Lync Users Can’t Download Address Book if Certificate Uses CNG
During the building of a greenfield Lync infrastructure, I ran into a problem where no users could download the address book. But everything related to the certs appeared to be correct. CN and SANs were correct, entire cert chain was valid, private keys were there, certs were in the correct stores and assigned in Lync, services started, etc. I also used Jeff Guillet’s Script to Force Download of the Lync Address Book to help speed up the troubleshooting. A considerable amount of troubleshooting went into the issue, and ultimately required a PSS ticket. After a couple of days of back and forth checking and testing, we narrowed it down.
It turns out that a bug with the CA was causing the certs it was generating to include Cryptography Next Generation (CNG). Web components in Lync, including Address Book & Group Expansion, use .Net 3.5. And .Net 3.5 does not support CNG.
Here’s how to check a certificate for CNG:
Open the Certificates snapin in MMC, and locate the certificate you’d like to inspect. Click on the Details tab and note the serial number:
Certificate serial number
Open a command prompt and type the following, using the serial number from above without the spaces:
Certutil -v -store my "<certificate serial number>" >Lync_Cert.txt
Next, open Lync_Cert.txt in notepad and look for “CERT_KEY_PROV_INFO_PROP_ID(2):”
A certificate with CNG will have the following:
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = le-WebServer2yearv1.0-88442436-55a3-4627-ae3c-3aff914e6153
Unique container name: bdab748e31b2984e0ebe29e7b6839a7f_6418452a-074c-4888-af0e-b969abbc3435
Provider = Microsoft Software Key Storage Provider
ProviderType = 0
Flags = 20
KeySpec = 0
But it should look like this:
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = le-WebServer2yearv1.0-88442436-55a3-4627-ae3c-3aff914e6153
Unique container name: bdab748e31b2984e0ebe29e7b6839a7f_6418452a-074c-4888-af0e-b969abbc3435
Provider = Microsoft RSA SChannel Crytographic Provider
ProviderType = C
Flags = 20
KeySpec = 1 — AT_KEYEXCHANGE
If the cert has CNG, you must request a new certificate without it.
PSS ultimately confirmed that this was a bug in the CA. We created a new template based on the WebServer template in the CA infrastructure, and generated new certs from that. Once I had correct certs installed, the problem instantly went away.
Hopefully, this might aid someone else having this issue.
I had a different certificate-related issue with Lync, and it turned to be that Lync only supports the “sha1RSA” signature algorithm, but in my case the certificate had “RSASSA-PSS” signature algorithm, and this caused the weirdest kind of issues until the certificate was replaced with a must-to-be-working sha1RSA-type. There was no clear supportability statement from MS if “RSASSA-PSS” is a supported certificate or not (to be honest, the supportability statement is a joke in terms of certificates). As I opened a support case at MS, this issue received some headsup, and maybe by the time Wave15 is out (unfortunately MS is very slow at responding to such things) I hope there will be a proper documented way how certificates are supported in Lync 2012 (I hope MS can hire some PKI guru to lecture the document, otherwise it will still suck).
Hi Richard,
I’m struggling with a strange issue and I think it’s related to the signature algorithm of my certs. I can’t transfer calls, is that what you had?
regards
No – I had the issue described above.
hello expert
my output shows this value. does it correct or wrong? as i have same address book problem.
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = cb0c86f32c106a276298b610041c0b50_f3ff0102-7a13-41b1-aeb2-eb665ea697bf
Simple container name: le-9404cd05-4883-4924-bf81-326c9969a80b
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20
KeySpec = 1 — AT_KEYEXCHANGE
if it is wrong .. could you please give me the process to regenerate new certifcate. .. i am not much good in certificate part
Sadly, this remains an issue even in Lync 2013. For anyone out there needing help, here is how you can solve this if you don’t already know.
Go into your domain’s CA and open the Manage Certificate Templates interface. Duplicate the Web Server template. Upon duplication select Windows Server Enterprise 2003 Enterprise instead of 2008. This will give you the correct provider mentioned in the JasonHindson post and the sites he references. Under security tab for the new template add your Lync computer and ensure Enroll is checked. Back in the CA Cert Template right click and select New -> Certificate Template to Issue. Select the new template. On the Lync machine’s MMC cert add-in, machine -> personal when you go to request a certificate you will see the correct template. Remember to add your alternate names for LyncdiscoverInternal, lyncdiscover, your dialin, and meet. That’s it.