Microsoft Case #: 13231981
Created on: Thursday, February 21, 2019
Support request number: 119022124001575
Product: Skype for Business Server 2015 (on-premises)
Issue: CMS Replication (XDS) Not Working Between Front End & Edge Servers After Disabling Weak Protocols & Ciphers
Description: Output of "Get-CsManagementStoreReplicationStatus" shows False in the UpToDate field for all Edge Servers in the on-premises deployment, even after running the "Invoke-CsManagementStoreReplication" PS cmdlet. LastUpdateCreation shows a date in July 2018. The Skype for Business (SFB) Control Panel shows a red X next to the Edge Servers under Topology. After capturing a debug trace of the replication process with the CLSLogger tool, the following error message was observed:
TL_WARN(TF_COMPONENT) [FEPoolNAME\FEServerNAME]1E14.0AA8::02/15/2019-19:29:20.931.00002004 (XDS_File_Transfer_Agent,FileTransferTask.CopyFilesFromReplicaUsingWcf:filetransfertask.cs(755)) (0000000002FFC0E0)[FileTransferTask(6, 2/15/2019 11:26:49 AM): {TASK_NOT_STARTED, fromReplica, [FEServerNAME.fqdn, HttpsWebService, 4443], 0}] Failed to copy files from replica. Exception: [System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https:// FEServerNAME.fqdn:4443/ReplicationWebService. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
The following error was also observed after executing the "Get-CsPoolFabricState -PoolFqdn FEPoolName.FQDN" PS cmdlet:
PS C:\Users\xahmasi> Get-CsPoolFabricState -PoolFqdn FEPoolName.FQDN
Get-CsPoolFabricState : An error occurred while receiving the HTTP response to
https://
FEServerName.FQDN /LiveServer/UserPinManagement/FabricManagement/. This could be due to the service endpoint
binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server
(possibly due to the service shutting down). See server logs for more details.
At line:1 char:1
+ Get-CsPoolFabricState -PoolFqdn FEPoolName.FQDN
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-CsPoolFabricState], CommunicationException
+ FullyQualifiedErrorId : Error getting fabric state. For details, see inner exception.,Microsoft.Rtc.Management.H
ADR.FabricState.GetOcsPoolFabricStateCmdlet
Root Cause: Windows Communication Foundation (WCF), which the replication web service is built on, does not use TLS 1.1 or 1.2 by default. Instead it negotiates TLS 1.0 with an RC4 cipher suite (specifically TLS_RSA_WITH_RC4_128_SHA). These weak protocols (SSL 2.0/3.0 and TLS 1.0) and ciphers (RC2, RC4, DES, and 3DES) had been disabled on the servers for governance compliance, so the replication connections between the Front End and Edge Servers were rejected, which is what the "connection was forcibly closed" errors above reflect.
Resolution: Under each of the following registry keys, for every .NET Framework version subkey present (v1.0, v2.0.50727, v3, v4.0.30319), create a DWORD value named "SchUseStrongCrypto" with data 1:
HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\
HKLM\SOFTWARE\Microsoft\.NETFramework\
After adding this value on all Edge / Front End Servers, rebooting them, and running Invoke-CsManagementStoreReplication, the UpToDate status for all Edge / Front End Servers shows True and there is a green check next to each of them in the Skype for Business Control Panel under Topology.
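The registry change above, as an added PowerShell example (not from the case notes or from Microsoft): it audits every .NET Framework version subkey in both hives for SchUseStrongCrypto = 1 and can apply the value where it is missing. It assumes an elevated PowerShell session on each Front End and Edge server, and it discovers the version subkeys by enumerating the registry rather than hard-coding the list from the case.

```powershell
# Added example (not from the case notes): audit, and optionally set,
# SchUseStrongCrypto = 1 under every .NET Framework version subkey in both the
# 64-bit and WOW6432Node hives so that WCF on this server negotiates TLS 1.2
# instead of TLS 1.0 / RC4. Run elevated on each Front End and Edge server.
# Assumption: version subkeys are discovered by enumerating 'v*' children
# rather than hard-coding the list from the case (v1.0, v2.0.50727, v3, v4.0.30319).

$hives = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework'
)

function Get-StrongCryptoState {
    # One row per version subkey: current SchUseStrongCrypto value ($null if absent)
    foreach ($hive in $hives) {
        if (-not (Test-Path -Path $hive)) { continue }
        Get-ChildItem -Path $hive |
            Where-Object { $_.PSChildName -like 'v*' } |
            ForEach-Object {
                $current = (Get-ItemProperty -Path $_.PSPath -Name 'SchUseStrongCrypto' `
                            -ErrorAction SilentlyContinue).SchUseStrongCrypto
                [pscustomobject]@{
                    Key                = $_.Name     # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...\v4.0.30319
                    PSPath             = $_.PSPath   # provider path usable by *-ItemProperty
                    SchUseStrongCrypto = $current
                    Compliant          = ($current -eq 1)
                }
            }
    }
}

function Set-StrongCrypto {
    # Create or overwrite the REG_DWORD wherever it is missing or not 1
    foreach ($entry in (Get-StrongCryptoState | Where-Object { -not $_.Compliant })) {
        New-ItemProperty -Path $entry.PSPath -Name 'SchUseStrongCrypto' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Set SchUseStrongCrypto=1 under $($entry.Key)"
    }
}

# Audit first; non-compliant rows are the subkeys the fix still needs.
Get-StrongCryptoState | Format-Table Key, SchUseStrongCrypto, Compliant -AutoSize

# To apply the fix, uncomment the next two lines, then reboot the server before
# re-running Invoke-CsManagementStoreReplication.
# Set-StrongCrypto
# Get-StrongCryptoState | Format-Table Key, SchUseStrongCrypto, Compliant -AutoSize
```

A value of 0 is reported as non-compliant as well, since an explicit 0 disables strong crypto just as its absence does.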
Reference(s):
https://blogs.msdn.microsoft.com/benjaminperkins/2014/11/04/using-tls-1-2-with-wcf/