In my previous two posts (Communicator Automatic Sign-In Part 1 and Part 2) I explored two common pitfalls in getting Office Communicator 2007 Automatic Sign-In to work with OCS 2007. In this post I explain one last hurdle: ensuring that the client trusts the Certificate Authority (CA) that issued the certificate used on the OCS 2007 server. If the Office Communicator client does not trust that CA, sign-in fails with the error “There was a problem verifying the certificate from the server”.
This is often an issue in environments that use certificates from an internal (private) CA, especially when the Communicator client sits in a different AD forest than the issuing CA (e.g. lab environments). Strictly speaking, a self-signed certificate is one signed with its own key; what is usually meant by the term in this context is a certificate issued by a CA that is not well known, i.e. not one of the CAs that the major browsers and operating systems trust out of the box (VeriSign and Entrust are examples of well-known CAs). The problem is the same either way: the client has no copy of the issuer’s certificate in its trusted root store.
Well-known CAs have the advantage of usually being trusted by client computers automatically. You can see the CAs a Windows client trusts by default in Internet Options (open Internet Explorer and navigate to Tools | Internet Options | Content | Certificates, then the Trusted Root Certification Authorities tab) or by running certmgr.msc.
Certificates for an OCS 2007 environment can be created, issued, and used with Microsoft Certificate Services (http://msdn.microsoft.com/en-us/library/aa376539(VS.85).aspx), which ships with Windows Server 2000 and 2003. During installation, Microsoft Certificate Services is given a name, and every certificate issued by that server carries that name in its Issued By field and is signed with that CA’s private key. The name alone is not what the client checks, however: when it validates the server certificate it looks for a trusted root certificate whose public key verifies the signature, so the client needs the CA’s actual certificate, not merely a certificate with a matching name.
A crucial requirement for Office Communicator clients to work is that the client must trust the CA that issued the certificate being used on the OCS 2007 server the client is connecting to. “Trust” in this scenario means the CA’s certificate is present in the Trusted Root Certification Authorities store on the client machine (the current user’s store or, better, the local computer’s store so that it applies to every user of that machine).
An easy way to achieve this trust is to import the CA’s certificate into the client’s trusted root store. What you need is the CA certificate itself (or the OCS server’s certificate together with its certification path), not the OCS server’s private key: a PFX containing that private key must never be copied to client machines, because anyone who obtains it can impersonate the server. On most Windows clients this can be done as follows:
1. Export the CA certificate to a file. On the CA run certutil -ca.cert, or on the OCS 2007 server open the server certificate, go to Certification Path, select the root CA entry, click View Certificate, then Details | Copy to File and export it as DER (.cer). If you export the OCS server’s own certificate instead, choose “No, do not export the private key” and tick “Include all certificates in the certification path if possible”; a .cer export has no password.
2. Make the file available on the client machine.
3. Double-click the certificate file on the client desktop. This will launch the Certificate Import Wizard. Choose “Place all certificates in the following store” and select Trusted Root Certification Authorities (leaving the wizard on automatic selection can put a server certificate into the Personal store, where it does nothing for trust).
4. After a series of dialogs there is a security warning before the import happens: Windows tells you that you (the client) are about to install a certificate from a certification authority claiming to represent the CA by name, and that it cannot validate that the certificate is actually from that CA. Compare the thumbprint shown with the one on the CA before accepting; this warning is the only point at which a bogus root would be caught.
The client will now trust all certificates issued by your CA. For more than a handful of machines, publish the root certificate through Group Policy (Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Trusted Root Certification Authorities) or with certutil -dspublish -f RootCA.cer RootCA, so that domain members pick it up automatically instead of being imported by hand.
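The same procedure scripted in PowerShell, as an added example that is not part of the original post. The CA name “labca.example.local\Lab Root CA”, the pool name “ocspool.example.local” and the C:\temp path are assumed placeholders. It exports the CA certificate rather than the server’s private key, installs it in the machine-wide Trusted Root store, and then checks from the client side that the certificate the pool presents on the SIP/TLS port chains to a trusted root and matches the name, which is the check Communicator performs at sign-in.

```powershell
# Added example, not from the original post. Hypothetical names:
# CA "labca.example.local\Lab Root CA", OCS pool "ocspool.example.local".

# 1. On the CA (or any machine with the CA tools): export the CA's OWN certificate.
#    -ca.cert writes the public CA certificate in DER form; no private key, no password.
certutil -config "labca.example.local\Lab Root CA" -ca.cert C:\temp\LabRootCA.cer

# 2. On the client (run elevated): put it in the machine-wide Trusted Root store so
#    every user on the box trusts the CA. Compare the SHA1 hash certutil prints with
#    the thumbprint shown on the CA before doing this.
certutil -addstore -f Root C:\temp\LabRootCA.cer

# Domain-wide alternative: publish once and domain members pick it up automatically.
# certutil -dspublish -f C:\temp\LabRootCA.cer RootCA

# 3. Verify without Communicator: fetch the certificate the pool presents on the
#    SIP/TLS port and build the chain the same way the client's CryptoAPI will.
function Test-OcsServerCertificate {
    param([string]$Server = "ocspool.example.local", [int]$Port = 5061)

    $global:OcsSslPolicyErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept whatever is presented so the handshake completes and we can inspect it;
    # the policy errors (untrusted root, name mismatch) are saved for reporting.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $global:OcsSslPolicyErrors = $errors; $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Isolate the trust question; lab CAs often have CRLs the client cannot reach.
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $trusted = $chain.Build($cert)

    Write-Host ("Issued To : " + $cert.Subject)
    Write-Host ("Issued By : " + $cert.Issuer)
    Write-Host ("TLS policy errors : " + $global:OcsSslPolicyErrors)   # "None" is what you want
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  " + $s.Status + ": " + $s.StatusInformation.Trim())   # e.g. UntrustedRoot
    }
    return $trusted   # $true only when the chain ends at a certificate in the Root store
}

Test-OcsServerCertificate
```

Run the first certutil command on the CA and the rest on a client. If Test-OcsServerCertificate returns False and lists UntrustedRoot, the CA certificate did not land in the Root store the client actually uses (check CurrentUser versus LocalMachine). If it returns True but the TLS policy errors show RemoteCertificateNameMismatch, trust is fine and the remaining problem is that the certificate’s subject does not match the pool name, a separate requirement covered in the planning guide below.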
Update: in August 2009, Microsoft released an excellent white paper clearly describing the certificate requirements for OCS: Deploying Certificates in Office Communications Server 2007 and Office Communications Server 2007 R2 (the link refers to a collection of OCS documentation – scroll down to find the ”OCS 2007 R2 Deploying Certificates.doc“).
For more information on the other OCS client/server certificate requirements that need to be met, see page 57 of the Microsoft® Office Communications Server 2007 Planning Guide (http://www.microsoft.com/downloads/details.aspx?familyid=723347c6-fa1f-44d8-a7fa-8974c3b596f4&displaylang).
Note: Microsoft KB article 929395 (http://support.microsoft.com/kb/929395) lists partner companies that provide certificates meeting the requirements to work with OCS 2007 and Exchange 2007.