Sunday, July 10, 2011

Lync Phone Edition and third party Root CA Authority

As a network administrator, I often check a variety of server and application logs to verify the health of the environment. Today I've noticed that the Aastra 6725ip phone in my office (connecting to my home lab's Lync deployment via the public Internet) never updated its firmware to the latest version, "4.0.7577.250". Strange indeed…

Then I remembered that the phone had never downloaded the Address Book either. Why would that be? I have deployed a reverse proxy with a certificate from StartSSL, whose root is included in the Trusted Root Certification Authorities store of Windows. The functionality was verified, and external users could successfully connect to a meeting organized by a user.

A quick look at the TechNet article revealed the sad truth: while StartSSL is present in the Root CA store of Windows, it is not in Lync Phone Edition's.

Now what?!? It looks like the certificate I use on TMG provides only half of the functionality… or does it? If you think about it, my internal domain Root CA is not present in the Phone Edition store either, and yet a phone connected to the LAN works. This is because, according to the article, "First, the device searches for Active Directory Domain Services (AD DS) objects of the category certificationAuthority. If the search returns any objects, the device uses the attribute caCertificate. That attribute is assumed to hold the certificate, and the device installs the certificate.

The root CA certificate must be published in the caCertificate for Lync Phone Edition."

So, what if I use "certutil -f -dspublish RootCA" and publish the StartSSL Root CA in my pKIEnrollmentService store? The assumption is that after I connect a device to the LAN for the first time and sign in, all certificates in the domain Certificate Authority container will be downloaded to the device (including the StartSSL Root CA). Later, when I take the device onto the public Internet, as long as it is not reset to factory defaults (which restores the certificate store to its original state), the phone will trust my reverse proxy and should download updates, the address book, etc. Needless to say, my lab Exchange server also uses StartSSL for the OWA service, so this integration should work as well.

One way to find out: I have already downloaded the StartSSL Root CA to my domain controller...

…and will use the above command to publish it.

As we can see, the certificate was added. I should expect to find it in the Phone Edition store after resetting the phone and signing in again.

After some digging through the SELog, I found the following line:

For now, I will "assume success" as well and take the device to my office tomorrow to examine the result. Also, a quick look at a workstation that had just joined the domain shows that the StartCom (StartSSL) Root CA is present in the local Trusted Root Certification Authorities store, i.e. it was downloaded automatically along with the domain Root CA.
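To check the same thing without a screenshot, here is an added PowerShell example (not from the post): it lists the certificationAuthority objects in the Configuration partition, which is where `certutil -dspublish RootCA` writes and where the device looks for caCertificate, and reports whether a given root CA file is published there and whether it has reached the local machine's Trusted Root store. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the certificate path is a placeholder.

```powershell
# Added example, not from the post: verify a third-party root CA is published in
# AD where Lync Phone Edition looks (certificationAuthority / cACertificate)
# and has been pulled into the local Trusted Root store.
# Assumes the ActiveDirectory RSAT module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-PublishedRootCA {
    # Container that "certutil -dspublish RootCA" publishes into
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate |
        ForEach-Object {
            $obj = $_
            foreach ($der in $obj.cACertificate) {
                # Each attribute value is one DER-encoded certificate
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
                [pscustomobject]@{
                    ADObject   = $obj.Name
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

function Test-RootCAPublished {
    param([Parameter(Mandatory = $true)][string]$CertPath)
    $wanted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    # Match on thumbprint, not subject, so a look-alike CA is not mistaken for the real one
    $inAD   = Get-PublishedRootCA | Where-Object { $_.Thumbprint -eq $wanted.Thumbprint }
    # Domain members pull the same objects into their Trusted Root store, as observed above
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted.Thumbprint }
    [pscustomobject]@{
        Subject          = $wanted.Subject
        Thumbprint       = $wanted.Thumbprint
        PublishedInAD    = [bool]$inAD
        InLocalRootStore = [bool]$inRoot
    }
}

# Usage: list everything currently published, then verify one file (placeholder path)
Get-PublishedRootCA | Format-Table ADObject, Subject, Thumbprint, NotAfter -AutoSize
Test-RootCAPublished -CertPath 'C:\temp\startssl-root.cer'
```

Running Get-PublishedRootCA before and after the certutil command also shows exactly which extra issuer every domain member and device will now trust, which is the point of the caution below.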

As usual, this example is for testing purposes only. Caution and careful consideration are necessary if/when an administrator decides to push a third-party Root CA via Active Directory Certificate Services.

07/13/2011 Update:
As a proof of concept, it worked as expected. The phone, logged in over the Internet, promptly updated the firmware and rebooted. HOWEVER, this method should not be used in a production environment. To me it looks like the Phone Edition update is image based, and a firmware upgrade replaces everything (including the local certificate store), thus rendering the exercise above inapplicable in a production environment.


Chris Norman said...

Nice post Drago. I had a question about this just recently.

Drago said...

I could not test today from the office – first day after vacation… you know how it is. In any case (success or failure), I will report once I get some results.

Adrien said...

Unfortunately, the Aastra phone did not benefit from your workaround.
They don't load the new CA, and thus they can't connect to Exchange at all.

Has Microsoft any idea on when they will include the same CA in the trusted roots for Lync, Exchange and Lync Phone?

Drago said...

If, when you say "the same CA", you are referring to StartSSL, there is one simple answer: never. By default, Windows Server 2008 and later has a very limited set of Trusted Root CAs upon installation. An extended list (which includes StartSSL) is offered via the Windows Update service.

Mobile devices are a whole different story. I am not sure what the limitations are (if any), but you have noticed that only top-level Root CAs are included. Lync devices are pretty much the same…

A list of Public Authorities for Lync Phone Edition devices can be found here

Anonymous said...

I was wondering where the SELog is that you referred to?