CX700 cannot login after a certificate change

    Question

  • Hi,

    After we update our internal certificate on our Lync std server the cx700 clients cannot login on reboot. Once cert is changed back they login ok, any ideas?


    Celtic
    • Moved by Noya Lau (Moderator), Friday, February 03, 2012 11:37 AM (From: Enterprise Voice and Telephony)
    Wednesday, January 04, 2012 11:10 AM

All replies

  • We have similar issues, and it all stems from the result of our Active Directory NETBIOS name being different than our Active Directory DNS name.  This is officially referred to as a disjoined namespace.  This might be the issue you're running into, or it might not.

    What we have had to do to guarantee seamless updates is require our users to enter their UPN in the username field in the Lync Phone Connection dialog box when a user logs on to an IP Phone (w/PC) for the first time.  So instead of netbios\jdoe, they must use jdoe@domain.com.  Using this method guarantees the phone contacts Active Directory correctly and results in the internal root CA certificate always being downloaded and installed without issue.


    Trevor
    Wednesday, January 04, 2012 8:38 PM
  • Trevor,

    You can also use domain.com\jdoe as the username format and that should also work in your environment.  Yes it looks odd, but it is valid.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
    Thursday, January 05, 2012 3:05 AM
  • Hi,

    The only way we could get the cx700 to logon in the end was to do a hard reset on the phone. Don't know if this is required?

    btw Our dns and netbios names are the same


    Celtic
    Friday, January 06, 2012 11:48 AM
  • In our environment we haven't had any of those issues that I know of.  We only have about 45 CX700s deployed; all the rest are CX600s (around 140 or so...and increasing).  I will say that we've had some odd issues with CX700s and it seems that the CX600s are much more reliable overall (not to mention a whole lot cheaper).

    I re-read your original post and it seems I might have misunderstood...  So you're saying when you change the certificate used by the front-end services on the Lync server itself, the phones can't login after that?


    Trevor
    Friday, January 06, 2012 2:11 PM
  • Yes exactly,

    The phones login fine to Lync. Both have latest updates. When I renew the internal Microsoft cert the cx700 fails to login unless I revert to old cert... The only way to get them to login was to hard reset each cx700.... bit of a pain

    Thanks for all replies


    Celtic
    Friday, January 06, 2012 5:21 PM
  • Hi Celtic,

    Because your Lync Server deployments use internal certificates, there is a need to install the root CA certificate from the internal CA to the device. It is not possible to manually install the root CA certificate on the device, so it needs to come from the network. Lync Phone Edition is able to download the certificate by using two methods; for details, see this document.

    In addition, here are some common issues with IP Phones. Have a check. Hope this helps.


    Noya Liu

    TechNet Community Support

    Monday, January 09, 2012 3:08 AM
  • Hi Noya,

    The root cert is already installed on these devices as they are working no problem until the cert is changed on the Lync Server. The new cert being installed on the Lync Server is from the same internal root authority.


    Celtic
    Monday, January 09, 2012 4:42 PM