Sunday, August 17, 2014

Lync Edge Certificates

Are you getting problems starting your Edge service role ?

Is your Edge service going crazy about the certificate being not accessible ?
Do you get this dreaded error message from EventID: 14591
Event ID: 14591
Error 0xC3FC7D95 (LC_E_VALIDATION_CERT_NO_KEYEXCHANGE)
Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Fear not, you are not alone, after banging my head against the wall for a few days, rebuilding the Edge server from scratch, and trying out a bunch of different certificate templates; I have finally found the solution...

Although Microsoft Windows is happy with many types of Crypto Providers; alas, Lync on the other hand, only likes the "Microsoft RSA SChannel Cryptographic Provider"

Next time you want to issue a certificate, make sure you choose the "Microsoft RSA SChannel Cryptographic Provider"

To make this more informative, I have added below the certificate template options that should be used for generating Lync certificates...

    • Don't select to publish to AD, as Lync Edge can not access the AD and is not authorized to do so:
      Template - General Tab
      • Choose the Purpose to be "Signature & Encryption" and allow "Private Key to be Exported"
      Template - Request Handling Tab
      • Choose only the "Microsoft RSA SChannel Cryptographic Provider"
      Template - CSP Selection
      • Choose the Application Policies to be "Server Authentication"
      Template - Extensions Tab
      • Choose the Key Usage to be "Allow key exchange only with key encryption"
      Template - Extensions Tab
      1 comment:
      Labels: , ,

      Tuesday, July 29, 2014

      Get-CSUserForwards

      I was asked recently to come up with the best way to figure out which users were forwarding their land-line to another number (e.g. mobile) or to another user.

      I came up with the idea of using SEFAUtil to figure out all the currently enabled users' setting.

      # Initialize Variables
$AllUsers = @()
$Count = 0

# Define Location of SEFAUtil
$SEFAUtil = "C:\Program Files\Microsoft Lync Server 2013\ResKit\SEFAUtil.exe"

# Get Application Pool Server to use
$LyncServer = Get-CsTrustedApplication | ?{$_.ApplicationId -eq "urn:application:sefautil"}|%{$_.TrustedApplicationPoolFqdn}

# Get Lync EV Enabled Users
$LyncUsers = Get-CsUser | where {$_.EnterpriseVoiceEnabled -eq $true}
$TotalUsers = $LyncUsers.Count

# Loop for each one and get details
Foreach ($LyncUser in $LyncUsers){
    $Destination = $Null
    
    #Convert User SIP to lowercase
    $UserSIP = $LyncUser.SipAddress.ToLower().Replace("sip:","")

    #Write Progress
    $Count += 1
    Write-Progress -Activity "Processing Users" -status "User $UserSIP" `
        -percentComplete ($Count / $TotalUsers*100)

    #Do the magic
 &$SEFAUtil /Server:$LyncServer $UserSIP| Tee-Object -Variable output|Out-Null

    #Split the output to lines & convert to an object
    $parts = $output -split "`n"

    #Figure Out Destination  
  $Destination = ($parts[4] -split "to: ")[1]
 If ($Destination -eq "") {
    } ElseIf ($Destination -Match "user=phone") {
     # Destination is a number
  $Destination = $Destination.Split("@")[0].Split(":")[1]
 } Else {
  # Destination is a SIP address
        write-output $Destination
  #$Destination = $Destination.Split(":")[1]
 }

    #Display information
    $Data = New-Object -Type PSObject -Property @{
        SIP = ($parts[0] -split ": ")[1]
        Name = ($parts[1] -split ": ")[1]
        EVEnabled = ($parts[2] -split ": ")[1]
        SimRing = ($parts[3] -split ": ")[1]
        ForwardTo = $Destination
    }
    $AllUsers += $Data
}

      Your feedback is always welcome.

      No comments:
      Labels: , , , , ,
      Subscribe to: Posts (Atom)