Lync 2010 - internal certificate conflicts with the company user certificate (enrolled by the company Microsoft enterprise CA)

    Question

  • We ran into a problem with Lync 2010 certificates that are being issued by the Lync server itself.

    At the company we have a wireless network with certificate authentication. However, now that users have Lync installed, they have their communications server certificate assigned as well. The problem is that when a user needs to connect to the wireless network, a popup window appears and asks the user to choose a certificate for the authentication.

    If the user chooses the Lync certificate, the authentication fails.

    What can we do about it?

    Maybe there is a way for LYNC to trust our private CA and not give out its own certificates and STILL use certificate authentication?

    Thanks,

    Asaf

    March 6, 2012, 10:01 AM

Answers

  • Hi,

    Did you install an enterprise root CA in your domain?

    You need to install an enterprise root CA, and the Lync internal servers apply for the certificate from this CA. Normally, when the client PCs are added to the domain, they will get the certificate automatically from the CA server.

    Do you mean the popup window asks for a certificate to connect to the wireless network? Maybe the wireless network is configured with a certificate authentication type; please configure it with another authentication type.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    March 7, 2012, 6:35 AM
  • Hi,

    It seems you have mis-configured the certificate assignment. When you run the certificate wizard and get the certificate, you need to assign that new certificate to the deployment; otherwise it will use its own certificate.

    Run the Lync setup and certificate wizard again and make sure that the certificate issued from your internal CA is assigned, not the self-signed one.


    Thamara. MCTS, MCITP Ent Admin, Specialized in U.C Voice OCS 2007 R2 Z-Hire -- Automate IT Account creation process ( AD / Exchange / Lync )


    March 6, 2012, 12:57 PM

All replies

  • I think you would need to turn off certificate authentication on Lync for this to work.

    Lync issues its own certificate for PIN authentication, and these are separate from the internal Enterprise CA used to issue certificates to the servers for MTLS encryption.


    Justin Morris | Consultant | Modality Systems
    Lync Blog - www.justin-morris.net
    Twitter: @justimorris
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    March 8, 2012, 10:36 AM
  • Hi Justin,

    We cannot turn off the Lync certificate because then we might face problems with the Lync devices (using certificate authentication): lots of log-in challenges and credential prompts. Lync desktop/IP phones using certificate authentication might not authenticate to Lync.

    Is there no way to enroll the internal certificate using the CA?

    March 20, 2012, 11:14 AM
  • As far as I'm aware, no. The certificate issued by Lync for authentication is completely isolated to the Lync Server environment and is independent from CA auto-enrollment.

    Justin Morris | Consultant | Modality Systems
    Lync Blog - www.justin-morris.net
    Twitter: @justimorris
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    March 20, 2012, 11:18 AM
  • Kindly refer to Sean Xiao's answer:

    >>> Did you install an enterprise root CA in your domain?

    I presume we are referring to internal client connecting over Wireless.

    Ensure that your Lync trusts your enterprise root (internal) CA and that the Lync internal servers apply for the certificate from this CA.

    You can actually ensure your "wireless log-in cert" is a SAN certificate with the Lync addresses added to the same cert.

    Revoke the existing one and replace it with a new SAN certificate (incorporating the wireless and Lync addresses).


    ASSUMPTION: internally issued cert and not public Certificates


    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    March 20, 2012, 3:48 PM
  • Hi Asafhh,

    Kindly give feedback if you have managed to resolve this.

    Thanks


    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    March 23, 2012, 4:54 PM
  • Hi Semmyk,


    Regretfully, I still didn't solve it.
    I think the solution will not be from the Lync server.
    I am trying to find a way to bind the wireless authentication with the company user certificate.

    Thanks,
    Asaf

    March 27, 2012, 9:12 AM
  • You wrote ...

    >>> Maybe there is a way for LYNC to trust our private CA and not give out its own certificates and STILL use certificate authentication?

    >>> I am trying to find a way to bind the wireless authentication with the company user certificate

    Is your private CA a Microsoft CA?

    Does your Lync (now) trust your private CA?

    Is your private CA root certificate installed on your Lync servers, and vice versa (if the Lync cert is not from the same private CA)?

    Also, consider a single SAN certificate.

    In any case, not being sure which wireless platform you are on, you might want to bind your certificate to 802.1x.

    See this Cisco thread: https://supportforums.cisco.com/thread/2014893
    and http://technet.microsoft.com/en-us/library/dd283093%28v=ws.10%29.aspx



    If this post has been useful please click the green arrow to the left or click "Propose as answer"


    • Edited by Semmyk, March 29, 2012, 11:29 AM: MS 802.1x
    March 29, 2012, 10:54 AM
  • This sounds like the same problem that will be addressed by a hotfix being released in June.

    The issue involves EAP certificates in user store on Win7 client systems conflicting with Lync 2010 certs in same store.

    When EAP Simple Certificate Selection is enabled, it enumerates the certs in the user store and tries to simplify them based on the Subject Alternative Name (SAN) UPN field value. If multiple certificates in the user store have different SAN UPN values, OR if some have no SAN UPN field at all (as in the case of Lync 2010 certs), the simplify algorithm can't reduce them to one "grouping", and thus will prompt the user to select the proper cert.

    (There is no logic that could effectively distinguish between the certs to transparently choose the right one for the user authentication in this case. Caching the correct manual selection after the first time will help in subsequent authentications. But the first time there's no way to know.)

    The fix takes into account that EAP certs MUST contain a SAN UPN field. This is per http://support.microsoft.com/kb/814394:

    With either EAP-TLS or PEAP with EAP-TLS, the server accepts the client's authentication when the certificate meets the following requirements:
    • The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.

    So the change is for EAP authentication service to only enumerate certs in user store that have this field, and discount all others.

    The hotfix should be available in June via http://support.microsoft.com/kb/2710995

    Note this KB won't be published until just before the hotfix release.


    May 30, 2012, 5:04 PM
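An added example, not part of the thread or of Microsoft's hotfix: a PowerShell audit of the current user's personal store that applies the grouping rule tfair describes, listing which certificates lack a SAN UPN and whether the pre-hotfix and post-hotfix selection would still prompt. It assumes, as the post states, that the selection groups candidate certificates by their SAN UPN value only.

```powershell
# Added example (not from the thread): audit Cert:\CurrentUser\My for the
# condition described above. Assumes, as the post states, that EAP Simple
# Certificate Selection groups candidate certificates by their SAN UPN only.
$upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # GetNameInfo(UpnName) reads the otherName/UPN entry of the Subject
    # Alternative Name extension and returns "" when there is none.
    $upn = $cert.GetNameInfo($upnType, $false)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        SanUpn     = $upn
        HasSanUpn  = -not [string]::IsNullOrEmpty($upn)
    }
}

$report | Format-Table Subject, Issuer, HasSanUpn, SanUpn -AutoSize

# Before the hotfix: every certificate is a candidate. Certificates with no
# SAN UPN (e.g. the Lync-issued ones) land in their own "" group, so more
# than one group means the user is prompted to pick a certificate.
$preFixGroups = @($report | Group-Object -Property SanUpn).Count

# After the hotfix: certificates without a SAN UPN are discounted first.
$postFixGroups = @($report | Where-Object { $_.HasSanUpn } |
    Group-Object -Property SanUpn).Count

"Candidate groups before fix: $preFixGroups (prompt expected: $($preFixGroups -gt 1))"
"Candidate groups after fix:  $postFixGroups (prompt expected: $($postFixGroups -gt 1))"

# The certificates that cause the prompt on an unpatched client:
$report | Where-Object { -not $_.HasSanUpn } |
    ForEach-Object { "No SAN UPN: $($_.Subject) issued by $($_.Issuer)" }
```

Run it in the affected user's session, since the personal store is per user.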
  • Any news on the hotfix?  We have just started deploying both Lync 2010 and Wifi EAP in our organization, and we are experiencing the exact same issue.

    Cheers,

    Julian

    June 7, 2012, 2:31 PM
  • Hi Julian,

    This hotfix was released today.

    However, we're still waiting for the KB publication to go live. We expect this to happen by Monday, June 18th.

    At that time you will be able to download the hotfix from here:

    http://support.microsoft.com/kb/2710995

    Thanks

    • Proposed as answer by tfair - MSFT, June 13, 2012, 8:49 PM
    June 13, 2012, 8:49 PM