Lync + Exchange certificate

Similar Messages

• Lync 2010 Certificate renewal via MMC

  So I have been trying to find the answer to this and haven't had any luck digging through the forums. I am going to be renewing my Lync 2010 certificates next week. However, I am trying to find out if its possible to use the Certificate Manager via the MMC
  to renew the certificate for the Lync server. This is a certificate from an internal CA and I would be right clicking the certificate and select "All Tasks>Advanced Operations>Renew This Certificate With The Same Key". Would this option work
  for renewing the Lync 2010 Certificate? or does it absolutely have to happen via the Lync Deployment Wizard? 
  Thank you all for any insight on this.
  Emmanuel Fumero Exchange Administrator

  Will the Lync PS renew the existing certificate or will it request a new one the same was the Lync Deployment wizard does? I have noticed that the Lync deployment wizard tends to pull all the existing data the previous certificate uses.
  Emmanuel Fumero Exchange Administrator

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• Lync client certificate error

  How can I troubleshoot certificate issues on Lync internal usage?
  We have CA in our domain environment. Lync server successfully requested and assigned 4 certificates from CA. (actually one certificate for own 4 needs).
  All computers by default group policy achieved root CA certificate. And almost all sign in to lync without problems. But there are few computers which can't sign in followed with certificate problem. 
  So, at problem computer I opened certificate snap-in using MMC. Then I watched in trusted root certificate container for our root CA certificate. And it exists!
  So, I manually exported Lync certificate from CA server, and manually imported it to problem computer to trusted root certificate authorities. - It haven't solved the issue.
  I also tried to join lync by other accounts - no help. 
  I deleted all unused or self-signed certificates from problem computer, deleted all certificates from untrusted publisher container. - doesn't help
  I reinstalled lync client, tried another versions. - doesn't help

  What error did you get when you failed to sign in?
  Have you error sign in on these computer successfully?
  Check if you have Lync user certificate issued by Lync Server in user’s Personal certificate store.
  Check if the same issue exists when sign in with different Lync accounts.
  The following is a blog about Lync client authentication, it is useful for your further troubleshooting.
  http://blogs.technet.com/b/nexthop/archive/2012/11/28/lync-2010-client-authentication.aspx
  Lisa Zheng
  TechNet Community Support

• RESOLVED On Premises (intranet use only) Exchange Certificate Help (Please)!

  I apologize in advance for what may end up being a very silly issue.
  I have racked my brain and read and searched and I still can't seem to find the answer to my question.
  I have an in house Exchange server that is only accessible internally. We do not have external clients (laptops/tablets/etc) and all computers stay on premises. Most of our clients use OWA to access email. Everything has been working fine up until about
  2 weeks ago when everybody started getting a certificate error. I have tried every thing I can find to fix this issue to no avail. It seems the thumbprint of the certificate is different each time I visit the exchange server (https://exchange/owa). So I can
  install the certificate which works for a few minutes and then it prompts me again. When looking at the thumb print of each instance, everything seems to be exactly the same with the exception of the thumbprint.
  My first question, is do I still need to go through a CA even though this server is not accessible via external IP?
  Where are my clients getting the certificate they are trying to install because they do not match the certificate that is installed on the Exchange Server.
  Thank you in advance for anybody that can steer me in the right direction to getting this resolved.
  I support this site remotely so any additional info can be provided but there might be a small delay.

  First, thank you for taking the time to respond.
  "I'm going to assume that you have some sort of PKI infrastructure with in your environment."
  I'm not sure I do. This project landed in my lap a few years ago. This particular client is my only client
  with exchange. I have limped my way though to this point but I'm afraid I'm just not clear on what it is I actually need.
  We are running Exchange 2013 on a Server 2008 box. Everything worked fine up until about 2 weeks ago. I have no idea what changed.
  I think my biggest problem is my lack of understanding of where the client is pulling the certificate when I access the intranet site. I don't understand why the certificate (whether valid or not) isn't matching the certificate within IIS/Exchange admin.
  Hi,
  I think you can check your certificate information and provide the information here for more help. Please run the following command in Exchange Management Shell:
  Get-ExchangeCertificate | fl
  Additionally, since the certificate issue occurs when accessing Exchange server from OWA, please check the OWA configuration in your Exchange:
  Get-OwaVirtualDirectory | FL Identity,*Authentication*,*url*
  Generally, the namespace used in the OWA URL should be included in the Exchange certificate which is assigned with IIS service.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• Lync + Exchange on Same Server?

