certificates issued by communications server for client authentication

    Question

  • Hi,

    we ran into a problem with those certificates that are being issued by the Lync server itself. In our enterprise we have CX600 and CX3000 phones, and I know that certificate authentication is required for the phones to work (both for registrar and web service). However, now that users have Lync installed, they have their Communications Server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA: for most of the users, Word or Excel suggests using a certificate issued by Communications Server, not our enterprise CA. Maybe there is a way for Lync to trust the private enterprise CA and not give out its own certificates and STILL use certificate authentication?

    Thanks!

    Monday, January 24, 2011 9:10 AM

Answers

  • You are absolutely right, they will have 2 certificates on their machines.

    The issue is that there's no way to modify the Lync server configuration so it can use the internal CA certificates.

    And if you disable the certificate authentication you will face problems with the Lync devices, a lot of login challenges and credential prompts, so it is not recommended to disable it.

    I think that you should find a way to configure a custom signature on the clients for the Office documents, and users can use these signatures.

    regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Wednesday, January 26, 2011 2:09 PM

All replies

  • Hi,

    Can you please post more details regarding your configuration? You are saying that the Lync Server has a CA installed on it?

    regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Monday, January 24, 2011 10:01 AM
  • Hi,

    No, the Lync server does not have a CA installed. However, every user gets a certificate installed that is issued by "Communications Server" and issued to the user's SIP address.

    If I delete the certificate, it gets reinstalled. The only way to get rid of this certificate is to delete it and then disable certificate authentication on the registrar and web service.

    Monday, January 24, 2011 11:12 AM
  • This is weird,

    I didn't experience this behaviour before. When you say that you disable the certificate authentication on the registrar and web service, can you give me more details about where you are doing that?

    As far as I know there shouldn't be any kind of client certificate authentication on the Web Services.

    regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Tuesday, January 25, 2011 8:00 AM
  • Lync server control panel:

    Security->Registrar and Web Service.

    "enable certificate authentication"

    Tuesday, January 25, 2011 8:38 AM
  • OK, now I got your point, sorry for the delay.

    This has nothing to do with the Lync Server; these settings are applied by default, and actually the Lync server is trusting your internal CA since it is running on a domain member machine which already has your internal Root CA installed as a trusted root certification authority.

    Do your users have other client certificates installed in their machines' user accounts besides the one that is issued by the Lync Server?

    If you issue client certificates from your internal CA, they can be used for document signing.

    regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Tuesday, January 25, 2011 1:20 PM
  • Hi,

    Yes, they do. But here is the problem: users do not check where that certificate was issued from when signing the document... So a Lync user has 2 certificates issued to his email address (which is used as well for the SIP address): one comes from Communications Server, the other from our internal CA.

    Wednesday, January 26, 2011 8:19 AM
  • Facing almost the same issue. Lync (server) issues ClientAuth certs from "Communication Server" (which, btw, is not trusted, of course), and in turn forces users to make a selection of which VPN cert to use when dialing in. Instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CAs should care about and NOT the Lync (server).

    Don't get how an MS product of this caliber can be built without proper PKI integration. How can it NOT utilize internally issued certs for client authentication??? Not the first, though; SCCM and OSD is another example....

    However, are you saying that Lync communication can’t be used without certificate authentication, without the user being spammed with credential prompts?

    Trying to get clarification on this...

    Wednesday, February 1, 2012 11:01 AM
  • It can. Just turn off the cert authentication in the security section on the control panel.

    you will need cert auth only if you have these desktop phones:

    http://technet.microsoft.com/en-us/library/gg413090.aspx

    Wednesday, February 1, 2012 1:16 PM
  • OK, thanks for clearing that up. So from a Lync server/client perspective there is no way of using cert auth while only utilizing issued certs from an internal PKI for the client to server communication, if cert auth is needed, that is?
    Wednesday, February 1, 2012 9:30 PM
  • I guess so. Hope that will change in future Lync versions.
    Thursday, April 12, 2012 7:23 AM
  • We have gone to the cloud with Lync; the only thing we have is an internal dirsync server and a couple of ADFS servers. We continue to receive these pop-ups regarding an expired certificate. They're only 8-hour issued certs according to Microsoft. How in the hell do you stop this cert warning from coming up all of the time (at least daily)? It is more of a bother, as it doesn't cause any issues with sync and performance of Lync.

    Sunday, June 17, 2012 11:00 PM
  • Did you manage to sort this out by any chance? Our internal CA signature certs are being brushed aside in preference of the 'communications server' issued ones. We can manually select the correct one, but it's annoying.

    Mark

    Wednesday, June 18, 2014 10:42 AM
  • Same issue. Is there any way to fix this issue?
    Thursday, October 22, 2015 7:47 AM
  • Going to necro an old thread but I found this one during my issues with the same problem and think I found a fix. This is more for the Always On VPN in case others stumble upon this doing a similar search with issues between the Communications Server certificate and the Client Authentication certificate.

    In the Always On VPN connection, go to Properties, Security tab, EAP properties. Under "Smart card or other certificate", click Configure, select "Use a certificate on this computer", click Advanced, check 'Certificate issuer' and choose all your root and sub CAs. Click OK and OK until you save it out. Doing this, it ignores issuers that aren't my CAs and connects right up now. I hope this helps someone, as this one was a real brain teaser.


    Friday, January 19, 2018 8:49 PM
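    As an added check that is not part of the thread: the recurring problem above is that a user's personal store holds two client-authentication certificates for the same name, one from the enterprise CA and one from the Lync "Communications Server" issuer, and applications pick the wrong one. This PowerShell script (assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the "Communications Server" issuer string comes from the thread, the chain-trust result is an expectation, not something the thread states) inventories those certificates so an admin can confirm the duplicate before changing VPN or signing settings.

```powershell
# Added example, not from the thread. Lists every certificate in the current user's
# personal store that carries the Client Authentication EKU, so an admin can see the
# Lync-issued "Communications Server" certificate next to the enterprise CA one.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCertReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { return }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { return }

        # Build the chain against the user's trust stores. The Lync certificate's issuer
        # is not a trusted root (the thread notes it is "not trusted"), so this is
        # expected to return $false for that certificate (assumption).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chain.Dispose()

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            LyncIssued   = ($cert.Issuer -like '*Communications Server*')
            ChainTrusted = $chainOk
        }
    }
}

# Full inventory, Lync-issued certificates listed last.
Get-ClientAuthCertReport | Sort-Object LyncIssued, Subject | Format-Table -AutoSize

# Subjects that hold more than one client-auth certificate: these are the users who
# will be asked to choose (or have the wrong one chosen) when signing or dialing in.
Get-ClientAuthCertReport | Group-Object Subject | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0} has {1} client-auth certificates" -f $_.Name, $_.Count }
```

    Run it in the affected user's session, since the Lync certificate lives in the user store rather than the machine store.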