap-in.

    2. Browse to the Certificate Templates folder.

    3. Right-click the Certificate Templates folder, and then select Manage.

    4. In the Certificate Templates Console window, locate the Web Server template, right-click it, and then select Duplicate Template.

    5. In the Properties of the New Template window, select the General tab, and name the template appropriately. Note the Template name that's created.

    6. Select the Extensions tab, and then click Edit.

    7. In the Edit Application Policies Extension window, click Add.

    8. In the Add Application Policy window, select Client Authentication, and then click OK.

    9. In the Edit Application Policies Extension window, you should now see both Client Authentication and Server Authentication in the Application policies section. Click OK.

    10. In the Properties dialog box of the New Template window, click OK.

    11. Verify that the newly created template is shown in the Certificate Templates Console window. Close the Certificate Templates Console window.

    12. In the Certification Authority main window, browse to Certificate Templates.

    13. Right-click the Certificate Templates folder, and then select New, Certificate Template to Issue.

    14. In the Enable Certificate Templates window, select the newly created template from step 5, and then click OK.

    15. Verify that the new template is displayed under Certificate Templates.

  • Request a certificate by using the Deployment Wizard on the Edge Server

    1. Open the Skype for Business (Lync) Server Deployment Wizard.

    2. Select Install or Update Skype for Business (Lync) Server System.

    3. Select the Run Again option on the Step 3: Request, Install or Assign Certificates page.

    4. In the Certificate Wizard window, select Edge Internal, and then click Request.

    5. Click Next on Request a certificate for the Edge internal (Edge internal) Skype for Business Server usages page.

    6. In the Delayed or Immediate Requests window, select the appropriate option.

    7. Follow the instructions on the next page to specify either the Certificate Authority or the Certificate Request File, and then click Next.

    8. On the Specify Alternate Certificate Template page, select the Use alternate certificate template for the selected certification authority check box.

    9. In the Certificate template name field, type the template name that you noted in the previous section in step 5, and then click Next.

    10. On the Name and Security Settings page, select settings as required, and then click Next.

    11. On the Organization Information page, input settings as required.

    12. On the Geographical Information page, input settings as required.

    13. On the Subject Name / Subject Alternative Names page, select Next.

    14. On the Configure Additional Subject Alternative Names page, add any additional required SANs, and then click Next.

    15. On the Certificate Request Summary page, review the request entries, and then click Next.

    16. After the request is generated, click Next, and then click Finish.

    17. Follow your organization’s usual procedure to process the request from the Certificate Authority. Make sure that you use the newly created template.

    18. Import and assign the request to the Skype for Business Edge internal usage.

    19. Verify that the certificate has the appropriate EKUs. To do this, open the certificate, select the Details tab, and then scroll down to and select the Enhanced Key Usage check box. You should see Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

Workaround 2

Add a registry entry to exclude the DataMCU process from the new certificate validation process that occurs after you install the .NET Framework update.

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To work around the conferencing modality connection issues in Lync Server 2010, Lync Server 2013, and Skype for Business 2015, you must add an application exception for the Web Conferencing Service (DATAMCUSVC.exe).

To do this, use the following examples to set the exceptions in your environment.

For Skype for Business Server 2015

  1. Determine and record the path of DATAMCUSVC.exe on the server.

    By default, the installation path is as follows:
     
    C:\Program Files\Skype for Business Server 2015\Web Conferencing
    You can also obtain this information through the Services tool by reviewing the properties of the Skype for Business Server Web Conferencing service. To do this, follow these steps:
  2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
  3. Locate the following registry subkey:  
    HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs

    Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
  4. Create the following DWORD name and value:
    DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
    DWORD Value: 0
    Important Do not include quotation marks in the DWORD name. The new DWORD name and value should resemble the following:
    DWORD Name: C:\Program Files\Skype for Business Server 2015\Web Conferencing\DATAMCUSVC.exe
    DWORD Value: 0
  5. Restart the Skype for Business Server Web Conferencing service (RTCDATAMCU).

For Lync Server 2013

  1. Determine and record the path of DATAMCUSVC.exe on the server.

    By default, the installation path is as follows:
    C:\Program Files\Microsoft Lync Server 2013\Web Conferencing
    You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing service.
  2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
  3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
    Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
  4. Create the following DWORD name and value:
    DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe DWORD Value: 0
    Important Do not include quotation marks in the DWORD name.

    The new DWORD name and value should resemble the following:

    DWORD Name: C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DATAMCUSVC.exe
    DWORD Value: 0

  5. Restart the Lync Server Web Conferencing Service (RTCDATAMCU).

For Lync Server 2010

  1. Determine and record the path of DATAMCUSVC.exe on the server.

    Note By default, the installation path is as follows:  
    C:\Program Files\Microsoft Lync Server 2010\Web Conferencing
    You can also obtain this information through the Services tool by reviewing the properties of the Lync Server Web Conferencing Service.
  2. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click Ok.
  3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs
    Note If you are proactively deploying the update in advance of applying the .NET Framework security update, you must create one or more keys manually because they do not yet exist.
  4. Create the following DWORD names and values:
    DWORD Name: Path_obtained_in_Step_1\DATAMCUSVC.exe
    DWORD Value: 0
    Important Do not include quotation marks in the DWORD name. The w3wp.exe path is case sensitive and should be all in lowercase.
     
    The new DWORD name and value should resemble the following:
    DWORD Name: C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DATAMCUSVC.exe
    DWORD Value: 0
  5. Restart the Lync Server Web Conferencing service (RTCDATAMCU).

Status


Microsoft is currently investigating this issue and will update this article in the future.