Environment:
In the environment we have deployed the following servers:
Skype for Business Server 2015 Front-End Enterprise Pool
Skype for Business Server 2015 Edge Enterprise Pool
Operating System: Server 2012 R2
Issue:
We have opened all the necessary ports from the FE servers to the Edge servers, and we can telnet from the FE pool servers to the Edge servers on TCP port 4443. When we check the event logs on the FE server we see the errors below:
Front End Server:
Skype for Business Server 2015, File Transfer Agent cannot send replication data to Replica Replicator on Edge
Skype for Business Server 2015, File Transfer Agent cannot get replication status from Replica Replicator Agent on Edge
Edge machine: Edge01.domain.ca
Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Rtc.Xds.Replication.Common.IReplicationWebService.DownloadFiles(String senderFqdn, String sourceDirPath, String tempDirPath)
at Microsoft.Rtc.Xds.Replication.FileTransfer.FileTransferTask.CopyFilesFromReplicaUsingWcf(String fromDir, String tmpDir, String toDir)
Cause: Service may be unavailable or Network connectivity may have been compromised.
Resolution:
Verify that Replica Replicator Agent service is running on the Edge machine, network connectivity is available and TLS is configured correctly. For details, see http://support.microsoft.com/kb/2464556
Edge Server
Resolution:
I tried adding the SendTrustedIssuerList REG_DWORD registry key (value 0) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, but that did not fix the issue.
I checked the local computer certificate store on the Edge server and found that there were intermediate certificates in the Trusted Root Certification Authorities store. I ensured that the intermediate certificates were in the Intermediate Certification Authorities store, then deleted them from the Trusted Root Certification Authorities store, and then stopped and started the services on the Edge server:
- Stop-CSWindowsService
- Start-CSWindowsService
Then I checked the event logs on the FE pool, and it started to replicate the data over to the Edge server.
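The check described above can be scripted so it is repeatable after every certificate renewal. The following PowerShell is an added example, not part of the original post: it lists every certificate in the Edge server's Trusted Root Certification Authorities store that is not self-issued (a genuine root has Subject equal to Issuer, so anything else in that store is an intermediate or leaf certificate that belongs in the Intermediate Certification Authorities store) and, when run with -Fix, moves those certificates using the .NET X509Store API. It assumes Windows PowerShell 3.0 or later running elevated on the Edge server; the Subject-not-equal-Issuer rule is a heuristic, so review the report before applying -Fix.

```powershell
# Added example (not from the original post): audit the Edge server's
# Trusted Root store for intermediate CA certificates and, on request,
# move them to the Intermediate CA store. Assumes an elevated Windows
# PowerShell 3.0+ session on the Edge server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Move the offending certificates instead of only reporting them.
    [switch]$Fix
)

function Get-MisplacedIntermediateCert {
    # A trusted root is self-issued (Subject equals Issuer). Any certificate
    # in LocalMachine\Root whose Issuer differs from its Subject is not a
    # root and belongs in LocalMachine\CA instead.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer }
}

function Move-CertToIntermediateStore {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $ca    = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    try {
        $ca.Open($flags)
        $root.Open($flags)
        # Add to the CA store first, then remove from Root, so a failure part
        # way through never leaves the certificate in neither store.
        $ca.Add($Certificate)
        $root.Remove($Certificate)
    }
    finally {
        $root.Close()
        $ca.Close()
    }
}

$misplaced = @(Get-MisplacedIntermediateCert)
if ($misplaced.Count -eq 0) {
    Write-Output 'No intermediate certificates found in Trusted Root Certification Authorities.'
    return
}

Write-Warning ("{0} non-root certificate(s) found in Trusted Root Certification Authorities:" -f $misplaced.Count)
$misplaced | Format-Table -AutoSize Thumbprint, Subject, Issuer, NotAfter

if ($Fix) {
    foreach ($cert in $misplaced) {
        # ShouldProcess honours -WhatIf / -Confirm so the move can be rehearsed.
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Move from Trusted Root to Intermediate CA store')) {
            Move-CertToIntermediateStore -Certificate $cert
        }
    }
}
```

Run it once without -Fix to see the report, then with `-Fix -WhatIf` to rehearse, and finally with -Fix. As in the post, restart the Edge services afterwards with Stop-CsWindowsService and Start-CsWindowsService so Schannel rebuilds its certificate chains, and confirm on the FE pool that the File Transfer Agent events clear.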
Yes!! Thank you so much for solving my headache!
Had the same issue after replacing the Edge public certs: the Front End was unable to talk to the Edge. Had to re-check the Edge, and one intermediate cert in the new cert chain was sitting in the Trusted Root folder. Once it was moved out to the Intermediate folder and the services were restarted, all good. Thanks for that.