Lync 2013 Certificate Count

Hello, I'm new to Lync. 
Can someone help me in determining how many certificates I need for the following:
Lync 2013 Standard in Production Site A and DR Site A with pools paired
Lync 2013 Standard in Production Site B and DR Site B with pools paired
Can I get away with a single certificate and include all the SAN names, or do I need a certificate per pool pair or certificate per site?
Thanks.

Since these are internal servers, it's preferable to use an internal CA and use separate certificates.
Since the subject/common name of the cert should be the FQDN of the pool (http://technet.microsoft.com/en-us/library/gg398094.aspx), you'll want at least one cert per pool.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
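An added check (not from the thread) that applies the answer above to what is actually in a Front End server's certificate store: subject CN equal to the pool FQDN, every required name present as a SAN, private key present, not expired. It assumes an English Windows locale (the SAN extension is read from its formatted "DNS Name=" text) and uses placeholder pool and SAN names at the bottom.

```powershell
# Added example: validate Front End pool certificates in the local computer store.
# Assumption: English locale, so the SAN extension formats as "DNS Name=<fqdn>".
function Test-LyncPoolCertificate {
    param(
        [Parameter(Mandatory)] [string] $PoolFqdn,
        [string[]] $RequiredSans = @()
    )

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # SimpleName returns the subject CN for a normal server certificate
        $subjectCn = $cert.GetNameInfo('SimpleName', $false)

        # Subject Alternative Name extension is OID 2.5.29.17
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
        }

        # Names that must be covered: the pool FQDN itself plus every required SAN
        $wanted  = @(@($PoolFqdn) + $RequiredSans | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)
        $missing = @($wanted | Where-Object { $sans -notcontains $_ })

        $subjectOk = $subjectCn -ieq $PoolFqdn
        $expired   = $cert.NotAfter -lt (Get-Date)

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            SubjectCN          = $subjectCn
            SubjectMatchesPool = $subjectOk
            MissingSans        = $missing
            HasPrivateKey      = $cert.HasPrivateKey   # without it the Assign wizard will not list the cert
            Expired            = $expired
            Suitable           = $subjectOk -and ($missing.Count -eq 0) -and $cert.HasPrivateKey -and -not $expired
        }
    }
}

# Placeholder pool and SAN names for this example
Test-LyncPoolCertificate -PoolFqdn 'lyncpool01.corp.example' -RequiredSans @(
    'sip.example.com', 'meet.example.com', 'dialin.example.com',
    'lyncdiscoverinternal.example.com', 'lyncdiscover.example.com'
) | Format-Table Thumbprint, SubjectMatchesPool, MissingSans, HasPrivateKey, Suitable -AutoSize
```

Run it once per pool with that pool's FQDN; a certificate that reports Suitable = False for every pool is the one to reissue before pairing the pools.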

Similar Messages

  • Office web Apps server Lync 2013 Certificate

    Hi,
    I'll be installing an Office Web Apps (OWA) server with Lync 2013 Standard Edition. External user access is disabled but federation is enabled, meaning OWA will be exposed to the internet as wabweb.contoso.com; the internal host name of the OWA server is owa.contoso.local.
    Does the certificate on the OWA server need to have owa.contoso.local as the certificate principal name and wabweb.contoso.com as a SAN? Or is owa.contoso.local alone enough?

    It really depends on how you publish the server to the internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with .local on it and the public name on the reverse proxy. If you are punching a firewall hole/NAT directly to the server, your best option is to use a public cert on that server directly.
    That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play). So I would actually enter the OWAS farm as wabweb.contoso.com in Topology Builder, then when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
    Richard
    Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       • Use aliases for access edge FQDNs - supported by the desktop client but not by other devices, so not really workable.
       • Don’t support XMPP federation, therefore removing the need for domain name FQDNs for each SIP domain.
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       • Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       • Client auto-configuration:
         i. Don’t support mobile client auto-configuration, in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
         ii. Support mobile client auto-configuration over HTTP only, in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
         iii. Support mobile client auto-configuration over HTTPS, in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing, so I think it is eligible to use the hosting pack, but I'm not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal, and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. is this only used for the initial download of the discovery record, and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
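    An added planning helper (not from the thread) that turns the options weighed in the two posts above into SAN counts: per-domain Access Edge names, XMPP federation, and the mobile auto-configuration mode decide how many entries the Edge and reverse proxy certificates need, and the result is compared with a provider's SAN limit. Base FQDNs, domain names and the limit are placeholders; any further names a deployment carries (simple URLs, for example) are passed in by the caller.

```powershell
# Added example: SAN count planner for multiple SIP domains (placeholder names).
function Get-LyncSanPlan {
    param(
        [Parameter(Mandatory)] [string[]] $SipDomains,
        [Parameter(Mandatory)] [string]   $AccessEdgeFqdn,   # shared Access Edge name, e.g. sip.designateddomain.com
        [Parameter(Mandatory)] [string]   $WebConfFqdn,      # Web Conferencing Edge name
        [Parameter(Mandatory)] [string]   $ExternalWebFqdn,  # external web services FQDN on the reverse proxy
        [string[]] $OtherProxyFqdns = @(),                    # simple URLs etc. (fewer with friendly URL option 3)
        [switch]   $AccessEdgePerDomain,                      # sip.<domain> for every SIP domain (the Schertz best practice)
        [switch]   $XmppFederation,                           # XMPP needs the bare SIP domain name on the Edge cert
        [ValidateSet('None', 'Http', 'Https')] [string] $MobileAutodiscover = 'Https',
        [int] $SanLimit = 25
    )

    $edge  = @($AccessEdgeFqdn, $WebConfFqdn)
    $proxy = @($ExternalWebFqdn) + $OtherProxyFqdns

    foreach ($domain in $SipDomains) {
        if ($AccessEdgePerDomain) { $edge += "sip.$domain" }
        if ($XmppFederation)      { $edge += $domain }
        # Only HTTPS auto-configuration needs lyncdiscover.<domain> on the certificate;
        # HTTP-only works with CNAMEs to the designated domain and no SANs; 'None' needs nothing.
        if ($MobileAutodiscover -eq 'Https') { $proxy += "lyncdiscover.$domain" }
    }

    # Drop duplicates (e.g. sip.<designated domain> already being the Access Edge FQDN)
    $edge     = @($edge  | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)
    $proxy    = @($proxy | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)
    $combined = @($edge + $proxy | Select-Object -Unique)

    [pscustomobject]@{
        EdgeSans          = $edge
        EdgeSanCount      = $edge.Count
        EdgeFitsLimit     = $edge.Count -le $SanLimit
        ProxySans         = $proxy
        ProxySanCount     = $proxy.Count
        ProxyFitsLimit    = $proxy.Count -le $SanLimit
        CombinedSanCount  = $combined.Count   # if one certificate is used for both roles
        CombinedFitsLimit = $combined.Count -le $SanLimit
    }
}

# Placeholder scenario: 30 SIP domains, per-domain Access Edge names, HTTPS auto-configuration, 25-SAN provider
$domains = 1..30 | ForEach-Object { "sipdomain$($_).com" }
$common = @{
    SipDomains      = $domains
    AccessEdgeFqdn  = 'sip.designateddomain.com'
    WebConfFqdn     = 'webconf.designateddomain.com'
    ExternalWebFqdn = 'lyncweb.designateddomain.com'
    OtherProxyFqdns = 'meet.designateddomain.com', 'dialin.designateddomain.com'
    SanLimit        = 25
}
Get-LyncSanPlan @common -AccessEdgePerDomain -MobileAutodiscover Https |
    Select-Object EdgeSanCount, EdgeFitsLimit, ProxySanCount, ProxyFitsLimit, CombinedSanCount, CombinedFitsLimit

# Same domains with HTTP-only auto-configuration and a shared Access Edge name
Get-LyncSanPlan @common -MobileAutodiscover Http |
    Select-Object EdgeSanCount, EdgeFitsLimit, ProxySanCount, ProxyFitsLimit, CombinedSanCount, CombinedFitsLimit
```

    The first run exceeds a 25-SAN limit on both certificates for 30 domains; the second shows what the HTTP-only and shared-name options buy back, at the cost the quoted articles describe (a clear-text first request, and devices that reject SRV/A records in different namespaces).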

  • Lync 2013 Certificates for DR Pool

    Hello, I'm kind of new to Lync 2013 so I could use a little guidance.....  
    My question is regarding edge server certificates for my DR site. We have 2 geographic locations, one for Prod, and one for DR in an active/passive arrangement. The pools are paired for resiliency.
    The prod site is up and running, everything is functioning as it should. We recently decided to deploy Lync in DR. The prod site is using sip.x.com in DNS and SRV records for access edge. Knowing that we cannot use the same DNS
    name for the DR pool, I have used sip_DR.x.com. It is recommended to use the same cert for all edge servers. Does that mean I should use the same cert for both pools? If so, should I then add the SAN sip_dr.x.com to my existing UC cert from digicert, and
    import it to all my edge servers in both pools, or should I have a separate cert for DR? Or, would I request a duplicate cert from digicert and generate the request from one of my edge servers in the DR pool?
    Any help you can provide will be greatly appreciated.
    Thank you. 

    The same cert requirement is for all Edge servers in an Edge pool. You can use a new certificate for the DR Edge pool.
    Take a look at Jeff Schertz' blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    "The exact same certificate must be used on all common interfaces across the pool, regardless of whether DNS load balancing or hardware load balancing is utilized.  This means that the original certificate request must provide the ability to export
    the private key as the exact same certificate and private key pair must be able to be exported from one Edge server into all other Edge servers.  This is required so that in the event of a failover any existing sessions can be moved to another server
    in the pool and the data can still be decrypted by the same certificate that was used to encrypt the session just prior to the failover."
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • Lync 2013 Certificate

    Hi
    I have Lync 2013 with 2 edge servers.
    Once my internal certificate expired and I renewed the internal certificate, the RTCSRV certificate stopped. How can I solve this issue?
    What names should the certificate include (Edge server certificate)?
    MCP MCSA MCSE MCT MCTS CCNA

    Absolutely! This is a very common issue with deployments where you have more than one Edge server. The certificate request is usually generated from one of the Edge servers and the resultant certificate is imported on to the other Edge servers. But the
    certificate isn't visible in the certificate Assign wizard as it is missing the private key. The important step here is to export the certificate with the private key before you import it on the other Edge servers.
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you have asked, please mark the thread as answered to aid others when they are looking for solutions to similar problems or queries.
    The opinions expressed here are solely my own and do not express the views or opinions of my employer.
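    An added example (not from the thread) of the step both answers above turn on: the same certificate and private key must be carried to every Edge server in the pool, and a copy without its private key will not show up in the Assign Certificate wizard. It uses the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate (Windows Server 2012 and later); thumbprint, paths and password are placeholders, and copying the PFX between DMZ servers is left to whatever transfer the environment allows.

```powershell
# Added example: export an Edge certificate with its private key and import it
# on the other pool members, failing loudly in the two cases the thread describes.
function Export-LyncEdgeCertificate {
    param(
        [Parameter(Mandatory)] [string]       $Thumbprint,
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this server; export it from the server where the request was generated."
    }
    try {
        # Fails when the key was not marked exportable at request time (the Schertz
        # requirement); the request then has to be regenerated with an exportable key.
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ErrorAction Stop | Out-Null
    } catch {
        throw "Private key of $Thumbprint is not exportable: $($_.Exception.Message)"
    }
    Get-Item -Path $PfxPath
}

# Run on each other Edge server after the PFX has been copied there
function Import-LyncEdgeCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string]       $ExpectedThumbprint
    )
    # -Exportable keeps the key exportable so this member can seed further servers
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $PfxPassword -Exportable
    if ($imported.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported $($imported.Thumbprint), expected $ExpectedThumbprint."
    }
    if (-not $imported.HasPrivateKey) {
        throw "Imported certificate has no private key; the Assign wizard will not list it."
    }
    $imported
}

# Placeholders: replace the thumbprint with the one shown in the Deployment Wizard
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-LyncEdgeCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -PfxPath 'C:\Temp\edge-external.pfx' -PfxPassword $pfxPwd
# On the second Edge server, after copying C:\Temp\edge-external.pfx there:
# Import-LyncEdgeCertificate -PfxPath 'C:\Temp\edge-external.pfx' -PfxPassword $pfxPwd -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT'
```

    Delete the PFX from both servers once the certificate is assigned, since the file holds the pool's private key.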

  • Lync 2013 certificates

    Hi!
    Is this still a problem? I have the latest Lync phone edition on my Polycom phones.
    https://heavens-reach.com/tag/rsassa-pss/
    https://social.technet.microsoft.com/Forums/lync/en-US/57569652-fa63-4774-be43-464f4086b2fd/issuing-cas-signature-algorithm-changed-from-sha1rsa-to-rsassapss?forum=winserverDS

    Hi!
    I saw that document and as you say it does not really tell if it will work or not.
    I have already switched some of the Lync server certificates (mediation and trusted applications) to RSASSA-PSS and they work.
    But the big question is the Lync Phone Edition.
    According to this SHA256 should work:
    http://www.avianwaves.com/Blog/entryid/193/enrolling-an-out-of-date-lync-phone-edition-phone-with-sha-2-signed-ssl-certificates.aspx
    http://blog.schertz.name/2014/10/lync-phone-edition-and-public-certificates/
    And here is some info about it that says it does not work:
    http://uclobby.com/2014/10/06/certificate-re-key-to-change-signature-algorithm-in-lync-server-sha-1-to-sha-2/
    http://xerical.blogspot.se/2015/01/fixed-polycom-certificate-issues.html

  • Exchange 2013, Lync 2013, PKI

    http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx?PageIndex=2&wa=wsignin1.0&CommentPosted=true
    Hi,
    I would like to implement this 2-tier PKI, but for Windows Server 2012 R2 & Windows 8.1 ENT.
    I tried to do the win2013 PKI but it failed to validate the Exchange 2013 certificate, and a lot more problems, but this article seems very stable and working.
    Just a few questions:
    this is just for test, my setup will be:
    External Domain: test2013.cu.cc (free cu.cc domain)
        name servers: NS1.he.net to NS5.he.net
    External Domain: test2013.com (secondary domain, not really needed, from godaddy.com)
                         A     72.252.214.6
                         MX 5  mail2.test2013.com
        mail2            A     72.252.214.7
        7                PTR   mail2
        6                PTR   test2013.com
    External DNS: dns.he.net (free from he.com; controls all DNS for test2013.cu.cc)
        test2013.cu.cc   A     72.252.214.6
                         MX 5  mail.test2013.cu.cc
                         TXT   "v=sfp1 mx ipv4:72.252.214.7 mx:test2013.cu.cc mx:test2013.com -all"
                         SPF   "v=sfp1 mx ipv4:72.252.214.7 mx:test2013.cu.cc mx:test2013.com -all"
        mail             A     72.252.214.7
        # 72.252.214 rDNS (reverse DNS, standard octet)
        6                PTR   test2013.cu.cc
        7                PTR   mail.test2013.cu.cc
    Internal Domain: test2013.lan
                         A     192.168.0.3
                         NS    192.168.0.3
                         MX 5  mail.test2013.lan
        mail             A     192.168.0.5
        DC1              A     192.168.0.3
        APP1             A     192.168.0.4
        firewall         A     192.168.0.1
        lync1            A     192.168.0.6
        lync2            A     192.168.0.7
    Software used:
    Windows Server 2012 R2
    Exchange 2013
    Lync 2013
    VM1 = firewall (clears 5.2)   nic1=72.252.214.6 nic2=72.252.214.7 nic3=192.168.0.1
    VM2 = DC1 (AD/DOMAIN/DNS/DHCP) nic1=192.168.0.3
    VM3 = CA (offline CA) nic1=192.168.0.2 (not connected)
    VM4 = APP1 (Issuing CA) nic1=192.168.0.4
    VM5 = mail (Exchange 2013 CU3) nic1=192.168.0.5
    VM6 = lync1 (Lync 2013 front server) nic1=192.168.0.6
    VM7 = lync2 (Lync 2013 edge server) nic1=192.168.0.7 nic2=72.252.214.8
    How do I set up this infrastructure with all the information provided?
    How do I make Exchange 2013 and Lync 2013 live as one on this network?
    How do I pass the mxtoolbox.com spf-test, smtp-test, reverse-dns-test and spam-test?
    How do I make Exchange 2013 send all emails immediately, and not put them in Drafts when you click send?
    How do I make the Exchange 2013 & Lync 2013 certificates from the PKI setup VALID?
    How do I let external users access their mailbox using Outlook 2013?
    How do I let external users access their Lync account using the Lync client & Outlook 2013?
    How do I fix "Move to DRAF, when click on send"?

    Hi Fbifido,
    From your description, I would like to clarify the following things:
    1. Exchange 2013 is not supported to run on Windows Server 2012 R2.
    2. For Windows-based users, computers, and services, trust in a CA is established when there's a copy of the root certificate in the trusted root certificate store and the certificate contains a valid certification path. For the certificate to be valid,
    the certificate must not have been revoked and the validity period must not have expired.
    What's more, here is a helpful article for your reference.
    Digital Certificates and SSL
    http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
    Besides, in order to avoid confusion and keep track of troubleshooting steps, we usually troubleshoot one issue per thread.
    Hope it helps.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • How do i use Third Party certificates when setting up Lync 2013

    Hi,
    I'm currently installing a trial of Lync 2013 for my company and it has got to the stage of adding in certificates. My company has no wish to add in a Certificate Authority unless it's vital; they have asked if it's possible to use a third party certificate provider. I have no idea how to go about this and would appreciate any help on where to get certificates from as well as how to import these into Lync.
    Many thanks
    John 

    Yes it is possible. Thankfully Lync makes it very easy. When you deploy Lync one of the steps in the Lync Deployment Tool is to Request and Assign Certificates.
    It's a wizard that will create the CSR for you and basically include all the required names.
    You will however need UCC certificates for most things  (that support multiple Subject Alternate Names) so it may get a little expensive.
    The CA you choose is really up to you, but GoDaddy do some pretty reasonably priced UCC certificates. Digicert is also another commonly used CA.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog
    www.lynced.com.au | Twitter
    @imlynced

  • Can someone lay out exactly what the certificate for UM/Lync 2013 needs to be?

    Ok, so I spent 480 minutes on my cell phone dealing with this same problem with MS a few weeks ago and they fixed it without telling me exactly what was wrong.  I'm doing another Lync 2013 install and still can't get it to talk to UM.
    I need to know the following:
    Does the cert for the Exchange 2013 UM services need to be issued from the CA or do I use one of the existing Exchange certs?
    What does the subject name need to be?
    What needs to be included in the SANs?
    After the cert is created, do any changes need to be made to the Lync server, or is the cert simply assigned to the UM roles via Exchange Admin Center, restart UM services, and it works?

    You can issue the cert from an internal CA or use a self-signed cert as long as it's trusted by Lync.
    The subject name should be the server's FQDN.
    Nothing else really needs to be a SAN unless you're assigning this cert to a service outside of UM, for example if you needed it to also have a webmail.domain.com or autodiscover.domain.com for the CAS role.
    Your best bet is to just let the Exchange certificate wizard create it for you, and nothing really needs to change on the Lync server side, but when you bring the services up you might want to do it during off hours. I've seen an issue where the UM server takes a moment longer to get up to speed and rejects calls sent at it for 15 or so minutes. But, it should just work.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Certificate Requirement for Lync 2013 Standard Edition

    I have successfully run the setup of Lync 2013 Standard Edition; now I am stuck due to the certificates required for Lync 2013. When I generate a CSR, it shows the subject URLs for that:
    hostname.domain.com
    sip.domain.com
    diali.domain.com
    meet.domain.com
    admin.domain.com
    lyncdiscover.domain.com
    lyncdiscoverinternal.domain.com
    im.domain.com (External URL)
    So if I go for a 3rd party CA then I need 8 certificates only for internal Lync. As I also need to connect federated partners and external users, I need Edge, for which again I need 3 more certificates:
    web.domain.com
    a/v.domain.com
    sip.domain.com
    Now when I go for these certificates it is quite costly, and I didn't understand why such certificates are required. Can anyone help me to fix such a requirement?
    Or, what are the necessary URLs for which I buy from a 3rd party CA, and leave the rest as they are?
    I also want to deploy Edge with a single adapter as we have only one network, so can anyone assist me to proceed further.
    Talha Faraz Malik

    To save on the cost of your third party certificates, I would deploy an internal certificate authority to sign certificates for your internal front end.   For your third party certificate, you would only need the SANs for the edge and for your
    reverse proxy and as Edwin said, this can be a single cert with multiple SANs.
    For example, for your edge you would need:
    sip.domain.com
    web.domain.com
    You would not need A/V as this role does not require a SAN on your certificate.  On the same certificate, which you could also use on your reverse proxy, you'd likely want the following FQDNs.
    lyncdiscover.domain.com
    im.domain.com (your external web services FQDN)
    meet.domain.com
    dialin.domain.com
    You may also want to consider your internal web services FQDN and include the following so third party mobile devices can connect without needing a certificate installed:
    im_internal.domain.com (your internal web services FQDN)
    lyncdiscoverinternal.domain.com
    I'm sure that's not entirely clear yet, so feel free to ask more questions or what the purpose of each is. 
    When you say Edge with a single adapter, do you mean a single adapter in a DMZ or internal? You definitely want two NICs, both in separate DMZs, but I've managed to get the edge working with a single adapter in a DMZ before. What you don't want is the edge in your internal network.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Lync 2013 Client CA certificate just disappears?

    We have a Lync 2013 deployment going on, using a 3rd party Lync Server infrastructure, and Lync 2013 clients on Win7 PCs. The 3rd party has sent us an SSL certificate to install into the Trusted Root Certification Authorities store, which we are doing via group policy. This is all fine, except that, periodically, these certificates seem to be deleted from the clients' certificate store.
    Can anyone offer us a steer on this certificate disappearing?
    Thanks.

    Hi,
    Agree with Anthony, it shouldn’t be the issue from Lync server side. Please check if there are any AD group policy to clear certificate from clients periodically.
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • Lync 2013 FE server certificate - different domain name

    Hi,
    I am implementing a small Lync infrastructure with the following components in a Resource Forest - Account Forest type implementation with a bi-directional Trust between the two forests:
      1 x Lync 2013 FE Standard,   1 x Mediation server  and  1 x Office Web App server
    Both AD forests have their PKI CAs, the certificate on the FE server is signed by the CA from the Account domain. All servers and workstations have both Root certificates implemented.
    User’s SIP domain name (account forest) is different from the FE server (resource forest) domain name.
    Question: When internal users sign-in to Lync they get a warning prompt as follows:
    “Lync cannot verify that the server is trusted for your sign-in address. Connect anyway?”
    Users can select to connect and everything functions correctly, however, I would like to get rid of the warning message at the beginning.
    Any idea what may be wrong, is something missing on the certificate ?
    Thanks for your help,
    Luca

    You can try to edit the internal web services FQDN and ensure your other populated DNS records point to a FQDN that matches the SIP domain, or use the TrustModelData workaround here: http://support.microsoft.com/kb/2833618
    Here are a couple extra articles that dive in to what's happening: http://terenceluk.blogspot.com/2013/04/signing-into-lync-2013-client-presents.html?m=1
    http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Lync Edge 2013 Certificate Assign (again!)

    Hi,
    I recently posted a similar topic on the forum (Lync Edge 2013 Certificate Assign). The issue was related to certificate assignation. I solved it, but I needed later to change my certification authority, and so change the certificate assigned to the public Edge interface. Trying this, I encountered a new (different) problem with my new certificate, so I am back here to try to find a solution.
    As said, I am trying to assign a Certificate to my Lync 2013 Edge Server on the Internet edge.  This certificate is signed by a recognized authority (Comodo).
    Whenever I import the certificate into the store via the Lync wizard and proceed on to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates on the Lync Deployment Tool interface, so I cannot assign it to the External Edge interface.
    I tried to import it with the DigiCert tool (which allowed me to solve my previous import problem, but not this time...) with no more result. I tried to import it from .cer format, or .crt format; the results are the same.
    I launched the MMC on the computer and added the Computer Certificates snap-in. If I look at the certificate icon, I see the little key in the icon, so it sounds like I have the private key available.
    Any help would be greatly appreciated!
    Thank you very much for your help.
    EDIT: when running the digicert tool "Test Key", the result is the following : " the private key was successfully tested" and "revocation check for certificate chain failed". Does it give any clue ?

    I had the feeling I did everything fine too...! This is maybe a silly question, but I'll try anyway: do you think it could be possible that I cannot choose the imported certificate in the Lync Deployment assistant because the assistant does not recognize the public name of the computer? I mean, I could add the internal interface certificate because the computer recognized its local name (edge.local.domain). But it seems it doesn't know its Internet FQDN (lync.mydomain.com) which is mentioned in the topology.
    It does not explain why I could previously add the wildcard certificate, so I think my remark is silly, but I am kind of lost....
    Thank you anyway for your messages.
    EDIT: when I try to use PowerShell to assign my certificate manually, I get an error message telling me that the command execution failed because [my certificate thumbprint] is not in the store or not approved. It is true that I had some intermediate certificates provided by Comodo, but I installed all of them in the store via mmc > Certificates, both in Trusted Root CAs and Intermediate CAs. Maybe I missed a location?

  • Lync 2013 edge server request certificates

    I am deploying a Lync 2013 edge server. How do I get the certificate request file [certificate signing request (CSR)] in step 3: Request, Install or Assign Certificates?
    I need your help!
    Thanks!

    Agree with Jason.
    On the Certificate Request File page, type the full path and file name to which the request is to be saved.
    After you get Certificate Request File, you need to submit this file to your CA (by email or other method supported by your organization for your enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it
    is available for import.
    Check how to set up certificates for the internal edge interface at
    http://technet.microsoft.com/en-us/library/gg412750.aspx.
    Check how to set up certificates for the external edge interface
    http://technet.microsoft.com/en-us/library/gg398409.aspx.
    Lisa Zheng
    TechNet Community Support

  • Lync 2013 mobile client. Can't verify the certificate from the server. Please contact your support team

    We upgraded Lync Server 2010 to Lync 2013.
    Users are able to login on desktop clients but unable to connect on mobile client. We get following error message:
    Can't verify the certificate from the server.
    Please contact your support team

    Please check the Root CA is installed on your mobile device.
    Can you sign in externally?
    Please check you have updated the DNS records for Lync mobile autodiscover service.
    Lisa Zheng
    TechNet Community Support
