2012 RDS + Gateway Certificate and and .local domains

Similar Messages

• Certificate for sites & .local domain...

  Running Exchange on a 2008 Small business server.
  My SSL certificate recently expired & when renewing it, I found that I could no longer have an entry for sites or mydomain.local, unless I went with a 1 year certificate, but was also told next year that option was going away all together. 
  Currently, users are getting warnings when opening outlook. Email is working fine, it's just kind of annoying & I'd like to fix it.
  What would be the easiest way to fix this?
  Thanks!

  Very True!
  From Oct 2015, all CAs stop issuing ssl certificate for .local domain names and hostname (NetBIOS names). As per CAB forum regulations this change should be followed compulsory by all Certificate Authorities.
  Work around: For now purchase 1 year SAN/UC certificate and this will keep all your local domains secure. M/w you should change exchange server configuration to stop local domains and hostname. Also you should update all exchange email users to update remote
  server connection hostname like mail.yourdomain.tld

• Machine authentication by certificate and windows domain checking

  Hi,
  We intend to deploy machine?s certificate authentication for wifi users.
  We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
  We intend to use EAP-TLS :
  - One CA server.
  - each machine (laptop) retrieves its own certificate from GPO or SMS
  - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
  - ACS version is the appliance one
  - one ACS remote agent installed on the A.D.
  - when a user intends to log on the wifi network :
  - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
  - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
  Am I right about these previous points ?
  And then my question is : is it possible to check that the machine is also included in the windows domain ?
  That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi Prem,
  Thanks for these inputs.
  I've passed the logs details to full, performed other tests and retrieved the package.cab.
  I've started investigating the 2 log files you pointed.
  First, we can see that the requests reach the ACS, so that's a good point.
  Then, I'm not sure how to understand the messages.
  In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
  But I'm not sure this NAP problem to be the root cause of my problem.
  And when no NAP is matched, then the default action should accept.
  We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
  I don't know what CSDB is.
  I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
  I copy below an extract of the auth.log.
  I also attach parts of auth.log and RDS.log.
  If you have any ideas or advices ?
  Thanks in advance for your attention.
  Best Regards,
  Arnaud
  AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
  AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
  AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
  AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
  AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

• RDS - .local domain and external users. Best way to get rid of SSL warnings

  I am evaluating MS RDS as a possible solution for a VDI implementation at the college I work for.  When we setup our AD years ago we set it up as a .local domain.  I am running into issues with the .local machine name on the connection broker for
  external users.  I know for internal domain systems we can setup the self signed .local cert as a trusted root cert to bypass the self signed untrusted warning  but for the bulk of our users which will be using systems external to our domain they
  will get the SSL warning about the self signed certificate when they try to connect to a remote app or a desktop.
  Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would still have the issue with external devices.
  The other option would be to tell our users to click the box to never display the warning message again and to go on or to add the self signed cert to their trusted list.  Of course when ever you ask the user to do something there will be issues.  We
  have also found that in our testing that we can not seem to connect via the web portal with a macbook.  We get an error that there is a problem with the trust relationship with the server after we login and click on an app or a desktop to connect.  We
  have been able to connect with iOS devices.  
  We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.  I think I might have some up with a solution and wanted to
  bounce the idea off of those on this forum.
  If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between the two domains such that users and
  systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?

  Hi AKlein,
  Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would
  still have the issue with external devices.
  Just add the root CA certificate of the internal CA into Trusted Root Certification Authorities store on external clients manually (or through group policy if there is an external domain), then SSL certificate warning would be gone.
  We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.
  Yes, renaming domain is not recommended due to its complexity.
  If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between
  the two domains such that users and systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?
  If you are setting up a new domain with two way trust, then root CA certificate of the internal CA still needs to be distributed manually (or through group policy). If you are setting up a child domain, then enterprise CA would be trusted within the same
  forest.
  As long as there are enough external users and devices to manage, an external private network exists and extra domain management tasks are acceptable, then setting up a new domain is a good choice since domain provides secure boundary.
  Or, you could just create a new site from the other network location, which saves you from creating a new domain, new users and trust.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• RDS Gateway 2012, RemoteApp Displays "A Revocation check could not be performed for the Certificate" via RDWEB

