Troubleshooting Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”

So you recently deployed Lync Server 2013 and also deployed the Office Web Apps Server 2013 (also known as WAC), which facilitates PowerPoint sharing. The users are happy because they can now share PowerPoint decks with animations and videos in Lync 2013.

The next day, one user reported that he was unable to share or view a PowerPoint presentation, receiving the following error message:

“There was a problem verifying the certificate from the server. Please contact your support team.”

This user is on a non-domain-joined (workgroup) machine, and he has evidently already imported the internal Root CA certificate, since he is able to sign in to Lync Server 2013 and start a conference.

A suggestion from a Beta Support engineer was to disable “Check for server certificate revocation” in Internet Explorer, which conveniently resolves the problem.

Whilst this workaround is deemed sufficient in this scenario, since it affects only one user, in an environment with many non-domain-joined (workgroup) machines it is not acceptable: it switches off revocation checking for every HTTPS site the browser visits, not just the WAC server.

Upon further investigation, it was found that validating the WAC server certificate with certutil -urlfetch -verify WAC.cer from the non-domain-joined (workgroup) machine gives the following result:

The certificate verification result shows that the certificate contains only an LDAP target in its AIA and CDP extensions, and verification fails because a non-domain-joined (workgroup) machine cannot reach the LDAP target.

Digging deeper into this problem, it turns out that the Root CA used within the organisation is an Enterprise Root CA (AD-integrated), and by default its AIA and CDP extensions are set to the LDAP target only. An HTTP target is defined, but it is not enabled:

To give non-domain-joined (workgroup) machines an alternative target for performing the CRL check properly, the HTTP target must be enabled for the AIA and CDP extensions. This is done by enabling the options highlighted in the screenshots above (the “Include in the AIA extension of issued certificates” and “Include in the CDP extension of issued certificates” checkboxes for the HTTP locations). Note that by default the HTTP target depends on the “Certificate Authority Web Enrollment” role service being installed, as it points to a virtual directory that is created when Certificate Authority Web Enrollment is installed.

After making the changes on the Active Directory Certificate Services (ADCS) side, republish the CRL by running certutil -crl on the ADCS server. Then the WAC server certificate must be re-issued (request a new certificate for the WAC server), since certificates issued before the change still carry the LDAP-only extensions.
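The CA-side change described above (enabling the HTTP CDP and AIA targets, then republishing the CRL), as an added PowerShell example that is not from the original post. It edits the CA's CRLPublicationURLs and CACertPublicationURLs registry values directly, which is what the Extensions tab does; run it elevated on the CA, and it assumes an http:// location is already defined there, as in the post.

```powershell
# Added example (not from the original post). Each "flags:url" entry carries a bit
# field; bit 2 means "Include in the CDP/AIA extension of issued certificates".
# Bit 4 on a CDP entry would additionally let clients find delta CRL locations there.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName
$IncludeInExtension = 2

function Enable-HttpTarget {
    param([string]$ValueName)   # CRLPublicationURLs (CDP) or CACertPublicationURLs (AIA)
    $entries = (Get-ItemProperty -Path $caKey -Name $ValueName).$ValueName
    if (-not ($entries -like '*:http://*')) {
        Write-Warning "$ValueName has no http:// location defined; add one in the Extensions tab first."
    }
    $updated = foreach ($entry in $entries) {
        $flags, $url = $entry -split ':', 2
        if ($url -like 'http://*' -and -not ([int]$flags -band $IncludeInExtension)) {
            Write-Host "$ValueName : enabling $url"
            "$([int]$flags -bor $IncludeInExtension):$url"   # re-flag, keep the URL as-is
        } else {
            $entry                                          # leave LDAP/file entries untouched
        }
    }
    Set-ItemProperty -Path $caKey -Name $ValueName -Value ([string[]]$updated) -Type MultiString
}

Enable-HttpTarget -ValueName 'CRLPublicationURLs'     # CDP extension
Enable-HttpTarget -ValueName 'CACertPublicationURLs'  # AIA extension

# New extension settings apply only after a service restart; then publish a fresh CRL
# so the http:// CDP location (served by the CertEnroll virtual directory that the
# Certification Authority Web Enrollment role creates) has a current file to serve.
Restart-Service -Name CertSvc
certutil -crl

# Certificates issued before this change still carry LDAP-only extensions, so the
# WAC server certificate must be requested again afterwards, as the post describes.
```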

Validate the new WAC certificate from the non-domain-joined (workgroup) machine; the result will look like the following:

Once verified, install the new certificate on the WAC server and reconfigure the server to use it; PowerPoint sharing will then work without requiring changes to the Internet Explorer security setting.
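The certutil check used both for the initial diagnosis and for this re-validation, as an added PowerShell example that is not from the original post: it runs certutil -urlfetch -verify and turns the output into one row per AIA/CDP location, so it is obvious which fetch paths the workgroup machine can actually reach. The certificate path .\WAC.cer is a constructed placeholder.

```powershell
# Added example (not code from the original post). certutil prints a status line
# ("Verified ..." / "Failed ...") per location, optionally an "Error retrieving URL:"
# line, and then the URL itself (with an "[n.m]" index prefix when it succeeded).
function Test-CertRevocationPaths {
    param([string]$CertPath = '.\WAC.cer')   # constructed placeholder path

    $lines   = certutil -urlfetch -verify $CertPath 2>&1 | ForEach-Object { "$_" }
    $results = New-Object System.Collections.Generic.List[object]
    $current = $null

    foreach ($line in $lines) {
        if ($line -match '^\s*(Verified|Failed)\s+"([^"]+)"') {
            $current = @{ Status = $Matches[1]; Object = $Matches[2]; Error = '' }
        }
        elseif ($current -and $line -match '^\s*Error retrieving URL:\s*(.+)$') {
            $current.Error = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*(?:\[\d+\.\d+\]\s+)?((?:ldap|https?|file):/\S+)$') {
            $url = $Matches[1]
            $results.Add([pscustomobject]@{
                Status = $current.Status
                Scheme = ($url -split ':', 2)[0].ToLower()
                Object = $current.Object     # e.g. "Certificate (0)", "Base CRL (05)", "CDP"
                Url    = $url
                Error  = $current.Error
            })
            $current = $null
        }
    }
    return $results
}

$rows = Test-CertRevocationPaths -CertPath '.\WAC.cer'
$rows | Format-Table Status, Scheme, Object, Error -AutoSize

# On a workgroup machine the ldap:/// rows are expected to be Failed; what matters is
# that at least one http:// CDP row and one http:// AIA row is Verified. If there are
# no http:// rows at all, the CA is still issuing LDAP-only extensions (the post's case).
$httpVerified = $rows | Where-Object { $_.Scheme -eq 'http' -and $_.Status -eq 'Verified' }
if (-not $httpVerified) {
    Write-Warning 'No reachable HTTP CDP/AIA location: revocation checking will fail off-domain.'
}
```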

Comments

  • Anonymous
    January 01, 2003
    Thanks for the post. It's a much better solution than just changing the IE security settings. Just to add on, in my lab I found that even after enabling HTTP for the CDP and AIA extensions on the CA server and re-issuing a new certificate to the WebApps server, the old farm seems to have been deleted. Running Get-OfficeWebAppsFarm returned a "No Web Farm found" error message. To fix this, I had to re-create the farm using the New-OfficeWebAppsFarm cmdlet and specify the new cert in the parameters. After that I could start sharing PowerPoint content in Lync 2013. I think these steps should be documented in the Office WebApps Farm deployment guide or, alternatively, be fixed in the next CU for the Lync 2013 client.

  • Anonymous
    January 07, 2013
    I have this certificate error for non-domain and domain computers. I re-created the certificate as per the following site: www.ucprimer.com/deploying-lync2013-web-apps-server.html. Then domain-joined computers started to work perfectly, but not non-domain computers. As per this site, I disabled “Check for server certificate revocation” in IE, and then the non-domain computers worked.

  • Anonymous
    October 08, 2013
    What about non-domain joined machines that are outside your organization (e.g. home office users, partner networks, etc)? Should this CDP/AIA point be available from the Internet for these clients? i.e. published via something like TMG?

  • Anonymous
    October 10, 2013
    John, outside of the organisation the internal cert is not used, but one from a public CA residing on the reverse proxy. Their CRL is reachable from the internet = no problem!

  • Anonymous
    February 10, 2014
    Do I need manual certificate CRL verification (certutil.exe -URLFetch -Verify MyOwasCert.crt) on each non-domain PC to get PowerPoint presentations working inside my organization?

  • Anonymous
    April 04, 2014
    Hi folks, a SmartRoom integration into a customer's Lync 2013 environment gave us some headaches. When presenting a PowerPoint in a Smart Meeting, the following error always appeared: “There was a problem verifying the certificate from

  • Anonymous
    October 06, 2014
    Tnxxxxxxxxxxxxxx

  • Anonymous
    November 06, 2014
    Mine won't connect at all; it is just saying "cannot connect with server, try again later", and obviously the internet is working or I wouldn't be able to post this comment, but it won't work AT ALL and at this point it is very frustrating!

  • Anonymous
    May 29, 2015
    It works for me. Thanks!

  • Anonymous
    July 31, 2015
    Pingback from Skype for Business Server 2015 Deployment – Part 2 : Jeff Schertz's Blog