Microsoft Lync Server Certificates: What's New & Tips

Like its predecessor, Microsoft OCS, Microsoft Lync Server 2010 relies heavily on PKI certificates to allow servers to verify their identity in TLS connections with clients, and in mutual TLS (MTLS) connections to other servers.

Unlike in OCS, certificates cannot be viewed or managed directly in the management console. Nowhere in the Lync Control Panel can you view certificate details by right-clicking the properties of a Lync server role, and they are not present in the new Lync Topology Builder either.


Viewing Certificates in Lync Server

There are two primary ways to see which certificates are in use on a particular Lync server, and the associated certificate details:

  1. On any Lync server role, run the Lync Server Deployment Wizard, click on “Install or Update Lync Server System”, and run Step 3: Request, Install or Assign Certificates. This will bring up the Certificate Wizard which will list and manage all the certificates on this Lync server. You can also request a certificate from an internal CA, or assign an existing certificate from this wizard.
  2. Use the PowerShell cmdlet Get-CsCertificate from the Lync Management Shell.
    • TIP: you need to view all properties of the certificate objects returned to see the SANs. You can do this with Get-CsCertificate | fl -Property *

Note: by default, a Standard Edition Lync Front-End server will use 3 certificates to support sign-in and internal and remote access to Web Services (formerly known as Web Components):

  1. Default Certificate: the certificate used for clients to logon to the Front-End
  2. Web internal certificate:  this certificate is used for HTTP/HTTPS requests to the internal Web Services (including Simple URLs).
  3. Web external certificate: this certificate is used when remote clients (outside the firewall) access the web services via the reverse proxy.

In many cases you can use the same certificate for different purposes.

Tip – if you need to quickly and remotely see the details of a particular port on a Lync (or OCS) server, you can use my Remote UC Troubleshooting Tool (RUCT) V1.  The “Certificate Information” tab allows you to remotely query any port and retrieve all of the certificate information including the certificate chain.


New Subject Alternative Name (SAN) Entries Required

Most Lync certificate requirements are similar to those of OCS. One significant difference is the requirement to add the FQDNs of the Simple URLs to the SAN of the certificates used for the Internal and External Web Services.

For example, if your SIP domain is example.com, and you have configured the Simple URLs to be https://meet.example.com, https://dialin.example.com, and https://admin.example.com, the SAN on the certificate used on the Internal and External Web Services needs to have:

  • meet.example.com
  • dialin.example.com
  • admin.example.com

Note: in addition to the Simple URLs, you also need a SAN entry for the external-facing web services FQDN, e.g. webext.example.com.

The Web Services will run on either a Front-End server or a Director. If you have configured multiple Simple URLs for Meetings, Dial-in, and Administration, you need to add the FQDN of every Simple URL.


TIP – In the Lab – Watch those Time Zones

If you installed Lync in a lab environment, and your first sign-in experience yields the infamous “There was a problem verifying the certificate from the server”, check the time-zone(s) on your lab machines before you chase down more potentially complex certificate issues.

As you can see in the screen shot below, this certificate in my lab was invalid because the "valid from" date was a date in the future!

[Screenshot: Lync Invalid Certificate]

Sure enough, my DC had an incorrect time zone, which was not obvious because the clock time itself was correct; only the time zone was wrong.

It was happy Lync’ing after I set the time zone correctly and re-issued and re-assigned the certificate on the Lync Front-End.
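The SAN rule from the previous section and the "valid from in the future" symptom above can both be checked mechanically. The following is an added example, not code from the original post or from Lync itself; it assumes the certificate has been fetched into the dictionary layout that Python's ssl getpeercert() returns, and the sample certificate and Simple URLs are constructed for illustration.

```python
"""Added example (not from the original post): check a Lync Web Services
certificate against the SAN and validity rules described above."""
import ssl
import time
from urllib.parse import urlparse

def cert_time(text):
    """Epoch seconds for a notBefore/notAfter string in getpeercert() format."""
    return ssl.cert_time_to_seconds(text)

def san_dns_names(cert):
    """DNS entries of the SAN, from a dict in ssl getpeercert() layout."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}

def name_matches(pattern, fqdn):
    """Exact match, or a single-label wildcard SAN such as *.example.com."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == pattern[2:]
    return pattern == fqdn

def check_web_services_cert(cert, simple_urls, external_web_fqdn, now=None):
    """Return the problems found (empty list = the certificate passes).
    simple_urls: the configured https:// Simple URLs; external_web_fqdn: the
    external Web Services FQDN that remote clients reach via the reverse proxy."""
    now = time.time() if now is None else now
    required = {urlparse(u).hostname for u in simple_urls} | {external_web_fqdn}
    present = san_dns_names(cert)
    problems = [f"missing SAN entry: {fqdn}" for fqdn in sorted(required)
                if not any(name_matches(p, fqdn) for p in present)]
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    if not_before > now:  # the lab symptom above: clock or time-zone skew
        hours = (not_before - now) / 3600
        problems.append(f"valid-from is {hours:.1f}h in the future; check the time zone")
    if not_after < now:
        problems.append("certificate has expired")
    return problems

# Constructed sample in getpeercert() layout; admin Simple URL and webext are absent.
SAMPLE_CERT = {
    "subject": ((("commonName", "lyncpool.example.com"),),),
    "subjectAltName": (("DNS", "lyncpool.example.com"), ("DNS", "meet.example.com"),
                       ("DNS", "dialin.example.com")),
    "notBefore": "Feb 10 12:00:00 2011 GMT",
    "notAfter": "Feb 10 12:00:00 2013 GMT",
}
SIMPLE_URLS = ["https://meet.example.com", "https://dialin.example.com",
               "https://admin.example.com"]
```

Against a live server, the same dictionary comes from wrapping a socket with ssl.create_default_context() and calling getpeercert() on it, which is the kind of remote port query the RUCT tab performs.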


Additional Information

Microsoft TechNet articles on Lync Server Certificate Requirements:

  • Certificate Infrastructure Requirements (http://technet.microsoft.com/en-ca/library/gg398066.aspx)
  • Certificate Requirements for Internal Servers (http://technet.microsoft.com/en-us/library/gg398094.aspx)
  • Certificate Requirements for External User Access (http://technet.microsoft.com/en-us/library/gg398920.aspx)

The Microsoft Lync PowerShell blog has a good post with information on Get-CsClientCertificate and Revoke-CsClientCertificate: http://blogs.technet.com/b/csps/archive/2010/11/16/haikudefault.aspx.

This is one of the best guides available for OCS and Lync certificate requirements: Office Communications Server 2007 and 2007 R2 Certificate Guide.doc.

A great blog post about the use of wildcards in Lync server certificates: Wildcard Certificates in Lync Server.


10 comments to Microsoft Lync Server Certificates – What’s New & Tips

  • Hi Shelly,

    Your question got caught in the SPAM filter for comment moderation and I didn’t see it until now.

    Your question is a good one, and it depends on your environment. You could likely use a single certificate *internally* for the following (which meets most of your requirements):

    1] The simple URLs (dialin, meet, admin)
    – the FQDN of each simple URL should be listed as a SAN

    2] Automatic Lync client login (the DNS SRV record could point to sip.lync.com)
    – normally this points to the internal pool name; sip.company.com will work though

    3] A/V and WebConf
    – I believe you will need the FQDN of where your web services reside (see the Web services properties on your pool in the Topology Builder).

    4] Internal Lync Mobility
    – you will likely require LyncdiscoverInternal.company.com and lyncdiscover.company.com

    The golden rule for the Subject Name (SN) is that whatever hostname your automatic logon internal DNS SRV record resolves to should be an exact match for the SN or you’ll get certificate issues on client logon.

    Your ‘lyncextweb’ reference refers to a Lync external service, and the certificate requirements on the Edge are different and you will likely require a separate certificate for that.

    If you still have questions, this is a good topic to expose to a wider expertise on the Microsoft Lync Forums at http://social.technet.microsoft.com/Forums/en-CA/category/ocs.

    Also see these Technet articles: 1] Certificate Requirements for Internal Servers (http://technet.microsoft.com/en-us/library/gg398094.aspx) and 2] Certificate Requirements for External User Access (http://technet.microsoft.com/en-us/library/gg398920.aspx).

    Hope this helps,
    Curtis

  • shelly

    Hi Curtis,
    Nice blog. Can I use a single certificate for all the URLs (sip, av, webconf, lyncdiscover, dialin, meet, lyncextweb) with sip.lync.com as the SN?

    Thanks.

  • anoopcv

    How to create the following certificates for Cisco VCS integration:
    1. root CA certificate, private key & server certificate

  • Manoj Charaya

    Need help on how to generate a certificate request for External and Internal Communicator Web Access (CWA) in Lync 2010, which is collocated on the Front End (Standard Edition). We do not have a split-brain DNS for internal and external users.
    Also, I would like to have step-by-step information on how to publish the external and internal CWA URLs through TMG 2010.

  • Good question Mike, this has come up in several forums/threads.

    Here is the latest answer I have seen from credible sources:

    A wildcard in the Subject Name (SN) technically works in a pure Lync 2010 deployment. It is not supported by Microsoft however because there are known interop issues with OCS 2007 R2, OCS 2007, and LCS 2005. This holds true for the External facing Edge. It is supported on the Internal facing Edge (but not a big benefit since the cert on the internal Edge is usually issued by an internal CA).

    Wildcards are supported in the Subject Alternative Name (SAN) for some scenarios such as supporting the Lync Simple URLs.

    Worthy of a blog post at some point :-)

    Feb 15, 2010 Update - here is a really good recent post on this subject by MVP Jeff Schertz: http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/.

  • Mike Pagan

    Is it supported to use wildcard certificates for a Lync deployment or one SAN cert (to rule them all)? Not that I don’t like to spend my customer’s money but if I can reduce the number/cost of certificates I think it’d be a good thing.

    Mike

  • Thanks Dr. Rez! Great facebook page.

  • Thanks Dennis,
    I was trying to highlight just the need for the additional Simple URL SAN entries since that is completely new in Lync, but I added a reminder note for the external web services entry – which is also needed to expose the address book and distribution group expansion to external (aka remote) clients.

    Curtis

  • Nice post – You miss the SAN for External Web Services in your example though e.g. webext.example.com