  I have searched through the forums and there are a number of posts that are similar but all the checks they list seem to not apply to this one.
  My current setup is as follows
  All Servers are 2012 R2
  1 x DC server
  1 x RDS Gateway server with RDS Web installed
  1 x Session Host Server
  Certificate supplied by godaddy with 5 names. (included is the name of the RDS Gateway/Web server in the certificate, the internal name of the session host server is not included as the internal names are differnet to the external)
  My tests are as follows
  Navigating to the RDSWEB page from a machine inside the same network (windows 7 sp1) but not on the same domain is fine no errors and logging in and launching any published application is fine with no errors.
  However logging in on another machine that is external from the network (windows 7 sp1) is ok up to the point of launching any of the published apps I get the error about ""A Revocation check could not be performed for the Certificate". this
  prompts twice but does allow you to continue and login and use the app till the next time. If I view the certificate from the warning message all appears to be ok with all certs in the chain.
  I have imported the root and intermediate certs to each of the gateway/rdsweb server and session host server into the computer cert store just to be on the safe side. This has not helped, I have also run the following command from both windows 7 machines
  with no errors on either
  certutil -f –urlfetch -verify c:\export.cer
  I cant seem to see where this is failing and I am beginning to think there is something wrong with godaddy cert itself somehow.
  If I skip rdsweb and just use MSTSC with the gateway server settings then I can login to any machine on the network with no errors so this is only related to launching published apps on the 2012 R2 RDWEB or session host servers.
  Any help appreciated

  Hi,
  1. Please make sure the client PCs have mstsc.exe (6.3.9600) installed.
  2. If you are seeing a name mismatch error, you can set the published name via this cmdlet:
  Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
  http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  To be clear, the above cmdlet changes the name that shows up next to Remote computer on the prompt you see when launching a RemoteApp.  You should have a DNS A record on your internal network pointing to the private ip address of your RDCB server. 
  Additionally, in RD Gateway Manager, Properties of your RD RAP, Network Resource tab, you should select Allow users to connect to any network resource or if you choose to use RD Gateway Managed group you will need to add all of the appropriate names to the
  group.
  For example, when launching a RemoteApp you would see something like Remote computer: rdcb.domain.com and Gateway server: gateway.domain.com .  Both of these names need to be on your GoDaddy certificate.
  Please verify the above and reply back so that we may assist you further if needed.  It is possible you have an issue with the revocation check but I would like you to make sure that the above is in place first.
  Thanks.
  -TP
  Thanks for the response.
  To be clear I am only seeing a name mismatch and revocation error if I assign a self signed cert to the session host as advised earlier in the thread by "Dharmesh Solanki", if I remove this and assign the 3rd party certificate I then
  just get the revocation error , I have already ran the powershell to change the FQDN's but this has not resolved the issue although the RDP connection details now match the external url for RDWEB when looking at one of the remoteapp files. The workspace
  ID still shows an internal name though inside this same file. 
  RD Gateway is already set to connect any resource, when connecting using remote app both names (RDCB/RDGateway) show as being correct and are contained within the same UCC certificate. I also already have a DNS entry for the Connection broker pointing to
  the internal ip.
  Do you know if the I need the internal name of the session host servers contained within the same UCC certificate seeing as they are different fqdn's than what I am using for external access ? I resigned the UCC certificate and included the internal name
  of the session host server to see if this would help but for some reason I am still seeing the revocation error. I will check on a windows 8 client pc this evening to see if this gets any further as the majority of the testing has been done on windows 7 sp1
  client pc's
  Thanks

• How to Setup RDS custom property when internal and external domain name space is different

  Hi All
  I am setting up RDS for customer
  My internal domain name is domain.local and my external domain is domain.com
  I came across below PowerShell cmdlets on some blogs because my internal and external name space are different
  Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:remote.domain.com”
  In above command, remote.domain.com points to which host?
  Is it pointing to RD Session Broker
  OR
  Pointing to RD Session Host servers
  I am not sure what above command will do exactly ?
  Any help will be highly appreciated
  Thanks Best Regards Mahesh

