Keep Your Lync Public certificates up to date.

Here is one reason why you should clean up the SANs in your certificates. I experienced a scenario where a customer moved from one hosting provider to another and was unable to federate after the move.

This is not about defining these hosting providers in the “hosting provider” configuration in Lync. That is needed when your domain is not listed in the SAN of the edge server certificate, or more precisely when the FQDN of the Lync Access Edge server is not in the same domain as your SIP domain. The image below shows the configuration. Two SIP domains (domain.sip and Company.sip) are hosted by the provider on the left. Partner1.sip is hosted by the provider on the right. All three companies were able to federate.

[Figure lynccert1: federation layout before the move]

At some point “domain.sip” moved their Lync solution to the provider on the right-hand side. This new provider did the Lync installation by the book: they added an extra SAN to their Lync edge server public certificate to reflect the new SIP domain, and the required DNS records were updated with the new IP addresses.

[Figure lynccert2: federation layout after the move]

As we can “see” in the figure above, the hosting provider on the left has removed the “domain.sip” domain from their Lync topology. They have not removed the SAN from the certificate.

At this point users in “domain.sip” complain that they are unable to federate with users in the “Company.sip” domain. They can, however, federate with everyone else.

Logging returns some sort of error saying that there is no tag about a domain split. At this point we were sure that something left behind at the old provider was causing this. After some days I remembered that the Lync edge server writes an entry in Event Viewer describing which domains it has found by parsing the SANs of certificates on incoming connections.

I used DigiCert’s SSL validator and discovered that the old domain was still left in the certificate from the old provider. Asked them to clean this up and … yup, that was it. Federation is now working.

And yes, I tried adding the other ASP as a “hosting provider”, and also tried adding all of them as “allowed domains”, but removing the SAN was the solution.
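As an added example (not from the original post, and not a Microsoft tool), here is a small Python check that pulls each provider's Access Edge certificate, collects its SAN names and reports SIP domains that more than one provider's certificate still claims, which is exactly the stale-SAN situation described above. The function names, the port and the suffix-matching rule (a SAN such as sip.domain.sip claims domain.sip) are my assumptions; the sample data is constructed.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a certificate dict in ssl.getpeercert() format."""
    return {n.lower() for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"}


def fetch_san_dns_names(host, port=5061, timeout=5):
    """Open a TLS session to an Access Edge server and return its SAN names."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_dns_names(tls.getpeercert())


def san_claims_domain(san_name, sip_domain):
    """Assumed rule: a SAN claims a SIP domain when it is the domain itself
    or a host inside it (sip.domain.sip, *.domain.sip)."""
    san_name = san_name.lower().lstrip("*").lstrip(".")
    sip_domain = sip_domain.lower()
    return san_name == sip_domain or san_name.endswith("." + sip_domain)


def find_san_conflicts(provider_sans, sip_domains):
    """Return (ok, conflicts, missing) for {provider: set of SAN names}:
    ok maps a domain to its single provider, conflicts maps a domain to every
    provider whose certificate still claims it, missing lists unclaimed ones."""
    ok, conflicts, missing = {}, {}, []
    for domain in sip_domains:
        claimants = sorted(p for p, sans in provider_sans.items()
                           if any(san_claims_domain(s, domain) for s in sans))
        if not claimants:
            missing.append(domain)
        elif len(claimants) == 1:
            ok[domain] = claimants[0]
        else:
            conflicts[domain] = claimants
    return ok, conflicts, missing


# Constructed sample mirroring the post: "domain.sip" moved to the new
# provider, but the old provider's certificate still lists sip.domain.sip.
SAMPLE_SANS = {
    "old_provider": {"access.oldprov.example", "sip.company.sip", "sip.domain.sip"},
    "new_provider": {"access.newprov.example", "sip.partner1.sip", "sip.domain.sip"},
}
SAMPLE_DOMAINS = ["domain.sip", "company.sip", "partner1.sip", "orphan.sip"]
```

Against live servers, build the dictionary with `fetch_san_dns_names` per provider and any domain that ends up in `conflicts` points at a SAN that should have been removed after the migration.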
