Sunday, August 17, 2014

Lync Edge Certificates

Are you getting problems starting your Edge service role?

Is your Edge service going crazy about the certificate being not accessible? Do you get this dreaded error message?

Event ID: 14591
Error 0xC3FC7D95 (LC_E_VALIDATION_CERT_NO_KEYEXCHANGE)
Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Fear not, you are not alone. After banging my head against the wall for a few days, rebuilding the Edge server from scratch and trying out a bunch of different certificate templates, I have finally found the solution...

Although Microsoft Windows is happy with many types of cryptographic provider, Lync, alas, only accepts the "Microsoft RSA SChannel Cryptographic Provider".

Next time you issue a certificate for Lync, make sure you choose the "Microsoft RSA SChannel Cryptographic Provider".

To make this more useful, here are the certificate template options that should be used when generating Lync certificates:

    • Template - General Tab: don't select to publish to AD, as Lync Edge can not access the AD and is not authorized to do so.
    • Template - Request Handling Tab: choose the Purpose to be "Signature & Encryption" and allow "Private Key to be Exported".
    • Template - CSP Selection: choose only the "Microsoft RSA SChannel Cryptographic Provider".
    • Template - Extensions Tab: choose the Application Policies to be "Server Authentication".
    • Template - Extensions Tab: choose the Key Usage to be "Allow key exchange only with key encryption".
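The same settings expressed outside the template, as an added example that is not part of the original post: an Edge server is not domain joined, so it cannot enrol from the template directly, and a certreq INF lets you pin the provider, key spec and key usage by hand. The first part writes that INF (each key is commented with the template option it stands for); the second part audits the machine store and reports every certificate whose private key would fail the check behind Event 14591, namely a key that is not held by the RSA SChannel CSP or whose KeySpec is not AT_KEYEXCHANGE. The hostnames under contoso.example are placeholders.

```powershell
# Added example (not from the original post). Hostnames are placeholders.
$InfPath = Join-Path $env:TEMP 'lync-edge.inf'
$ReqPath = Join-Path $env:TEMP 'lync-edge.req'

# INF key                 -> template option it corresponds to
# ProviderName            -> CSP Selection: Microsoft RSA SChannel Cryptographic Provider
# KeySpec = 1             -> Request Handling purpose "Signature & Encryption" (AT_KEYEXCHANGE)
# Exportable = TRUE       -> Request Handling: allow the private key to be exported
# KeyUsage = 0xA0         -> Extensions: Digital Signature (0x80) + Key Encipherment (0x20)
# EKU 1.3.6.1.5.5.7.3.1   -> Extensions: Application Policy "Server Authentication"
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=sip.contoso.example"
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Names for the Edge services (placeholder FQDNs)
2.5.29.17 = "{text}"
_continue_ = "dns=sip.contoso.example&"
_continue_ = "dns=webconf.contoso.example&"
_continue_ = "dns=av.contoso.example"
'@ | Set-Content -Path $InfPath -Encoding Ascii

# Build the CSR. Submit $ReqPath to the CA out of band, then install the
# issued certificate on the Edge with: certreq -accept <issued.cer>
certreq -new $InfPath $ReqPath

function Test-LyncEdgeCertKey {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $result = New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Provider   = $null
        KeySpec    = $null
        Issues     = @()
    }
    if (-not $Certificate.HasPrivateKey) {
        $result.Issues += 'no private key in this store'
        return $result
    }
    try {
        # CSP-backed keys expose an RSACryptoServiceProvider with container details;
        # keys held by a CNG key storage provider come back as $null or throw here.
        $rsa = $Certificate.PrivateKey
    } catch {
        $rsa = $null
    }
    if (-not $rsa -or -not $rsa.CspKeyContainerInfo) {
        $result.Issues += 'key is not held by a legacy CSP (likely a CNG key storage provider)'
        return $result
    }
    $info = $rsa.CspKeyContainerInfo
    $result.Provider = $info.ProviderName
    $result.KeySpec  = $info.KeyNumber   # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
    if ($info.ProviderName -ne 'Microsoft RSA SChannel Cryptographic Provider') {
        $result.Issues += "provider is '$($info.ProviderName)'"
    }
    if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        $result.Issues += 'KeySpec is not AT_KEYEXCHANGE (template purpose must be Signature & Encryption)'
    }
    return $result
}

# List every certificate in the machine store that Lync Edge would refuse
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LyncEdgeCertKey -Certificate $_ } |
    Where-Object { $_.Issues.Count -gt 0 } |
    Format-List Subject, Thumbprint, Provider, KeySpec, Issues
```

Run the audit on the Edge itself after importing the PFX: a certificate that was issued correctly but imported with a different provider (or into the CNG key store) shows up here with the same symptom as a bad template, and re-importing it with the RSA SChannel CSP is the fix rather than reissuing.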

Tuesday, July 29, 2014

Get-CSUserForwards

I was asked recently to come up with the best way to figure out which users were forwarding their land line to another number (e.g. a mobile) or to another user.

I came up with the idea of using SEFAUtil to figure out all the currently enabled users' settings.

# Initialize variables
$AllUsers = @()
$Count = 0

# Location of SEFAUtil (Lync Server 2013 Resource Kit)
$SEFAUtil = "C:\Program Files\Microsoft Lync Server 2013\ResKit\SEFAUtil.exe"

# Trusted application pool that SEFAUtil is registered against
$LyncServer = Get-CsTrustedApplication |
    Where-Object { $_.ApplicationId -eq "urn:application:sefautil" } |
    ForEach-Object { $_.TrustedApplicationPoolFqdn }

# Enterprise Voice enabled users (wrapped in @() so .Count works for a single result)
$LyncUsers = @(Get-CsUser | Where-Object { $_.EnterpriseVoiceEnabled -eq $true })
$TotalUsers = $LyncUsers.Count

# Query each user and collect the details
foreach ($LyncUser in $LyncUsers) {
    $Destination = $null

    # Lowercase SIP address without the "sip:" prefix, as SEFAUtil expects it
    $UserSIP = $LyncUser.SipAddress.ToLower().Replace("sip:", "")

    # Progress bar
    $Count += 1
    Write-Progress -Activity "Processing Users" -Status "User $UserSIP" `
        -PercentComplete ($Count / $TotalUsers * 100)

    # Run SEFAUtil and capture its text output
    $output = & $SEFAUtil /Server:$LyncServer $UserSIP

    # Split the output into lines; line 5 (index 4) carries the forwarding target after "to: "
    $parts = $output -split "`n"

    # Work out the forwarding destination (stays $null when nothing follows "to: ")
    $Destination = ($parts[4] -split "to: ")[1]
    if ($Destination -match "user=phone") {
        # Destination is a phone number: sip:+1234@domain;user=phone -> +1234
        $Destination = $Destination.Split("@")[0].Split(":")[1]
    } elseif ($Destination) {
        # Destination is another user's SIP address; kept as printed
        # (uncomment to strip the "sip:" prefix)
        #$Destination = $Destination.Split(":")[1]
    }

    # Build one object per user
    $Data = New-Object -Type PSObject -Property @{
        SIP       = ($parts[0] -split ": ")[1]
        Name      = ($parts[1] -split ": ")[1]
        EVEnabled = ($parts[2] -split ": ")[1]
        SimRing   = ($parts[3] -split ": ")[1]
        ForwardTo = $Destination
    }
    $AllUsers += $Data
}

# Emit the collected results (pipe $AllUsers to Export-Csv to keep them)
$AllUsers | Format-Table SIP, Name, EVEnabled, SimRing, ForwardTo -AutoSize
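The script above reads SEFAUtil's output by line position, so a missing or reordered line silently lands in the wrong field. As an added example that is not part of the original post, the parser below reads the same output by label and by the "to: " pattern instead, and separates the three cases the script cares about: forwarding to a phone number, forwarding to another user, and no forwarding at all. The label names and the three sample outputs are constructed to match the five lines the script indexes; they are not real SEFAUtil output, so adjust the labels to whatever your build prints.

```powershell
# Added example, not part of the original post. Label names and sample output
# are constructed; adjust them to the labels your SEFAUtil build actually prints.

function ConvertFrom-SefaUtilOutput {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    # Collect "Label: value" pairs keyed by label, independent of line order.
    # The first colon ends the label, so "sip:" inside a value is preserved.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<label>[^:]+?)\s*:\s*(?<value>.*?)\s*$') {
            $fields[$Matches['label']] = $Matches['value']
        }
    }

    # Forwarding target: whatever follows "to: " on the first line that has it.
    $destination = $null
    $forwardLine = $Lines | Where-Object { $_ -match '\bto:\s*\S' } | Select-Object -First 1
    if ($forwardLine) {
        $target = ($forwardLine -split 'to:\s*', 2)[1].Trim()
        if ($target -match 'user=phone') {
            # Phone number: sip:+12125550100@contoso.example;user=phone -> +12125550100
            $destination = (($target -split '@')[0] -replace '^sip:', '')
        } elseif ($target) {
            # Another user: sip:carol@contoso.example -> carol@contoso.example
            $destination = $target -replace '^sip:', ''
        }
    }

    New-Object PSObject -Property @{
        SIP       = $fields['User Sip Address']
        Name      = $fields['Display Name']
        EVEnabled = $fields['Enterprise Voice Enabled']
        SimRing   = $fields['Simul Ring Enabled']
        ForwardTo = $destination
    }
}

# Constructed samples (not real SEFAUtil output) covering the three cases.
$samples = @{
    'forward to number' = @(
        'User Sip Address: sip:alice@contoso.example',
        'Display Name: Alice Example',
        'Enterprise Voice Enabled: True',
        'Simul Ring Enabled: False',
        'Call Forward Enabled: True to: sip:+12125550100@contoso.example;user=phone'
    )
    'forward to user' = @(
        'User Sip Address: sip:bob@contoso.example',
        'Display Name: Bob Example',
        'Enterprise Voice Enabled: True',
        'Simul Ring Enabled: True',
        'Call Forward Enabled: True to: sip:carol@contoso.example'
    )
    'no forwarding' = @(
        'User Sip Address: sip:dave@contoso.example',
        'Display Name: Dave Example',
        'Enterprise Voice Enabled: True',
        'Simul Ring Enabled: False',
        'Call Forward Enabled: False'
    )
}

foreach ($case in $samples.Keys) {
    $parsed = ConvertFrom-SefaUtilOutput -Lines $samples[$case]
    "{0,-18} SIP={1} ForwardTo={2}" -f $case, $parsed.SIP, $parsed.ForwardTo
}
```

To use it inside the loop above, replace the `$parts` indexing and the `$Destination` logic with `$Data = ConvertFrom-SefaUtilOutput -Lines ($output -split "`n")`; a user whose output lacks a forwarding line then gets an empty ForwardTo instead of a value taken from whichever line happened to be fifth.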
      

Your feedback is always welcome.