If SCHANNEL is sending a truncated list of trusted root certificate authorities to the Lync client during the TLS/SSL handshake process, this can explain why your Lync clients are randomly signing in and out.
Here’s the chain of events on more detail:
- The UC server passes its certificate trust list (CTL) of installed certification authority information to the UC client that requests the secure TLS connection.
- The CTL is truncated as per the design limitations of the Windows Server Schannel component.
- The UC client that requested the secure TLS connection does not receive certification authority information that matches the entries that are contained in its installed certification authority list.
- The TLS connection attempt fails with the error that is described in the “Symptoms” section.
To check this look in your Lync FE servers system event log for the following warning:
—-
EVENT ID: 36885
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
—-
The easiest way to fix this is to configure SCHANNEL on the Lync FE’s not to send this list:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey – KEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL
- On the Edit menu, point to New, and then click DWORD Value.
- Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
- Right-click SendTrustedIssuerList, and then click Modify.
- In the Value data box, type 0 if that value is not already displayed, and then click OK.
- Exit Registry Editor.
You shouldn’t need to reboot the server for this to take effect.
For more information and other options on how to resolve this see Microsoft article –
http://support.microsoft.com/kb/2464556