Oranda Router service fails to initialize with invalid certificate


Article ID: 51599 - Last Review: July 11th, 2012


PROBLEM

In Lync 5.10, the Oranda Router service does not initialize successfully on service startup.  It reports that the certificate issued to the server is from an Invalid Provider and keeps repeating the error.


SYMPTOMS

The OrandaRouter log shows the following error repeatedly:

eError    7/9/2012 7:44:15 PM      RouterInitialization =>   An error occurred trying to get a valid certificate: Invalid provider type specified.


CAUSE

The server contains a certificate whose provider is not the ‘Microsoft RSA SChannel Cryptographic Provider’.  In this example, it was the ‘Microsoft Software Key Storage Provider’, which the router cannot validate.  The router picks the first certificate that matches a very basic criterion: the subject contains the name of the local host.  Once it has hit that first certificate, it does not move on to the next one.


RESOLUTION

At a command prompt, run the following command:  ‘certutil -store my’

This lists every certificate in the store along with its relevant information, including the Provider.  The certificate in position ‘Certificate 0’ should have a valid provider, ‘Microsoft RSA SChannel Cryptographic Provider’. Here is an example of the output:

Invalid Provider:

================ Certificate 0 ================
Serial Number: 29db6db1000000000c16
Issuer: CN=pF-CA-CA, DC=pFyre, DC=com
 NotBefore: 7/10/2012 1:41 AM
 NotAfter: 7/10/2013 1:41 AM
Subject: EMPTY (DNS Name=PF-OTT-LNC-CC1.prairiefyre.com)
Non-root Certificate
Template: 8021xWorkstationAuthentication, 8021x Workstation Authentication
Cert Hash(sha1): 19 2a 89 c7 23 e0 2b fb c9 e4 75 02 9c 0c e2 4c bf 07 07 27
  Key Container = le-8021xWorkstationAuthentication-007e8036-231d-439c-9c22-3021baa26f4d
  Unique container name: 66c7256fb4108ce44814944b1f43ee40_1ec258bc-839b-45d7-8c46-302b2cdab8da
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.


Valid Provider:

================ Certificate 0 ================
Serial Number: 28961184000000000c15
Issuer: CN=pF-CA-CA, DC=pFyre, DC=com
 NotBefore: 7/9/2012 7:45 PM
 NotAfter: 7/9/2013 7:45 PM
Subject: CN= PF-OTT-LNC-CC1.prairiefyre.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d2 28 03 15 64 46 97 3d 31 71 e9 a0 ce ff 28 d2 6a fc ff 41
  Key Container = aedfb606ac31b338fa71902905eb86c5_1ec258bc-839b-45d7-8c46-302b2cdab8da
  Simple container name: le-Machine-a11f7a28-4143-40e0-bdee-78c43236d35f
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed

So when the router hits the invalid certificate, it fails and refuses to start.  Assuming that this certificate is not required for the pF server, it can be deleted.  In this case it is the ‘8021x Workstation Authentication’ certificate, which is of no use to this server because it does not use a wireless connection.

Once the invalid certificate is deleted (using the MMC snap-in), a restart of the prairieFyre Enterprise Router Service may be required.
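
The check described above can be scripted. The following is an added example, not prairieFyre code: it parses ‘certutil -store my’ output, applies the selection rule from the CAUSE section, and lists every host-matching certificate with a different provider. The sample dump is constructed from the two listings in this article, and matching on certutil's Subject line is an assumption about how the router compares names.

```python
import re

EXPECTED_PROVIDER = "Microsoft RSA SChannel Cryptographic Provider"

# Constructed sample: the two listings from this article merged into one
# `certutil -store my` dump and trimmed to the fields the check reads.
SAMPLE = """\
================ Certificate 0 ================
Serial Number: 29db6db1000000000c16
Subject: EMPTY (DNS Name=PF-OTT-LNC-CC1.prairiefyre.com)
Template: 8021xWorkstationAuthentication, 8021x Workstation Authentication
  Provider = Microsoft Software Key Storage Provider
================ Certificate 1 ================
Serial Number: 28961184000000000c15
Subject: CN= PF-OTT-LNC-CC1.prairiefyre.com
Template: Machine, Computer
  Provider = Microsoft RSA SChannel Cryptographic Provider
CertUtil: -store command completed successfully.
"""

def parse_store(text):
    """Split certutil -store output into one dict of fields per certificate."""
    certs = []
    for line in text.splitlines():
        header = re.match(r"=+ Certificate (\d+) =+", line)
        if header:
            certs.append({"index": int(header.group(1))})
            continue
        field = re.match(r"\s*([^:=]+?)\s*[:=]\s*(.*)", line)
        if certs and field and not line.startswith("CertUtil:"):
            certs[-1].setdefault(field.group(1), field.group(2).strip())
    return certs

def audit(text, hostname):
    """Return (certificate picked first, host-matching certs with another provider).

    Assumption: matching the host name against certutil's Subject line stands in
    for the router's "first certificate whose subject contains the host name" rule.
    """
    matching = [c for c in parse_store(text)
                if hostname.lower() in c.get("Subject", "").lower()]
    picked = matching[0] if matching else None
    blocking = [c for c in matching if c.get("Provider") != EXPECTED_PROVIDER]
    return picked, blocking

if __name__ == "__main__":
    picked, blocking = audit(SAMPLE, "PF-OTT-LNC-CC1")
    print("Picked first: Certificate %d (%s)" % (picked["index"], picked["Provider"]))
    for c in blocking:
        print("Wrong provider: Certificate %d, serial %s" % (c["index"], c["Serial Number"]))
```

On a live server, pass the saved output of ‘certutil -store my’ and the local host name to audit() in place of the sample.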

 

Keywords:  certificate Invalid provider type specified Lync 5.10 RouterInitialization


Details
Last Modified: Wednesday, July 11, 2012
Last Modified By: amontpetit
Type: FIX