Problem
You’ve noticed that the Skype for Business Server Access Edge service on your Skype for Business Server 2015 Edge server is stopped and the following error is thrown when you attempt to start it:
Windows could not start the Skype for Business Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.
Reviewing the event log displays the following errors:
Log Name: System
Source: Service Control Manager
Event ID: 7031
Level: Error
The Skype for Business Server Access Edge service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 180000 milliseconds: Restart the service.
Log Name: System
Source: Service Control Manager
Event ID: 7024
Level: Error
The Skype for Business Server Access Edge service terminated with service-specific error %%-2146762487.
Log Name: Lync Server
Source: LS Server
Event ID: 12303
Level: Error
The protocol stack reported a critical error: code 0x800B0109 (Configuration failure prevented the server from starting up). The service has to stop.
Log Name: Lync Server
Source: LS Server
Event ID: 12303
Level: Error
The protocol stack reported a critical error: code 0x800B0109 (CERT_E_UNTRUSTEDROOT). The service has to stop.
Log Name: Lync Server
Source: LS Protocol Stack
Event ID: 14623
Level: Error
A serious problem related to certificates is preventing Skype for Business Server from functioning.
Unable to use the certificate configured for the external edge of the Access Edge Server.
Error 0x800B0109(CERT_E_UNTRUSTEDROOT).
The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.
Cause: The Skype for Business Server failed to initialize with the configured certificate.
Resolution:
Review and correct the certificate configuration, then start the service again.
Log Name: Lync Server
Source: LS Protocol Stack
Event ID: 14397
Level: Error
A configured certificate could not be loaded from store. The serial number is attached for reference.
Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).
Clicking on the Details tab shows the following:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LS Protocol Stack" />
    <EventID Qualifiers="33769">14397</EventID>
    <Level>3</Level>
    <Task>1001</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-12-30T01:27:45.000000000Z" />
    <EventRecordID>154713</EventRecordID>
    <Channel>Lync Server</Channel>
    <Computer>svr-edge-01.ccs.int</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x800B0109(CERT_E_UNTRUSTEDROOT)</Data>
    <Binary>A6AC495DE63987EAE958F6506F58377D</Binary>
  </EventData>
</Event>
One of the first troubleshooting steps I attempted was from the following blog post:
The instructions provided by this blog post do not apply to your situation:
http://www.lyncexch.co.uk/lync-edge-january-2014-cu-update-issue/
However, using the following cmdlets to review the certificates’ serial numbers does not show a match for either:
- A6AC495DE63987EAE958F6506F58377D
- D77385F6056F859EAE78936ED594CA6A (reverse of the serial above)
Set-Location Cert:\LocalMachine\My
Get-ChildItem | FL
Get-ChildItem -Path 6224B3942798530F57A6F9BB560061BAF125DF1F | Format-List -Property *
**The serial for this certificate is 68000000BD4AC93CAEFE91A8BB0000000000BD
Get-ChildItem -Path 379944BB47EE3EE70E7ED9E5908041A5556F69CE | Format-List -Property *
**The serial for this certificate is 7D37586F50F658E9EA8739E65D49ACA6
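The event's <Binary> value and the store's SerialNumber property can hold the same serial in opposite byte order: reversing A6AC495DE63987EAE958F6506F58377D two hex digits at a time gives 7D37586F50F658E9EA8739E65D49ACA6, the serial listed above for certificate 379944BB47EE3EE70E7ED9E5908041A5556F69CE. The following PowerShell is an added example, not part of the original post, that checks both byte orders against the store; Convert-SerialByteOrder is a hypothetical helper name.

```powershell
# Added example. The serial is the <Binary> value of event 14397 on this page.
$eventSerial = 'A6AC495DE63987EAE958F6506F58377D'

# Hypothetical helper: reverse a hex string byte by byte (two digits at a time),
# not character by character.
function Convert-SerialByteOrder {
    param([Parameter(Mandatory)][string]$Hex)

    # Tolerate spaces, colons and dashes as copied from certificate dialogs.
    $clean = ($Hex -replace '[\s:-]', '').ToUpperInvariant()
    if ($clean -notmatch '^([0-9A-F]{2})+$') {
        throw "Not a whole number of hex bytes: '$Hex'"
    }

    [string[]]$bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) {
        $clean.Substring($i, 2)
    }
    [array]::Reverse($bytes)
    -join $bytes
}

# Compare both byte orders against every certificate in the computer's personal store.
$candidates = @(
    $eventSerial.ToUpperInvariant()
    Convert-SerialByteOrder -Hex $eventSerial
)

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $candidates -contains $_.SerialNumber } |
    Select-Object -Property Thumbprint, SerialNumber, Subject, NotAfter
```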
Solution
As I’ve come across a similar problem in the past, I sort of had a feeling that this had to do with a certificate that was missing from the intermediate or root store of the Edge server. To determine this, open the Certification Path of the certificate being used for the Edge interface:
Note that the issuing Certificate Authorities are:
- GeoTrust Global CA
- RapidSSL SHA256 CA
In this environment, the Root certificate GeoTrust Global CA was already in the Trusted Root Certification Authorities but the RapidSSL SHA256 CA was not in the Intermediate Certification Authorities:
I proceeded to obtain the issuing intermediate certificate via RapidSSL’s website:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548
I installed the certificate.
I was then able to successfully start the Skype for Business Server Access Edge service.
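One way to confirm the gap described above before installing anything is to build the chain with the machine context and check that every issuer sits in the local computer's Intermediate or Trusted Root store. This is an added example, not part of the original post; Test-EdgeCertificateChain is a hypothetical name, and the thumbprint is the second certificate listed earlier on this page (substitute the one assigned to your Access Edge external interface).

```powershell
# Added example: report, for each issuer in the chain, whether it is present in the
# local machine store where a service would look for it.
function Test-EdgeCertificateChain {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

    # $true = machine context, so certificates in the current user's stores
    # cannot mask a gap that the service account would hit.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
    [void]$chain.Build($cert)

    # Element 0 is the leaf; everything after it is an issuer.
    $elements = @($chain.ChainElements)
    for ($i = 1; $i -lt $elements.Count; $i++) {
        $issuer = $elements[$i].Certificate
        # Self-signed certificates belong in Root, all others in CA (Intermediate).
        $store = if ($issuer.Subject -eq $issuer.Issuer) { 'Root' } else { 'CA' }
        [pscustomobject]@{
            Subject       = $issuer.Subject
            ExpectedStore = "Cert:\LocalMachine\$store"
            Present       = Test-Path -Path "Cert:\LocalMachine\$store\$($issuer.Thumbprint)"
        }
    }

    # PartialChain means the engine could not locate the next issuer at all.
    $partialFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::PartialChain
    if ($chain.ChainStatus | Where-Object { $_.Status -band $partialFlag }) {
        [pscustomobject]@{
            Subject       = $elements[-1].Certificate.Issuer
            ExpectedStore = 'Cert:\LocalMachine\CA or Root'
            Present       = $false
        }
    }
}

Test-EdgeCertificateChain -Thumbprint '379944BB47EE3EE70E7ED9E5908041A5556F69CE' |
    Format-Table -AutoSize
```

Any row with Present = False names the certificate to install; in the environment described in this post that row would be RapidSSL SHA256 CA.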
7 Responses
Thank you so much, we had exactly the same issue due to missing intermediate certificate.
I had the same issue at a customer site, could not find the intermediate certificate anywhere for the External Edge certificate. I resolved it by exporting the certificate as .P7B including all the certificates in the certification path. Then I was able to open the exported file and then import the Intermediate certificate and select the Intermediate folder path. After that Access Edge could start.
Hi,
I have environment:
Front End Server is working fine internally, however after deploying the Edge Server I face an issue: the "Skype for business Access Edge Service" does not start.
The Error Snap is attached for better clarification and also Event Logs that I received as I try to start Service.
Need Support on urgent basis
Thank you, it solved my problem.
Old post, but described and fixed my problem exactly.
Just wanted to say thank you!
It's still relevant!
Thanks for the post!