A crucial setting to make automatic Office Communicator sign-in work is ensuring that the correct Subject Name (and possibly Subject Alternative Name) is specified on the certificate which resides on the OCS server where the Communicator client connects (e.g. on the Front-End or Director role). When you look at the Certificate details, the Subject Name is listed as the “Subject” property.
The basic requirement for the Subject Name on the certificate is that it match the DNS FQDN of the hostname that the client is connecting to. For example, if Office Communicator determines that it needs to connect to the FQDN host1.example.com, the Subject Name on the certificate should be host1.example.com.
Note: the actual requirement is that the Common Name (CN) portion of the Subject Name matches the DNS FQDN, but many documents use Subject Name and Common Name interchangeably (the Common Name is just the CN portion of the SN).
Certificates also have one or more Subject Alternative Names (SANs) which specify alternate hostname(s) that the host can be known as. Generally speaking, if the correct FQDN does not match the SN, but is listed as one of the SANs, the certificate naming requirement will be satisfied. For OCS clients connecting to an Enterprise pool, the pool name must be the Subject Name.
The primary use for this certificate check is for security purposes. It allows the client to be sure that the server it wants to connect to is indeed that server. Think of a server certificate as a passport for that server – it validates its identity to all the clients that use it.
Two factors can make setting the proper SN confusing:
- Using OCS 2007 Standard Edition vs. Enterprise.
- Use of a Director (between the client and OCS 2007 server).
As a general rule, the Subject Name of the certificate should match the fully qualified hostname of the first OCS server the client connects to. If it is an enterprise edition deployment, the Subject Name should be the FQDN of the enterprise pool.
FYI – Hardware Load Balancers (HLBs) do not affect the SN on the certificate. HLBs just pass the connection through to the OCS server.
The following table summarizes the Subject Name requirement on the certificate for different OCS deployments:
| Situation | With Director | With HLB | Certificate Subject Name (SN/CN) |
|---|---|---|---|
| Standard Edition Server | | | Front-End FQDN |
| Standard Edition Server | Yes | | Director FQDN |
| Consolidated Enterprise Pool | | | Pool FQDN |
| Consolidated Enterprise Pool | Yes | | Director FQDN |
| Consolidated Enterprise Pool | | Yes | Pool FQDN |
| Expanded Enterprise Pool | | Yes | Pool FQDN |
| Expanded Enterprise Pool | Yes | | Director FQDN |
| Expanded Enterprise Pool | Yes | Yes | Director FQDN |
Note: For an Enterprise Pool, the Subject Alternative Name (SAN) should include an entry for each supported SIP domain in the format sip.<domain> if you selected either of these options when creating the pool with the Configure Pool Wizard: 1) Configure Clients for Automatic Sign-In, or 2) Configure this pool to redirect sign-in requests. If you have multiple SIP domains and use the OCS certificate wizard, it will automatically add “sip.domain.com” to the SAN for all supported SIP domains.
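The naming rules above (CN must match the FQDN the client connects to, a SAN match is acceptable except for an Enterprise pool name, and a sip.<domain> SAN per SIP domain for automatic sign-in) can be checked mechanically. The following is an added example, not code from the original post or from InsideOCS; it works on the dictionary shape Python's `ssl.getpeercert()` returns, so the same check runs against a constructed sample here or against a live certificate via the `fetch_peer_cert` helper (port 5061 for SIP/TLS and the `cafile` parameter are assumptions):

```python
import socket
import ssl

def cert_names(cert):
    """Return (common_name, {dns_sans}) from an ssl.getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value.lower()
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return cn, sans

def check_ocs_cert(cert, connect_fqdn, enterprise_pool=False, sip_domains=()):
    """List naming problems for the FQDN the client connects to; [] means it passes.
    enterprise_pool=True means connect_fqdn is a pool name, which must be the CN itself;
    sip_domains lists SIP domains that need a sip.<domain> SAN for automatic sign-in."""
    problems = []
    cn, sans = cert_names(cert)
    fqdn = connect_fqdn.lower()
    if cn is None:
        problems.append("certificate has no Common Name in its Subject")
    elif cn != fqdn:
        if fqdn not in sans:
            problems.append(f"neither CN {cn!r} nor any DNS SAN matches {connect_fqdn!r}")
        elif enterprise_pool:
            problems.append(f"pool name {connect_fqdn!r} is only a SAN; a pool name must be the CN")
    missing = sorted({f"sip.{d.lower()}" for d in sip_domains} - sans)
    if missing:
        problems.append("SAN lacks automatic sign-in entries: " + ", ".join(missing))
    return problems

def fetch_peer_cert(fqdn, port=5061, cafile=None, timeout=5):
    """Live helper: fetch the certificate an endpoint presents (port 5061 = SIP/TLS, assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your enterprise CA chain
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

# Constructed sample: a Director certificate in front of an Enterprise pool (not a real deployment).
SAMPLE_DIRECTOR_CERT = {
    "subject": ((("commonName", "director.example.com"),),),
    "subjectAltName": (("DNS", "director.example.com"), ("DNS", "sip.example.com")),
}

if __name__ == "__main__":
    for fqdn, pool in (("director.example.com", False), ("pool1.example.com", True)):
        print(fqdn, check_ocs_cert(SAMPLE_DIRECTOR_CERT, fqdn, pool, ["example.com", "contoso.com"]) or "OK")
```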
In August 2009, Microsoft released an excellent white paper clearly describing the certificate requirements for OCS: Deploying Certificates in Office Communications Server 2007 and Office Communications Server 2007 R2 (the link refers to a collection of OCS documentation – scroll down to find the “OCS 2007 R2 Deploying Certificates.doc”).
InsideOCS has a free download tool (the Automatic Sign-In Troubleshooting Tool) that will query for all of the automatic sign-in DNS records and show which ones exist, and which one will be used.
For more details on the automatic sign-in process and its requirements, see:
Hey, cool tips. Perhaps I’ll buy a glass of beer to the man from that forum who told me to go to your site
[...] 23, 2008 by Curtis Johnstone In two previous posts (Communicator Automatic Sign-In Part 1 and Part 2) I explored two common pitfalls to make Office Communicator 2007 Automatic Sign-In work with OCS [...]