Self Signed Certificates Issued to Phone Devices - causes additional certificate authentication pop-ups for other certificate dependent services.

  • Question

  • Hi there,

I've just configured a pilot Lync 2010 pool with the eventual intention of deploying Lync handsets across the organisation.

Everything seems to work great; delighted with the Polycom hardware (CX600).

However, when I sign in to Lync and my device retrieves a certificate (which seems to be deposited in my personal cert store as well), this certificate causes problems with:

    -EAP wireless

    -EAP authentication to the vpn

What happens is that when I connect to wireless I now have to choose between my Lync cert and the company cert; the Lync cert is not trusted, as it is not issued by a trusted authority (clearly). This isn't a big deal to me, but extra prompts are a major deployment blocker for my users!

Is there no way to get Lync to use certificates issued from our enterprise CA as opposed to its own? Then we'd have a single personal certificate for all these services.

Using DHCPUtil.exe I have pointed my device at my enterprise CA, but it still gathers a self-signed cert from the Lync server.

I don't believe I'm the only person to run into this issue: http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/8358d4b1-9d55-40bf-bb7e-c09e0cb90327/. I don't want to disable cert authentication either, as it'll cause numerous pop-ups/prompts etc.

    Any advice appreciated.


    Thursday, May 12, 2011 3:44 AM


All replies

Really? Is this only a problem for me? Does no one else use 802.1X for wireless or certs for VPN access alongside Lync?
    Monday, May 16, 2011 2:27 AM
  • Wednesday, May 18, 2011 9:23 AM



The user certificate used by clients for certificate authentication is issued by Lync Server itself, and there is no way to change this.



    Microsoft Unified Communications Team
    Tuesday, August 9, 2011 9:46 AM
  • Jimmerb,

    You are not the only one with this issue.

Santosh, this is not an acceptable answer. I have opened a ticket with Microsoft to resolve this issue. EAP-TLS should not select self-signed certificates, but it does. Simple Certificate Selection presents the latest certificates that have the correct EKU (client auth); if it sees certificates from different groups, you get the pop-ups when trying to connect to wireless.


    Thursday, November 3, 2011 7:36 PM
  • Hi MRinner,

Great to hear it. I spoke with a Lync MVP at the UK TechDays in May on this and he gave a similar response to Santosh. Please do keep me posted on any response you have from MS, as I'm not willing to compromise security or convenience for my users for these devices, much as they seem great.



    Friday, November 4, 2011 1:01 AM
  • Hi All,

Off the back of a different issue I spoke to a few people at Microsoft in India, and although they couldn't tell me when this will be fixed, they did acknowledge it was a significant issue and are working on a fix/modification to the behaviour. I'll post back here when I have more information.



    Friday, November 11, 2011 2:22 AM
I've mailed MS in India on this 5 times with zero reply. I am calling Polycom about this now to see if they've found any way around this hugely irritating shortcoming.
    Monday, January 30, 2012 3:14 AM
The problem occurs due to the EAP Simple Cert Selection (SCS) algorithm comparing Subject Alternate Name UPN values between the two user certificates. Lync self-signed certificates do not include a SAN UPN. In creating "certificate groups", SCS considers no SAN UPN value a separate identifiable group from a certificate that does include one.

    When multiple certificate groups result from SCS, the GUI is invoked for the user to select the proper certificate, for there is no possible intelligence SCS can incorporate to decide between the two.

    However, a hotfix for this is currently targeted for June 2012. As EAP *requires* a SAN UPN field (per KB 814394), the new logic will only apply the SCS algorithm against certificates with one.

    We don't yet have a KB for this, but I'll add one here upon release.

    If anything changes I will update this thread.

    Wednesday, May 2, 2012 3:58 PM
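    As an added example (not part of this thread, and not Microsoft's or Polycom's code): a PowerShell check that lists the Personal-store certificates EAP-TLS would consider and models the grouping tfair describes above. It keeps only certificates with a private key and the Client Authentication EKU, then splits them into those that carry a SAN UPN and those that do not; two non-empty groups is the condition that produces the certificate prompt before the hotfix. Assumptions: it runs on a Windows client with the Cert: drive, the grouping is a model of the described behaviour rather than the actual Windows SCS code, and the "Principal Name=" text it parses is the English rendering of the SAN extension produced by Format().

```powershell
# Added example: model the EAP Simple Certificate Selection grouping described
# in the thread against the current user's Personal certificate store.
# The two-group test is a model of the behaviour tfair describes, not the
# actual Windows implementation.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$SanOid        = '2.5.29.17'           # subjectAltName

function Get-SanUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return $null }
    # Format($false) renders the SAN as one line on an English system, e.g.
    # "Other Name:Principal Name=jim@corp.example, DNS Name=..." (assumed locale)
    $text = $san.Format($false)
    if ($text -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

# Candidates: private key present and Client Authentication EKU listed
# (the EKU EAP-TLS looks for per the thread).
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            SanUpn   = Get-SanUpn $_
            NotAfter = $_.NotAfter
        }
    }

$candidates | Format-Table -AutoSize

# Group as the post describes: "has a SAN UPN" vs "no SAN UPN".
$withUpn    = @($candidates | Where-Object { $_.SanUpn })
$withoutUpn = @($candidates | Where-Object { -not $_.SanUpn })

if ($withUpn.Count -gt 0 -and $withoutUpn.Count -gt 0) {
    Write-Warning 'Two SCS groups (with and without SAN UPN): expect a certificate prompt on EAP-TLS without the hotfix.'
    $withoutUpn | ForEach-Object {
        Write-Warning ('No SAN UPN: {0} (issued by {1})' -f $_.Subject, $_.Issuer)
    }
} else {
    Write-Host 'Single SCS group: EAP-TLS should select a certificate without prompting.'
}
```

    Run it in the signed-in user's session; certificates listed under the warning are the ones a pre-hotfix client will offer alongside the enterprise CA certificate, and a certificate issued by the Lync pool with no SAN UPN is the case the thread is about.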
  • Many thanks - looking forward to seeing the fix!


    Thursday, May 3, 2012 1:18 AM
In the meantime, if you disable cert authentication the issue does go away, but I know this breaks some other functionality and can cause SBAs to not work, etc.
    Thursday, May 3, 2012 1:19 AM
  • Any update on the KB release date for this?

I only ask as I've been waiting on a fix to this issue for more than a year :-)



    Monday, June 11, 2012 2:24 AM
  • Jim,

    An official hotfix is now available for this issue:


    Wednesday, June 13, 2012 8:42 PM
  • Many thanks - works perfectly!
    Monday, June 18, 2012 1:09 PM
  • You are welcome.  Glad to hear this :)
    Monday, June 18, 2012 11:08 PM