So you have recently deployed Lync Server 2013 and also stood up an Office Web Apps Server 2013 (also known as WAC) to handle PowerPoint sharing. Users are happy because they can now share PowerPoint decks with animations and videos from Lync 2013.
The next day, a user reports that he is unable to share or view PowerPoint presentations and gets the following error message:
"There was a problem verifying the certificate from the server. Please contact your support team."
This user is on a non-domain-joined (workgroup) machine, and he has clearly already imported the internal Root CA certificate, since he can sign in to Lync Server 2013 and start a conference.
A suggestion from a Beta Support engineer was to untick "Check for server certificate revocation" under Internet Explorer's advanced settings, and, conveniently, that made the problem go away.
While that workaround is tolerable here because it affects a single user, it is not acceptable in an environment with many non-domain-joined (workgroup) machines: the setting is global to Internet Explorer, so it silently turns off revocation checking for every HTTPS site the browser visits, not just WAC.
Investigating further, running CERTUTIL -URLFETCH -VERIFY WAC.cer against the WAC server certificate from the non-domain-joined (workgroup) machine gave the following result:
The output shows that the certificate carries only LDAP targets in its AIA and CDP extensions, and verification fails because a non-domain-joined (workgroup) machine cannot reach those targets (the CRL and CA certificate are published in Active Directory, which a workgroup machine has no access to).
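The same diagnosis can be scripted from the workgroup client, which is useful when you have more than one user to check. The following PowerShell is an added example, not code from the original post: it reads the CDP and AIA extensions straight out of the exported WAC certificate, warns when only LDAP targets are present, and then builds the chain with online revocation checking the way Internet Explorer does. The certificate path C:\temp\WAC.cer is an assumption.

```powershell
# Added example (not from the original post). Run on the non-domain-joined client.
# Assumes the WAC server certificate has been exported to C:\temp\WAC.cer (hypothetical path).

function Get-RevocationUrls {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $result = [ordered]@{}

    # 2.5.29.31 = CRL Distribution Points (CDP); 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
    foreach ($pair in @(@{ Name = 'CDP'; Oid = '2.5.29.31' }, @{ Name = 'AIA'; Oid = '1.3.6.1.5.5.7.1.1' })) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $pair.Oid }
        if (-not $ext) { $result[$pair.Name] = @(); continue }
        # Format($true) renders the extension as multi-line text with one "URL=..." entry per target.
        # Windows percent-encodes spaces in the LDAP URLs, so a URL never contains whitespace.
        $urls = [regex]::Matches($ext.Format($true), '(?i)URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        $result[$pair.Name] = @($urls)
    }
    return $result
}

function Test-RevocationReach {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking over the whole chain: the behaviour IE applies when
    # "Check for server certificate revocation" is ticked.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Valid  = $ok
        # On an LDAP-only certificate from a workgroup machine this typically reports
        # RevocationStatusUnknown / OfflineRevocation.
        Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$certPath = 'C:\temp\WAC.cer'   # assumption: exported WAC server certificate
$urls = Get-RevocationUrls -Path $certPath
foreach ($name in $urls.Keys) {
    "$name targets:"
    $urls[$name] | ForEach-Object { "  $_" }
    if (-not ($urls[$name] | Where-Object { $_ -match '^https?://' })) {
        Write-Warning "$name has no HTTP target: a workgroup client without access to Active Directory cannot fetch it."
    }
}
Test-RevocationReach -Path $certPath

# The built-in equivalent, and what was used above:
#   certutil -urlfetch -verify C:\temp\WAC.cer
```

The extension read tells you whether the certificate could ever work from outside the domain; the chain build tells you whether it does from this particular machine, which also catches the case where an HTTP target exists but is blocked by a firewall or proxy.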
Digging deeper, the Root CA used within the organisation turned out to be an Enterprise Root CA (Active Directory-integrated), and by default its AIA and CDP extensions point at LDAP targets only. An HTTP target is defined, but it is not enabled:
To give non-domain-joined (workgroup) machines an alternative target for CRL and issuer-certificate retrieval, the HTTP target must be enabled for both the AIA and CDP extensions, which is done by ticking the highlighted options (above). Note that by default the HTTP target relies on the "Certificate Authority Web Enrollment" role service, because it points at the CertEnroll virtual directory that is created when that role service is installed. The HTTP target also has to be reachable from wherever those clients sit (including the Internet if WAC is published externally); a client that can reach neither target fails revocation checking in exactly the same way.
After changing the configuration on the Active Directory Certificate Services (ADCS) side, restart the Active Directory Certificate Services service so that the new extension settings take effect, then republish the CRL by running CERTUTIL -CRL on the ADCS server. Existing certificates keep the extensions they were issued with, so the WAC server certificate must be re-issued (request a new certificate for the WAC server) to pick up the HTTP targets.
Validate the new WAC certificate from the non-domain-joined (workgroup) machine, and the result should now look like this:
Once it verifies cleanly, install the new certificate and reconfigure the WAC server to use it; PowerPoint sharing then works without touching the Internet Explorer security setting.
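The CA-side part of the procedure above (enable the HTTP CDP and AIA targets, restart the service, republish the CRL, confirm the CRL is fetchable over HTTP) can be done from PowerShell instead of the MMC dialog. The script below is an added example, not code from the original post. It assumes a Windows Server 2012 Enterprise CA with the ADCSAdministration module, the CertEnroll virtual directory served by the Certification Authority Web Enrollment role service at http://<CA FQDN>/CertEnroll/, and the CA's default URL token layout; the %1, %3, %4, %8 and %9 tokens are the CA's own variables (ServerDNSName, CAName, CertificateName, CRLNameSuffix, DeltaCRLAllowed).

```powershell
# Added example (not from the original post). Run in an elevated prompt on the Enterprise CA.
# Assumes Windows Server 2012 ADCS with the ADCSAdministration module and the Web Enrollment
# role service providing http://<CA FQDN>/CertEnroll/.

Import-Module ADCSAdministration

# Default HTTP targets of an Enterprise CA, expressed with the CA's URL tokens.
$httpCdp = 'http://%1/CertEnroll/%3%8%9.crl'
$httpAia = 'http://%1/CertEnroll/%1_%3%4.crt'

# Current state. An HTTP entry whose AddTo* flags are all $false is the
# "defined but not enabled" situation seen in the MMC dialog.
Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Re-add the HTTP CDP entry with the flags that put it into issued certificates:
#   -AddToCertificateCdp : "Include in the CDP extension of issued certificates"
#   -AddToFreshestCrl    : "Include in CRLs. Clients use this to find Delta CRL locations"
Remove-CACrlDistributionPoint -Uri $httpCdp -Force -ErrorAction SilentlyContinue
Add-CACrlDistributionPoint    -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

# Same for AIA:
#   -AddToCertificateAia : "Include in the AIA extension of issued certificates"
Remove-CAAuthorityInformationAccess -Uri $httpAia -Force -ErrorAction SilentlyContinue
Add-CAAuthorityInformationAccess    -Uri $httpAia -AddToCertificateAia -Force

# CDP/AIA changes are only picked up after the CA service restarts.
Restart-Service CertSvc

# Republish the CRL so the file under CertEnroll is current.
certutil -crl

# Fetch the base CRL over HTTP the way a workgroup client would (no LDAP involved).
# The file name follows %3%8%9.crl; for a CA that has not renewed its key, %8 and %9 are empty.
$caFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$crlUrl = "http://$caFqdn/CertEnroll/$([uri]::EscapeDataString($caName)).crl"
$resp   = Invoke-WebRequest -Uri $crlUrl -UseBasicParsing
"CRL at $crlUrl : HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"

# Certificates already issued keep their LDAP-only extensions. Request a new WAC
# server certificate (environment specific, not shown here) and verify it from
# the workgroup client:
#   certutil -urlfetch -verify WAC.cer
```

Run the HTTP fetch at the end from a workgroup machine as well as from the CA: the point of the change is that clients outside the domain can reach the CRL, and a proxy or firewall between them and the CA will not show up when testing locally.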