Home > Lync Server/Skype for Business Server > Lync Users Can’t Download Address Book if Certificate Uses CNG

Lync Users Can’t Download Address Book if Certificate Uses CNG

During the building of a greenfield Lync infrastructure, I ran into a problem where no users could download the address book. But everything related to the certs appeared to be correct. CN and SANs were correct, entire cert chain was valid, private keys were there, certs were in the correct stores and assigned in Lync, services started, etc. I also used Jeff Guillet’s Script to Force Download of the Lync Address Book to help speed up the troubleshooting. A considerable amount of troubleshooting went into the issue, and ultimately required a PSS ticket. After a couple of days of back and forth checking and testing, we narrowed it down.

It turns out that a bug with the CA was causing the certs it was generating to include Cryptography Next Generation (CNG). Web components in Lync, including Address Book & Group Expansion, use .Net 3.5. And .Net 3.5 does not support CNG.

Here’s how to check a certificate for CNG:

Open the Certificates snapin in MMC, and locate the certificate you’d like to inspect. Click on the Details tab and note the serial number:

Certificate serial number

Certificate serial number

Open a command prompt and type the following, using the serial number from above without the spaces:

Certutil -v -store my "<certificate serial number>" >Lync_Cert.txt

Next, open Lync_Cert.txt in notepad and look for “CERT_KEY_PROV_INFO_PROP_ID(2):”
A certificate with CNG will have the following:

CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = le-WebServer2yearv1.0-88442436-55a3-4627-ae3c-3aff914e6153
Unique container name: bdab748e31b2984e0ebe29e7b6839a7f_6418452a-074c-4888-af0e-b969abbc3435
Provider = Microsoft Software Key Storage Provider
ProviderType = 0
Flags = 20
KeySpec = 0

But it should look like this:

CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = le-WebServer2yearv1.0-88442436-55a3-4627-ae3c-3aff914e6153
Unique container name: bdab748e31b2984e0ebe29e7b6839a7f_6418452a-074c-4888-af0e-b969abbc3435
Provider = Microsoft RSA SChannel Crytographic Provider
ProviderType = C
Flags = 20
KeySpec = 1 — AT_KEYEXCHANGE

If the cert has CNG, you must request a new certificate without it.

PSS ultimately confirmed that this was a bug in the CA. We created a new template based on the WebServer template in the CA infrastructure, and generated new certs from that. Once I had correct certs installed, the problem instantly went away.

Hopefully, this might aid someone else having this issue.

  1. Richard
    February 23rd, 2012 at 23:15 | #1

    I had a different certificate-related issue with Lync, and it turned to be that Lync only supports the “sha1RSA” signature algorithm, but in my case the certificate had “RSASSA-PSS” signature algorithm, and this caused the weirdest kind of issues until the certificate was replaced with a must-to-be-working sha1RSA-type. There was no clear supportability statement from MS if “RSASSA-PSS” is a supported certificate or not (to be honest, the supportability statement is a joke in terms of certificates). As I opened a support case at MS, this issue received some headsup, and maybe by the time Wave15 is out (unfortunately MS is very slow at responding to such things) I hope there will be a proper documented way how certificates are supported in Lync 2012 (I hope MS can hire some PKI guru to lecture the document, otherwise it will still suck).

    • Melek
      February 6th, 2014 at 15:44 | #2

      Hi Richard,
      I’m struggling with a strange issue and I think it’s related to the signature algorithm of my certs. I can’t transfer calls, is that what you had?

      regards

      • Pat Richard
        February 6th, 2014 at 15:45 | #3

        No – I had the issue described above.

  2. manoj
    April 20th, 2012 at 08:58 | #4

    hello expert

    my output shows this value. does it correct or wrong? as i have same address book problem.

    CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = cb0c86f32c106a276298b610041c0b50_f3ff0102-7a13-41b1-aeb2-eb665ea697bf
    Simple container name: le-9404cd05-4883-4924-bf81-326c9969a80b
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
    Flags = 20
    KeySpec = 1 — AT_KEYEXCHANGE

  3. manoj
    April 20th, 2012 at 08:59 | #5

    if it is wrong .. could you please give me the process to regenerate new certifcate. .. i am not much good in certificate part

  4. Will
    March 20th, 2013 at 20:27 | #6

    Sadly, this remains an issue even in Lync 2013. For anyone out there needing help, here is how you can solve this if you don’t already know.

    Go into your domain’s CA and open the Manage Certificate Templates interface. Duplicate the Web Server template. Upon duplication select Windows Server Enterprise 2003 Enterprise instead of 2008. This will give you the correct provider mentioned in the JasonHindson post and the sites he references. Under security tab for the new template add your Lync computer and ensure Enroll is checked. Back in the CA Cert Template right click and select New -> Certificate Template to Issue. Select the new template. On the Lync machine’s MMC cert add-in, machine -> personal when you go to request a certificate you will see the correct template. Remember to add your alternate names for LyncdiscoverInternal, lyncdiscover, your dialin, and meet. That’s it.

  1. October 18th, 2011 at 13:08 | #1
  2. December 9th, 2014 at 10:59 | #2