CMS Wildcard Certificate With Skype for Business


When testing Cisco Meeting Server (CMS) in a lab environment utilising a wildcard certificate (CN:*.sfblab.assured.io) for the callbridge, I discovered that Skype for Business (SfB) would not accept inbound calls; however, SfB clients could make outbound calls to the CMS successfully. Subsequent research revealed that this is a known problem noted in the Acano FAQs: Calls to Lync fail to connect and the error shown in Lync logs show “The peer is using a wildcard certificate but did not identify itself with a NEGOTIATE request”.

When investigating logs on the SfB Front Edge Pool (FEP), the error message encountered is:

Text: The peer is using a wildcard certificate but did not identify itself with a NEGOTIATE request

The complete SfB message:

TL_ERROR(TF_CONNECTION) [pool\sfb]116C.1A90::02/01/2018-00:03:08.802.000024EC (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(394)) [3272978270] $$begin_record

Severity: error

Text: The peer is using a wildcard certificate but did not identify itself with a NEGOTIATE request

Peer-IP: 192.168.44.122:51824

Transport: TLS

Result-Code: 0xc3e93d69 SIPPROXY_E_CONNECTION_UNKNOWN_SERVER

Data: fqdn="*.sfblab.assured.io"

$$end_record

[Screenshot: the Snooper window showing the message]

As a workaround, the certificate must be replaced with a new one that does not utilise a wildcard in the common name field, e.g. one whose common name is the callbridge Fully Qualified Domain Name (FQDN).
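To confirm which peers are affected before and after replacing the certificate, the record shown above can be searched for in exported SfB log text. The following is an added example, not part of the original post: the function names are hypothetical, the first sample record is the one from the post, and the second record is constructed to show a non-match.

```python
import re

# Sample input: the record from the post, then a constructed record that must not match.
SAMPLE_LOG = r"""TL_ERROR(TF_CONNECTION) [pool\sfb]116C.1A90::02/01/2018-00:03:08.802.000024EC (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(394)) [3272978270] $$begin_record
Severity: error
Text: The peer is using a wildcard certificate but did not identify itself with a NEGOTIATE request
Peer-IP: 192.168.44.122:51824
Transport: TLS
Result-Code: 0xc3e93d69 SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
Data: fqdn="*.sfblab.assured.io"
$$end_record
TL_INFO(TF_CONNECTION) [pool\sfb]0000.0000::02/01/2018-00:03:09.000.00000000 (SIPStack,Example:Example.cpp(1)) [1] $$begin_record
Severity: information
Text: Constructed record that should not match
Peer-IP: 192.0.2.10:5061
Transport: TLS
$$end_record
"""

RECORD = re.compile(r"\$\$begin_record(.*?)\$\$end_record", re.S)
FIELD = re.compile(r"^[ \t]*([A-Za-z-]+):[ \t]*(.*?)[ \t]*$", re.M)
FQDN = re.compile(r'fqdn="([^"]*)"')


def parse_records(text):
    """Yield one dict of 'Key: value' fields per $$begin_record/$$end_record block."""
    for match in RECORD.finditer(text):
        yield dict(FIELD.findall(match.group(1)))


def wildcard_rejections(text):
    """Return (peer_ip, fqdn) for each connection rejected over a wildcard certificate."""
    hits = []
    for rec in parse_records(text):
        fqdn = FQDN.search(rec.get("Data", ""))
        rejected = "SIPPROXY_E_CONNECTION_UNKNOWN_SERVER" in rec.get("Result-Code", "")
        if rejected and fqdn and fqdn.group(1).startswith("*."):
            # Drop the ephemeral source port so repeated attempts group by host.
            peer_ip = rec.get("Peer-IP", "").rsplit(":", 1)[0]
            hits.append((peer_ip, fqdn.group(1)))
    return hits


if __name__ == "__main__":
    for peer_ip, fqdn in wildcard_rejections(SAMPLE_LOG):
        print(f"{peer_ip} rejected: certificate name {fqdn} is a wildcard")
```

An empty result after the certificate has been reissued with the callbridge FQDN indicates the front end is no longer rejecting the CMS on this condition.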