  Hi,
  It all depends who is accessing the RDS Solution.
  If you have a large BYOD or large number of external users, it would be better to use a public certificate.
  Have a look at the following script which will simplyfy the configuration of the RDSH hosts with certificates.
  http://ryanmangansitblog.com/2014/05/20/rds-2012-rdsh-certificate-deployment-script/
  You can use a custom RDP property to hide the Session host names.
  Have a look at the following article on configuring certificates:
  http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2

  Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2
  1. Client Os : Windows 7 Pro
  2. Server OS : Windows Server 2012R2 with RDS broker and RDS Gateway server with 3.part Certificate  with friendly name sky.mti-itservice.no activated.
  The  main problem is following: The RDP logon session never ends
  Any ideas ?
  Regards
  Kenneth Knudsen
  Email : [email protected]
  mvh Kenneth Knudsen MCSE 2003 HP ASE

  Hi Kenneth,
  Here for your case suggest you to configure RDP session time limit so that your user can disconnect\log off once the specific time limit reached.
  You can setup the session time limit in different method.
  1. Open the Server Manager, select Remote Desktop Services.
  2. In Remote desktop Services, in right side you can drop down to collections.
  3. Select the collection which you want to edit the settings.
  4. Under collections Properties, select Task and then Edit Properties.
  5. In Properties dialog box, select Session.
  6. You can find all thetimeout settings under session collection properties; edit according to your requirements and then OK. 
  And apart also by group policy setting as below.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
  User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
  -  Set time limit for disconnected sessions
  -  Set time limit for active but idle Remote Desktop Services sessions
  -  Set time limit for active Remote Desktop Services sessions
  -  End session when time limits are reached
  Please check which setting suitable for your environment and you can apply for your case.
  [Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2
  https://social.technet.microsoft.com/Forums/en-US/00c2252b-8ec0-489f-8da2-07a434a9b5a2/forum-faq-restrict-number-of-active-sessions-in-rds-2012-and-2012-r2?forum=winserverTS
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• 2012 R2 Hyper-V Replica and Cross Domain

  Customer would like to user Hyper-V Replica, but their local site and DR site are different domains.
  I know we need certificate. Is there any guide for this? I didn't find any configuration document, thanks. 

  Hi Sir,
  Please refer to the similar thread :
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/420d239c-0475-480f-aa9c-c094d9ae226b/server-2012-hyperv-replication-cross-site-and-cross-domain?forum=winserverhyperv
  Also the article below is a lab test about hyper-v replica based on certificate :
  https://social.technet.microsoft.com/Forums/en-US/c3e309b6-1d5d-4e52-b859-cf36bd5af47d/forum-faq-how-to-implement-hyperv-replica-in-workgroup-environment?forum=winserverhyperv
  Best Regards,
  Elton Ji
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

• Gateway server and Management server in SCOM 2012

  What are the main Different between Gateway server and Management server in SCOM 2012?
  I have referred this , is there anything ?
  http://blogs.technet.com/b/momteam/archive/2008/02/19/10-reasons-to-use-a-gateway-server.aspx

  1) Management server can write data , gathered from agent, directly into operations manager database. Gateway server should forward data, collected from managed agent to management server.
  2) In a unturst environment for example workgroup or untrust domain, and you do not want to deploy a certificate to every monitored agent, you should deploy gateway server rather than managment server.
  Roger

• Local domain, IIS Hosting and SMTP issues.

  I have a local domain on Windows server 2012 with dns, dhcp, iis and smtp. (Yes, I am aware of the dangers of these combinations) it is for learning purposes only and not my main pc. 
  My local domain is willow.run and I am hosting a website, the domain for that is machinerylubricant.com I have IIS 8 installed (6.0 also for smtp) 
  My original issue was getting IIS to send an email to localhost through a php script for a contact form hosted on the website. I finally got to where it appears to be sending the contact form info to my drop folder but I ahve no idea how to get that .EML
  file to actually forward to gmail account or even outlook on my computer/server. 
  In the email file (.eml in drop folder) it says "To: *******@gmail.com" as it is supposed to but that email is not making it to the specified gmail account. Also no error messages in the ph logs or the log files for smtp. How would I go about setting
  up a email program to work on the lan with the acual www domain name I own? 
  I am learning everything at once basically, windows server, coding, protocols etc. Please bare with me.