  I'm attempting to build a test infrastructure Active Directory + Lync + Exchange. After installing Lync on my Exchange Server,
  I was unable to connect to Exchange. I don't know for sure that I was able to connect to Exchange before I installed Lync though. Rather than go through the installation process again, I'm hoping if someone can tell me for sure if Lync 2010 and Exchange 2010
  can exist on the same server.

  I'm fairly sure from previous discussions with our infrastructure guys that this is a big no-no (I thought about doing the same), although can't find any evidence to back up this assertion!
  This ServerFault
  question might help you with a possible workaround - its for OCS 2007 R2, but may apply to Lync too
  You might get a better response asking this specific question on serverfault, given that it's more infrastrucure than dev related

• Lync 2010 Certificate Renew Downtime

  Hello,
  Recently I was made the Lync Admin so I wont lie I have very little knowledge about Lync. I am about to have several of the Lync server certificates expire so I am in the process of renewing them. Before proceeding and using the Certificate Wizard to renew
  my Lync certificates I would like to know if there is any kind of downtime the users will experience. Do any of the servers require a reboot or does a specific service require a restart? All certificates that are being renewed are issued by an Internal CA.
  P.S - I've looked through the forums and done my research just can't seem to come across this particular topic.
  Thank you,

  Hi there,
  Yes you will need to restart the Lync services after you replace the certificates.
  If you have multiple FE's you can minimize the downtime to users, however there may be periodic disconnects as the services are stopped on a node and the client reconnects to the next available node.
  I'd recommend scheduling downtime to do this. The actually downtime should be minimal (just the amount of time it takes to run Stop-CsWindowsService and Start-CsWindowsService
  If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog
  www.lynced.com.au | Twitter
  @imlynced

• Exchange certificate error

  Hi Guys,
  I am in the process of upgrading my exchange 2007 to 2013. i now have setup a 2013 server successfully. However, i seem to be having problems with my exchange certificate. Everytime i open my outlook it comes up with the dialogue gox below
  The old server is still in the envirnoment so i was thinking its certificate is the one being picked up. could this be that the CAS is still on the old server? if yes, how to i transfer it. if otherwise, please assist.
  Regards,
  BJ

  Hi,
  I suggest try to re-create profile to refresh the caches for testing.
  If doesn't work, please try to check following checkpoints:
  1. Open IE and browse RPC URL, https://mail.domain.com/rpc, to examine the certificate.
  2. Install the trusted root certificate.
  3. Disable the 3rd party add-in or the 3rd party browser add-in.
  More details to refer following KB:
  Error message when Outlook tries to connect to a server by using an RPC connection or an HTTPS connection: "There is a problem with the proxy server's security certificate"
  https://support.microsoft.com/kb/923575?wa=wsignin1.0 
  Also provide an FAQ for your reference:
  Checklist for Exchange Certificate issues
  https://social.technet.microsoft.com/Forums/en-US/fa78799b-5c55-4c71-973b-0e186612ff6f/checklist-for-exchange-certificate-issues?forum=exchangesvrgeneral
  Thanks
  Mavis Huang
  TechNet Community Support

• OIF-do I need to exchange certificate,keys if using selfsigned certificate?

  I have setup OIF federated authentication and it works between SP and IdP. I think I'm using self-signed certificates.
  With my setup, I did not have to exchange certificate between SP and IdP, however, my customer (IdP side) told me that I need to exchange with them the self-signed certificates and public key/private key.
  Do I need to exchange self-signed certificates and public key/private key between SP and IdP or only third party CA signed certs need to be exchanged?
  Also, to exchange certificate, I thought I just need to add it through "Trusted CAs and CRLs" in EM, but I'm not sure how to exchange public key/private key?
  Thanks

  I got "exchange certificate" working by enable certificate validation and adding IdP's certificate to SP or vice versa. the configuration was done through "Trusted CAs and CRLs" in OIF EM.
  However, I'm not sure what "public key needs to be exchanged" means. Could you please tell me what to do? or, are you saying public key is part of certificate and it exchanged by exchangeing certificate?
  Thanks

• Netbios names on exchange certificates

  Hi, 
  Is it not best practice to include the server netbios name in the SAN on the Exch 2013 SSL cert? Also is it even supported as I see some suggestions that netbios names on exchange certs is not often supported by online certificate authorities.
  Thanks 

  Hello,
  Since the certificate SAN name can be seen by public. If any security issues are not cared, it’s fine to add it to the SAN name.
  More information and best practices for Exchange Certificate in:
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  Thanks,
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Simon Wu
  TechNet Community Support

• Assign the same service to two different Exchange certificates?

