Terence Luk

You’ve noticed that the Skype for Business Server Access Edge service on your Skype for Business Server 2015 Edge server is stopped and the following error is thrown when you attempt to start it:

Windows could not start the Skype for Business Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.

Reviewing the event log displays the following errors:

Log Name: System

Source: Service Control Manager

Event ID: 7031

Level: Error

The Skype for Business Server Access Edge service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 180000 milliseconds: Restart the service.

Log Name: System

Source: Service Control Manager

Event ID: 7024

Level: Error

The Skype for Business Server Access Edge service terminated with service-specific error %%-2146762487.

Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (Configuration failure prevented the server from starting up). The service has to stop.

Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (CERT_E_UNTRUSTEDROOT). The service has to stop.

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14623

Level: Error

A serious problem related to certificates is preventing Skype for Business Server from functioning.

Error 0x800B0109(CERT_E_UNTRUSTEDROOT).

Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

Resolution:

Source: LS Protocol Stack

Event ID: 14397

Level: Error

A configured certificate could not be loaded from store. The serial number is attached for reference.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<Provider Name="LS Protocol Stack" />

<Level>3</Level>

<Keywords>0x80000000000000</Keywords>

<EventRecordID>154713</EventRecordID>

<Computer>svr-edge-01.ccs.int</Computer>

</System>

<Data>0x800B0109(CERT_E_UNTRUSTEDROOT)</Data>

</EventData>

You attempt to follow the instructions provided by this blog post, but they do not apply to your situation: using the following cmdlets to review the certificates’ serial numbers does not show a match for either:

  • A6AC495DE63987EAE958F6506F58377D
  • D77385F6056F859EAE78936ED594CA6A (reverse of the serial above)

Set-Location Cert:\LocalMachine\My

Get-ChildItem | FL

Get-ChildItem -Path 6224B3942798530F57A6F9BB560061BAF125DF1F | Format-List -Property *

**The serial for this certificate is 68000000BD4AC93CAEFE91A8BB0000000000BD

Get-ChildItem -Path 379944BB47EE3EE70E7ED9E5908041A5556F69CE | Format-List -Property *

**The serial for this certificate is 7D37586F50F658E9EA8739E65D49ACA6

As I’ve come across a similar problem in the past, I sort of had a feeling that this had to do with a certificate that was missing from the intermediate or root store of the Edge server.  To determine this, open the Certification Path of the certificate being used for the Edge interface:

Note that the issuing Certificate Authorities are:

  • GeoTrust Global CA
  • RapidSSL SHA256 CA

In this environment, the Root certificate GeoTrust Global CA was already in the Trusted Root Certification Authorities but the RapidSSL SHA256 CA was not in the Intermediate Certification Authorities.

I proceeded to obtain the issuing intermediate certificate via RapidSSL’s website:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO28616

Installed the certificate.

Then was able to successfully start the Skype for Business Server Access Edge service.
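The serial comparison and the issuer check described above can be scripted together. The following is an added example, not part of the original post: it takes the serial quoted from event 14397, also tries it with the byte order reversed (two hex characters at a time, which for the value above yields 7D37586F50F658E9EA8739E65D49ACA6), and then walks each matching certificate's issuers through the local machine Intermediate and Root stores. The function names are illustrative, and issuers are matched by subject name only, without verifying signatures.

```powershell
# Serial as logged in event 14397 (value quoted on this page).
$loggedSerial = 'A6AC495DE63987EAE958F6506F58377D'

function Get-ByteReversedHex {
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length % 2) { $Hex = "0$Hex" }            # pad to whole bytes
    $bytes = @([regex]::Matches($Hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)                           # reverse bytes, not characters
    -join $bytes
}

function Find-LocalIssuer {
    param([Parameter(Mandatory)]$Cert)
    # Name match only, against the local machine Intermediate (CA) and Root stores.
    foreach ($store in 'CA', 'Root') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $Cert.Issuer } |
            Select-Object -First 1
        if ($hit) { return [pscustomobject]@{ Store = $store; Cert = $hit } }
    }
}

# Compare against the logged value and its byte-reversed form.
$wanted = $loggedSerial, (Get-ByteReversedHex $loggedSerial)
$found  = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $wanted -contains $_.SerialNumber })

if (-not $found) {
    Write-Output "No certificate in LocalMachine\My has serial $($wanted -join ' or ')"
}

foreach ($leaf in $found) {
    Write-Output "Match: $($leaf.Subject) serial=$($leaf.SerialNumber) thumbprint=$($leaf.Thumbprint)"
    $current = $leaf
    # Walk upward until a self-signed certificate (subject equals issuer) is reached.
    for ($depth = 0; $depth -lt 10 -and $current.Subject -ne $current.Issuer; $depth++) {
        $issuer = Find-LocalIssuer $current
        if (-not $issuer) {
            Write-Output "  MISSING issuer '$($current.Issuer)' in LocalMachine\CA and LocalMachine\Root"
            break
        }
        Write-Output "  Issuer '$($issuer.Cert.Subject)' found in LocalMachine\$($issuer.Store)"
        $current = $issuer.Cert
    }
}
```

Run it in an elevated PowerShell session on the Edge server; a MISSING line names the CA certificate that has to be imported into the corresponding local machine store.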