  Rather than answer your specific question, how about I give you the best way to achieve what you're looking for?
  For inbound messages, you want to use the "aliasdetourhost" keyword. Check the documentation for how this is set up.
  For outbound messages, you want to use the "alternate conversion channel"
  When used together, this will achieve what you're looking for, without the looping that you have generated....
  The alternate conversion channel was written up here:
  http://ims.balius.com/resources/downloads/files/AlternateConversion.pdf

• .local domain and autodiscover issues

  I want to preface this by saying I am a new administrator.
  Our SSL cert recently expired, and since .local domains can no longer be on certs, were registered a CA cert with autodiscover.domain.com and mail.domain.com. This new cert was successfully applied, but whenever someones opens their e-mail they get a warning
  about the name on the server not matching the cert. I
  I'm pretty sure this is juts a few DNS records I need to update but I don't know which ones and really need some guidance.
  Thanks for your time.

  So what you are saying is that his current DNS for company.com (which his internal users use for external access) needs to be duplicated internally, then modified to support his internal email access?  I've set up many systems where internal DNS and
  external DNS hosted the same name, and it is far from simple as "a new zone takes less than a minute to create".  How do you handle internal access to external sites (which is currently working just fine with his external DNS)?
  To answer your question, my recommendation is that his internal clients use AutoDiscover to gain their internal settings. Keep in mind that while the Exchange server may be in the .local domain, the SMTP domain they host is a .com domain. And since his servers
  are in a domain, any domain-attached Outlook client will be able to access the mailbox successfully.
  Just create a new DNS record pointing to the external host.  Or get a new domain name that doesn't have external websites, then create a new DNS zone for that.
  Alright, so with your recommendation - he updates his clients to use Autodiscover, which they are likely already using, to gain internal settings.  And then what do you configure the internal URLs as?  
  For example - Autodiscover.
  You set the AutoDiscoverServiceInternalURI to servername.domain.local -> he still gets a cert prompt every time he opens Outlook.
  You set the AutoDiscoverServiceInternalURI to mail.domain.com to match the certificate -> Now ALL autodiscover requests from all clients are going out to the internet, then back into the Public VIP.  
  Same with EWS.  And this is assuming he's using RPC/TCP rather than HTTP.  So then he's either going to get prompts for cert every time he opens outlook and checks OOF or mailtips, or all internal clients are going to use the external VIP for Autodiscover
  and EWS. 

• 2012 TS Gateway and UDP

  I have a 2012 TS gateway for remote access for our Session Host server.
  The TS gateway is on the LAN and the Firewall forwards request from our external IP on to the TS Gateway, in the past 2008 and R2 we have just had 80 and 443 open  and it works fine, as it still does on 2012.
  I want to enable the 2012 UDP option 3391 so I asked our ISP to also open the UDP port 3391 both ways.
  Now RDS doesn't work properly, I can see in the TS Gateway monitoring that clients are connected http and usually 2 UDP connections, The Client when you click on the connection button we get connection is good or excellent and UDP is enabled.
  From the Client end the best way to explain the experience is things will work smoothly for a while then hang if you try to resize windows it takes a while to do, what is really interesting is if you set of a video in a portion of the screen this will continue
  to stream ok whilst the rest fails to redraw correctly.  Also interestingly if you move the Windows Media Player around the video moves around flawlessly but the surround stays where it was originally.
  Turn off UDP and things go back to normal, I would like UDP to work because on constrained connections the experience isn't brilliant.
  Is there anything I'm doing wrong should I ask for established related through the firewall? is there anything I can look at to see how I can improve this. 
  If I force an internal client to connect to the Gateway the UDP experience is absolutely fine. 
  Its a bit frustrating that I can only test this issue remotely.
  Any help would be appreciated, as the information on the internet is scanty
  Thanks Gordon.