  I'm not sure who once set this up. So I was wondering why 2 certificates both got the smtp service

  Hi I was wondering what happens when you assign the same service to 2 exchange certificates? I couldn't really find anything on this. Hope someone here got an answer. thanks!
  This topic first appeared in the Spiceworks Community

• Public certificate for lync/exchange

  Hi guys,
  I need to buy public certificate for lync 2013. Shall I include SAN name for my Office web apps(OWA) too ? which currently included in my Exchange SAN certificate.
  anyone has good links on configure lync with existing exchange 2013 ? and also link to configure lync edge in order for external access. our plan to use windows 2012 R2.
  this is 1st time for me to configure lync and I need help. thx

  Hi Developer_75,
  Agree with Thamaraw, You can include all SAN records in to a single certificate.
  And there are some links for your reference.
  Integrating Microsoft Lync Server 2013 and Microsoft Outlook Web App 2013
  Configuring Microsoft Exchange Server 2013 Unified Messaging for Microsoft Lync Server 2013 voice mail
  Configuring the use of high-resolution photos in Microsoft Lync Server 2013
  Lync External Access
  Best regards,
  Eric

• Office web Apps server Lync 2013 Certificate

  Hi,
   I'll be installing Office web app (OWA) server with Lync 2013 std edition. External users access is disabled but federation is enabled, mean OWA will be exposed to internet as wabweb.contoso.com, the interal host name of OWA server is owa.contoso.local
  Does the certificate on the on OWA server need to have owa.contoso.local and certificate principle name and wabweb.contoso.com as SAN? or only owa.contoso.local is enough?

  It really depends on how you publish the server to the internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with .local on it and the public name on the reverse proxy.  If you are
  punching a firewall hole/NAT directly to the server your best option is to use a public cert on that server directly.
  That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play).  So I would actually enter the OWAS Farm as wabweb.contoso.com in topology builder, than
  when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
  Richard
  Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Exchange certificates and services setup for internal and external clients access on separate domains.

  I have the following on my local network.
  Server DomainA -> Small Business server 2003/Exchange 2003
  Server DomainB -> Windows 2008 R2/Exchange 2013
  Clients Domain A ->  Windows XP/Outlook 2003
  Clients Domain B -> Windows 7/Outlook 2007/2010
  Problem:  I want clients from DomainA to log into Exchange on DomainB on the same local network.
  I need to know how to setup the DNS on both domains and the certificates on the DomainB Exchange server
  to accept the connection from the PC on domainA.   All connections from clients on domainB to server on domainB
  work correctly but when adding accounts to Outlook 2003/2007 on domainA clients I am getting certificate errors.
  I have purchased certificates for mail.domainb.com and autodiscover.domainb.com but I dont know how to get 
  the clients on domainA to recognize those external URL's of the exchange server (with the certificates bound to them) from the internal network. Hence I get domain errors.
  I am getting issues when a client on DomainA tries to add an Outlook mail profile to connect to the Exchange on DomainB
  Any suggestions on how to set this up?
  thanks

  Domain A & Domain B are two separate AD Forests?
  Users in Domain A either need mailbox-enabled user accounts that are in DomainB or a linked mailbox in Domain B to utilise the Exchange Server in DomainB. In either case with the help of the autodiscover service user can use the services in ExchangeB. 
  If the client machines are member of domainA and you are trying to access ExchangeB you will then need to leverage a custom XML file for autodiscover and force the Outlook client to use this file. 
  <?xml version="1.0" encoding="utf-8"?> 
  <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> 
    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> 
      <Account> 
        <AccountType>email</AccountType> 
        <Action>redirectUrl</Action> 
        <RedirectUrl>https://autodiscover.domain.com/autodiscover/autodiscover.xml</RedirectUrl> 
      </Account> 
    </Response> 
  </Autodiscover>
  Then you need to configure the client machine to query that XML file by adding the following registry key:
  Refer to XML file
  for Outlook 2007:
  HKCU\Software\Microsoft\Office\12.0\Outlook\Autodiscover
  for Outlook 2010:
  HKCU\Software\Microsoft\Office\14.0\Outlook\Autodiscover
  STRING_value <your_namespace> = path to XML file
  you can find more information in the following link.
  Controlling Outlook Autodiscover behavior
  http://blogs.technet.com/b/kristinw/archive/2013/04/19/controlling-outlook-autodiscover-behavior.aspx
  CK