Certificate Issues on Mobile Client

  • Question

  • Hi- We just upgraded from Lync Server 2013 and now have issues connecting our mobile clients (SfB for Android). Upon signing in the user is presented with a security warning: "A Server presented a certificate that could not be verified. Do you wish to continue?"

    We have the same certificates in place that were used for Lync Server 2013 and we had no issues.

    The very bizarre thing is after checking the "Always trust this Certificate" box and clicking on Continue, the user is again presented with a security warning, but this time it's for a certificate that isn't anywhere in the SfB topology. It's actually a wildcard cert that's on my organization's web server.

    So why the certificate warnings, how/why does it see a cert from our web server, and what subject name or SAN needs to be on the cert that's different from Lync Server 2013?

    Any help is greatly appreciated!!!


    You should never, never doubt what nobody is sure about. -Willy Wonka

    Thursday, May 19, 2016 11:08 PM

All replies

  • From which CU did you make the upgrade to the latest CU?

    The mobile client should always connect through the reverse proxy to lyncdiscover and lyncdiscoverinternal, and access them through the public certificate, which should always be accepted by the mobile.

    https://technet.microsoft.com/en-us/library/hh690030%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

    The connection will then be made through the Lync Edge server and autodiscover for Exchange.


    regards Holger Technical Specialist UC

    • Proposed as answer by Eason Huang Friday, May 20, 2016 6:39 AM
    Friday, May 20, 2016 4:42 AM
  • Hi SteveSmo,

    Would you please tell us if you have the issue on iPhone and Windows Phone?

    Please try to check the Reverse Proxy certificate, which should include the following SANs:

    1. webext.contoso.com
    2. webdirext.contoso.com
    3. dialin.contoso.com
    4. meet.contoso.com
    5. officewebapps01.contoso.com
    6. lyncdiscover.contoso.com

    You can refer to this article for details:

    https://technet.microsoft.com/en-us/library/jj205381(v=ocs.15).aspx

    If you are missing the necessary SAN entry, try to renew the certificate of the reverse proxy.

    Best regards

    Eason Huang
    TechNet Community Support

    Friday, May 20, 2016 8:12 AM
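The SAN check suggested in the reply above, as an added example that is not part of the original thread: it reads the Subject Alternative Name section of `openssl x509 -noout -text` output and reports which of the listed names the certificate does not cover. The two sample certificates are constructed, and the wildcard rule is general TLS hostname matching (one left-most label), not a statement about what the SfB mobile client accepts.

```python
import re

# SANs listed in the reply above (contoso.com is the thread's placeholder domain).
REQUIRED = [
    "webext.contoso.com", "webdirext.contoso.com", "dialin.contoso.com",
    "meet.contoso.com", "officewebapps01.contoso.com", "lyncdiscover.contoso.com",
]

def parse_sans(openssl_text):
    """Extract DNS names from 'openssl x509 -noout -text' output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_matches(san, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return False

def audit(openssl_text, required=REQUIRED):
    """Map each required name to the SAN entry that covers it, or None."""
    sans = parse_sans(openssl_text)
    return {h: next((s for s in sans if san_matches(s, h)), None) for h in required}

def missing(openssl_text, required=REQUIRED):
    """Required names that no SAN entry covers."""
    return [h for h, s in audit(openssl_text, required).items() if s is None]

# Constructed sample: SAN section of a hypothetical reverse proxy certificate.
SAMPLE_PROXY = """
            X509v3 Subject Alternative Name:
                DNS:webext.contoso.com, DNS:dialin.contoso.com, DNS:meet.contoso.com, DNS:lyncdiscover.contoso.com
"""
# Constructed sample: a wildcard certificate such as a web server might present.
SAMPLE_WILDCARD = """
            X509v3 Subject Alternative Name:
                DNS:*.contoso.com, DNS:contoso.com
"""

if __name__ == "__main__":
    for label, text in (("proxy", SAMPLE_PROXY), ("wildcard", SAMPLE_WILDCARD)):
        print(label, "missing:", missing(text))
        for host, san in audit(text).items():
            print("  ", host, "<-", san)
```

The `audit` output shows which SAN entry covers each name, so a name matched only by a wildcard entry is visible rather than silently counted as present.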
  • [Holger]

    Reverse Proxy has public certificate that includes lyncdiscover.mydomain.com, but we've never had lyncdiscoverInternal.mydomain.com as a SAN.

    [Eason]

    We don't have any users with Windows phone. We do have a few with iPhone so I'll check their devices and see if they also get the same security warning. We also have a "webext.mydomain.com" SAN but have never had a "webdirext.mydomain.com" SAN.

    Our FE server does have a self-signed certificate with lyncdiscover.mydomain.com and lyncdiscoverinternal.mydomain.com.

    There is no Director Pool in our topology.

    Thanx


    You should never, never doubt what nobody is sure about. -Willy Wonka

    Friday, May 20, 2016 4:41 PM
  • Hm, difficult to say what has happened.

    You should use Fiddler to troubleshoot the mobile device issue, to see which web address will be used and which connection the mobile tries to reach.

    http://www.cantoni.org/2013/11/06/capture-android-web-traffic-fiddler


    regards Holger Technical Specialist UC

    Saturday, May 21, 2016 7:46 AM