Windows Update December 2012–KB931125 Causes issues with Lync replication

We have had customers experience a problem with replication between the Lync Front End servers (FEs) and the Edge servers. You can check replication status by running this cmdlet in the Lync Server Management Shell:

Get-CsManagementStoreReplicationStatus

We discovered that an MSFT patch issued in December was the culprit (Root Certificates Optional Windows Update December 2012 – KB931125). It looks like the patch added over 300 Trusted Root CAs to the Trusted Root list. Anything over 120 roots apparently stops the replication service from succeeding: Schannel truncates the trusted issuer list it sends during the TLS handshake, and certificate validation between the servers then fails.

Resolution:

Option 1:  Edit the registry on the Edge server to add a DWORD value, SendTrustedIssuerList, to the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

key and assign it a value of 0.  This stops schannel.dll from sending (and truncating) the Root CA list from the Edge server, and allows the validation tests to pass.

Option 2:  Open the Trusted Root CA store on the Edge server.  If there are more than 120 certificates, delete unnecessary certificates until there are fewer than 120 certs in each of the trusted CA stores.

http://social.technet.microsoft.com/Forums/en-AU/ocsedge/thread/1cd3be72-1f65-48ae-aa8c-498f79917492
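As an added example (not from the original post), the following PowerShell script checks the Edge server's machine Trusted Root store against the 120-certificate threshold described above, reports the current SendTrustedIssuerList setting, and applies the Option 1 workaround only when run with -Apply. The -Apply and -Threshold parameter names are assumptions; run it in an elevated PowerShell session on the Edge server.

```powershell
# Added example, not the post author's script. Report-only unless -Apply is given.
param(
    [switch]$Apply,        # assumed switch: write SendTrustedIssuerList = 0
    [int]$Threshold = 120  # threshold the post describes for Schannel truncation
)

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName   = 'SendTrustedIssuerList'

# 1. Count certificates in the machine Trusted Root CA store (the store KB931125 grew).
$rootCount = @(Get-ChildItem -Path Cert:\LocalMachine\Root).Count
Write-Host "Trusted Root CA certificates in LocalMachine\Root: $rootCount"
if ($rootCount -gt $Threshold) {
    Write-Warning "More than $Threshold roots; Schannel may truncate the issuer list it sends (Option 2 would prune this store)."
} else {
    Write-Host "Store is within the $Threshold-certificate threshold."
}

# 2. Show the current SendTrustedIssuerList value; absent means the Schannel default (list is sent).
$current = (Get-ItemProperty -Path $schannelKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set (Schannel default)."
} else {
    Write-Host "$valueName is currently $current."
}

# 3. Option 1 workaround: create/overwrite the DWORD with value 0, then a restart is needed.
if ($Apply -and $current -ne 0) {
    New-ItemProperty -Path $schannelKey -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Host "Set $valueName to 0. Restart the Edge server for the change to take effect."
}
```

After the restart, re-run Get-CsManagementStoreReplicationStatus on a Front End server to confirm the Edge replica reports UpToDate.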

Once we added the registry key and restarted, replication began to work again.
