Group Chat Certificate issues - again


  • I am also having a problem logging into the Group Chat Admin console with the "Cannot sign in because Group Chat cannot connect to the chat room server." message.

    Can someone please answer definitively the certificate requirements for the Group Chat server and how to fulfill them? I can't find a single web site (Microsoft or otherwise) that either gives all the information or even gives the same information. I shouldn't have to go any further than the MS documentation to get a successful install.  But when I have to crawl the web and still get conflicting information it becomes very frustrating very fast.

    Please tell me:

    Do you require both Server and Client Authentication in the EKU?  If yes, what certificate template do I use and what do I use to request it?  LCSCMD.EXE?  The OCS Server Console certificate wizard?  The Windows 2008 Certificate Enrollment Wizard?

    If the answer is the OCS Server Console Wizard, it defaults to a Web Server template which only includes the Server Authentication EKU.  How is that supposed to work?  Same with the LCSCMD.EXE app.  I can get a Server/Client Auth cert using the Win2K8 enrollment wizard but it doesn't want to give me a SAN of my OCS pool.  That's my next question.


    Does or doesn't the certificate require a SAN of your OCS pool?  I get a different answer every time I do a search.  If it does, see my above question.  What tool do I use to request it that will also give me a Server/Client EKU?


    I've tried it all.


    Please do not point me to another piece of Technet documentation or or  None of these sites have helped.



    Monday, June 07, 2010 9:10 PM

All replies

  • Ok, I think I have finally got a certificate that should work for Group Chat.  I ended up modifying the "Web Server 2008" certificate template to include the Client Authentication EKU and used lcscmd.exe to request a certificate using that template with the /template parameter.


    So the cert has a subject name of the Group Chat server, SAN for the OCS pool and both the Server and Client Authentication EKU.


    However, I STILL get "Cannot sign in because Group Chat cannot connect to the chat room server."  when trying to log in with the Admin console.


    I am logged onto the server with the OCSChat user and using the OCSChat ID for the admin console.  I set the OCSChat account as a superuser at installation.

    • Proposed as answer by JovaAUS Tuesday, August 17, 2010 5:04 AM
    Tuesday, June 08, 2010 6:18 PM
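
An added example, not part of the thread and not Microsoft's tooling: a PowerShell check, run on the Group Chat server, that reports for each certificate in the Local Computer store the properties the post above describes (subject name of the server, SAN entry for the pool, both EKUs) and whether the private key is present. The two FQDNs are placeholders, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example. The two FQDNs are constructed placeholders, not values from the thread.
$ServerFqdn = 'groupchat01.example.local'   # Group Chat server FQDN (placeholder)
$PoolFqdn   = 'ocspool.example.local'       # OCS pool FQDN (placeholder)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$SanOid        = '2.5.29.17'                # Subject Alternative Name extension

function Test-ChatCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory = $true)][string]$ServerFqdn,
        [Parameter(Mandatory = $true)][string]$PoolFqdn
    )

    # Collect the EKU OIDs; a certificate without the extension yields an empty list.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Format() renders the SAN as "DNS Name=a, DNS Name=b" on English-language Windows.
    $sanText = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
        ForEach-Object { $_.Format($false) }) -join ', '
    $sanNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })

    # SimpleName returns the subject CN when one is present.
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # String comparisons here are case-insensitive, as DNS names are.
    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        SubjectIsHost = ($cn -eq $ServerFqdn)
        SanHasPool    = ($sanNames -contains $PoolFqdn)
        ServerAuthEku = ($ekuOids -contains $ServerAuthOid)
        ClientAuthEku = ($ekuOids -contains $ClientAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ChatCertificate -Cert $_ -ServerFqdn $ServerFqdn -PoolFqdn $PoolFqdn } |
    Format-Table Thumbprint, SubjectIsHost, SanHasPool, ServerAuthEku, ClientAuthEku, HasPrivateKey, NotAfter -AutoSize
```
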
  • I have found that right-clicking your Front End Server's FQDN in the OCS admin console, and then using the Certificates wizard there, is a great and easy way to get the right kind of certificates, with SANs, with the ability to export the private key, etc. Make sure you do not click Assign Now when doing the last step of that wizard.

    Then go to an MMC, add the Certificates (Local Computer) add-in and then export the cert from the Front End server.

    Thom Foreman, MCSE, MCSA, MCTS
    Wednesday, July 07, 2010 4:37 AM
  • Hi! I am having a similar issue, that is, NOT being able to log in to the Lync Group Chat Admin Tool. I added the Web Certificate Template in my CA and enabled Domain Admins to Enroll the Certificate.

    Then I duplicated that Web Server Template to Enterprise Server 2003 level and added Client and Server Authentication, and named it Lync Server.

    Finally using the CA website I requested a new certificate for Group Chat Server using this new Lync Server template. The generated certificate had Client and Server authentication as well as the corresponding private key.

    Alas the Admin Tool refuses to sign in :-(

    Any help is appreciated!

    Favad Q
    Sunday, September 18, 2011 6:22 PM
  • Did you ever get anywhere with this? I am having exactly the same issue and it is infuriating.
    Tuesday, October 23, 2012 12:10 PM