Xadean's Empirical Musing

February 27
CMS Replication (XDS) Not Working Between Front End & Edge Servers After Disabling Weak Protocols & Ciphers

Microsoft Case #: 13231981

Created on: Thursday, February 21, 2019

Support request number: 119022124001575

Product: Skype for Business Server 2015 (on-premises)

Issue: CMS Replication (XDS) Not Working Between Front End & Edge Servers After Disabling Weak Protocols & Ciphers

Description: The output of "Get-CsManagementReplicationStatus" shows False in the UpToDate field for all Edge Servers in the on-premises deployment, even after running the "Invoke-CsManagementStoreReplication" PS cmdlet. LastUpdateCreation shows a date in July 2018. The Skype for Business (SFB) Control Panel shows a red X next to the Edge Servers under Topology. After capturing a debug trace of the replication process with the CLSLogger tool, the following error message was observed:

TL_WARN(TF_COMPONENT) [FEPoolNAME\FEServerNAME]1E14.0AA8::02/15/2019-19:29:20.931.00002004 (XDS_File_Transfer_Agent,FileTransferTask.CopyFilesFromReplicaUsingWcf:filetransfertask.cs(755)) (0000000002FFC0E0)[FileTransferTask(6, 2/15/2019 11:26:49 AM): {TASK_NOT_STARTED, fromReplica, [FEServerNAME.fqdn, HttpsWebService, 4443], 0}] Failed to copy files from replica. Exception: [System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https:// FEServerNAME.fqdn:4443/ReplicationWebService. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Also noticed the following error message after executing the "Get-CsPoolFabricState -PoolFQDN FEPoolName.FQDN" PS cmdlet:

PS C:\Users\xahmasi> Get-CsPoolFabricState -PoolFqdn FEPoolName.FQDN
Get-CsPoolFabricState : An error occurred while receiving the HTTP response to
https:// FEServerName.FQDN /LiveServer/UserPinManagement/FabricManagement/. This could be due to the service endpoint
binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server
(possibly due to the service shutting down). See server logs for more details.
At line:1 char:1
+ Get-CsPoolFabricState -PoolFqdn FEPoolName.FQDN
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-CsPoolFabricState], CommunicationException
+ FullyQualifiedErrorId : Error getting fabric state. For details, see inner exception.,Microsoft.Rtc.Management.H
ADR.FabricState.GetOcsPoolFabricStateCmdlet

Root Cause: Windows Communication Foundation (WCF) does not use TLS 1.1 or 1.2 by default. Instead, it uses TLS 1.0 and RC4 ciphers (specifically TLS_RSA_WITH_RC4_128_SHA). These weak protocols (i.e. SSL 2.0/3.0 and TLS 1.0) and ciphers (i.e. RC2, RC4, DES, and 3DES) had been disabled for governance compliance, so the WCF client on the Edge Servers could no longer complete a TLS handshake with the Front End replication web service, and the connection was reset (the "forcibly closed by the remote host" error in the trace above).

Resolution: Under each of the following keys, for every version subkey listed (v1.0, v2.0.50727, v3, v4.0.30319), create a DWORD value named "SchUseStrongCrypto" and set it to 1:

HKLM\software\Wow6432Node\Microsoft\.NETFramework\

HKLM\software\microsoft\.NETFramework\

After adding this value and rebooting all Edge / Front End Servers, then running Invoke-CsManagementStoreReplication, Get-CsManagementReplicationStatus shows UpToDate True for all Edge / Front End Servers, and there is a green check next to all Edge / Front End Servers in the Skype for Business Control Panel under Topology.
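The following script is an added example, not part of the original post: it audits the SchUseStrongCrypto value under each .NET Framework version subkey the post lists, and with the assumed -Apply switch creates the DWORD where it is missing or wrong. Run it from an elevated PowerShell prompt on each Front End and Edge Server; a reboot is still required afterwards, as the post describes.

```powershell
# Added example (not from the original post): audit, and optionally set, the
# SchUseStrongCrypto DWORD that makes .NET/WCF clients negotiate TLS 1.1/1.2.
# -Apply is an assumed switch name; without it the script only reports.
param([switch]$Apply)

# Registry roots from the post (64-bit and 32-bit .NET Framework hives).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)
# Version subkeys named in the post.
$versions = @('v1.0', 'v2.0.50727', 'v3', 'v4.0.30319')

$results = foreach ($root in $roots) {
    foreach ($ver in $versions) {
        $path = Join-Path $root $ver

        # Read the current value; $null if the subkey or the value is absent.
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' `
                -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        $status = if ($current -eq 1) { 'OK' }
                  elseif ($null -eq $current) { 'Missing' }
                  else { "Wrong ($current)" }

        if ($Apply -and $current -ne 1) {
            # Follow the post: create the version subkey if it does not exist yet.
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'SchUseStrongCrypto' `
                -PropertyType DWord -Value 1 -Force | Out-Null
            $status = 'Set (reboot required)'
        }

        [pscustomobject]@{ Path = $path; SchUseStrongCrypto = $current; Status = $status }
    }
}

# One row per key so a 'Missing' or 'Wrong' entry stands out before rebooting.
$results | Format-Table -AutoSize
```

Run without -Apply first on a server that still replicates correctly to confirm every row reports OK; a Missing row on an Edge Server matches the failure mode described in this post.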

Reference(s): https://blogs.msdn.microsoft.com/benjaminperkins/2014/11/04/using-tls-1-2-with-wcf/


Comments

Re: CMS Replication (XDS) Not Working Between Front End & Edge Servers After Disabling Weak Protocols & Ciphers

Thanks -- spent hours googling for a replication issue and this was the answer. Not found anywhere else!
 on 3/21/2020 8:11 PM

Applied same security hardening for Edge servers only

Applied same security for Edge servers only - Do we need to still apply the reg key fix for front end server or only my Edge servers where security has been hardened?
 on 10/10/2020 12:31 PM