  I have a 2012 TS gateway for remote access for our Session Host server.
  The TS gateway is on the LAN and the Firewall forwards request from our external IP on to the TS Gateway, in the past 2008 and R2 we have just had 80 and 443 open  and it works fine, as it still does on 2012.
  I want to enable the 2012 UDP option 3391 so I asked our ISP to also open the UDP port 3391 both ways.
  Now RDS doesn't work properly, I can see in the TS Gateway monitoring that clients are connected http and usually 2 UDP connections, The Client when you click on the connection button we get connection is good or excellent and UDP is enabled.
  From the Client end the best way to explain the experience is things will work smoothly for a while then hang if you try to resize windows it takes a while to do, what is really interesting is if you set of a video in a portion of the screen this will continue
  to stream ok whilst the rest fails to redraw correctly.  Also interestingly if you move the Windows Media Player around the video moves around flawlessly but the surround stays where it was originally.
  Turn off UDP and things go back to normal, I would like UDP to work because on constrained connections the experience isn't brilliant.
  Is there anything I'm doing wrong should I ask for established related through the firewall? is there anything I can look at to see how I can improve this. 
  If I force an internal client to connect to the Gateway the UDP experience is absolutely fine. 
  Its a bit frustrating that I can only test this issue remotely.
  Any help would be appreciated, as the information on the internet is scanty
  Thanks Gordon.
  Hi everyone
  This is funny, but just the same I experienced yesterday.
  The same issues i have now since i opened 3391 ono my firewall, to provide UDP connections.
  My 3 Server Setup:
  RDGW, RDCB, RDWEB (2012)
  RDSH1 (2012)
  RDSH2 (2012)
  I cannot exatly say when the disconnections are happening, but they are unreliable.
  When i block UDP Port on my firewall everything is normal again.
  It cannot be a network issue, i can reproduce this problem on different vSphere platforms.
  @Ryan Mangan
  Hey Ryan
  Regarding your suggestion on GP-Settings for Remote-FX, these policies are both not configured.
  As i understand, there is no need to configure them.
  Regards
  Ajdin

• SCOM 2012 R2 Gateway installation error and no System Center Management server after install

  Hi,
  I have installed SCOM 2012 R2 Gateway and I got an error 25372 error at the start of the install. It still installs though. However I have no system center management service running in services but I can see healthservice.exe is running.
  Why am I not seeing the system center management service?
  Thanks.

  Using gateways with certificates is always a bit complicated because there are several things that needs to be configured correctly.
  DNS: The MS and the GW server need to be able to resolve each others FQDN. you can adjust the hosts files if needed.
  Traffic is only TCP 5723 from the gateway to the MS. You can test this with the telnet client.
  Certificates:
  http://marthijnvanrheenen.wordpress.com/2012/03/28/scom-2012-connecting-a-gateway-server-using-certificates/
  The gateway server should NOT be in pending management. Remove it from here before running the approval.
  You should start by making sure DNS and the 5723 port are functioning because that is probably where the problem is.
  Please remember, if you see a post that helped you please click (Vote As Helpful" and if it answered your question, please click (Mark As Answer).

• Multiple additional SIP domains - certificate and DNS requirements

  We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
  This is working successfully internally, externally and through Lync Mobile.
  However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
  In other words, user A has a primary SMTP and SIP address of
  UserA@aaaaa_group.com
  However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
  There must be in excess of 40 to 50
  of these other domains in use as primary SMTP addresses.
  (Nearly all
  these users have secondary SMTP addresses of aaaaa_group.com).
  I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
  I know from reading that wilcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them. 
  Wilcard certificates aside, what are the names that will I need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
  The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter
  what it is.
  Any thoughts/comments would be very welcome. :-)

  Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards,
  but do plenty of research on how to approach this.  Here are some articles to get started:
  http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
  http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
  That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
  For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
  sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
  The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal
  FQDNs, and the Reverse Proxy certificate will require the lyncdiscover
  FQDNs.
  For Exchange Server you'll need to an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary
  SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed-in to Lync.  Unless you need users to all user their own domain names for the SimpleURLs (which it doesn't not sound like in your scenario) then you'd
  have to add all those as well.
  So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50
  sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURls, etc.  Just make sure that the certificates Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary
  domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
  For example:
  Edge Server external certificate
  Common Name: sip.domain1.com
  Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com,
  etc...
  Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us