Haiku #80

That's alright, sir. We

Don’t need your name and password.

CS client certs.


To be honest, we're not sure if we're supposed to be blogging about this, but we are so excited that we just had to tell someone. To make a long story short, we recently saw a prototype of the next version of Microsoft Lync and to say that this upcoming version is the coolest thing that we have ever seen in our entire lives would be a major understatement. (And we've seen practically all the episodes of Mystery Science Theater 3000.) Here are just a few of the features that might very well find their way into the next version of Microsoft Lync:


· The interface for the next version of Lync will be done entirely in 3D. (3D glasses sold separately.)

· Microsoft Lync will be fully-integrated with Facebook; in fact, if you play the game Farmville, Lync will automatically manage your farm for you.

· If you have a Twitter account, each time you start Microsoft Lync a message box will appear that says, "I noticed that you have a Twitter account. Are you sure you don't want me to delete that for you?"

· In the Standard Premium Enterprise Home Edition of Microsoft Lync, your presence information will take into account your horoscope for that day. If you have a webcam, Lync will factor in whether or not you're having a bad-hair day.

· You will still be able to communicate with users who have instant messaging accounts on MSN, Yahoo!, and AOL. In addition to that, you will also be able to communicate with the dead. (Séance-mode license sold separately.)

· Versions of Microsoft Lync will be released for Windows Phone 7; iPhone; Android; androids; the Commodore VIC-20; the telegraph; smoke signals; semaphore flags; most 4-slice toasters (except those that can toast bagels); carrier pigeons; and tin cans tied together with a piece of string. (String sold separately.)


We don't know about you, but we can hardly wait!


Note. Well, now that you mention it, today is April 1st. Why do you ask?


While we wait for these new features to be added to Microsoft Lync (and we should point out that it could be a little while before these features actually are added to Microsoft Lync), we thought we'd take a look at one of the really cool features that's already present in Microsoft Lync.


Note. No, sorry, that does not include the forthcoming Charades Mode, in which you stand in front of your computer and act out the message you want to send, just like in the game charades. Microsoft Lync tries to guess what it is you want to say, and then sends an instant message based on that guess.


There are still a few kinks that need to be worked out in that one.


Instead, what we thought we'd talk about today are the two CsClientCertificate cmdlets: Get-CsClientCertificate and Revoke-CsClientCertificate. If you're wondering what a client certificate even is, well, we'll tell you: client certificates provide a way for users to be authenticated by Lync Server 2010 without having to type in a user name and password. Instead, users simply present the system with an X.509 certificate. (Of course, this can't be just any certificate; among other things, the certificate must have a subject name or subject alternative name that identifies the user.) To be authenticated, users with a valid certificate only have to type in a PIN number; that, of course, is much easier than somehow trying to enter an alphanumeric user name and password using, say, your cell phone.


Make sense? We thought it would. So if that's what client certificates are, then what are the CsClientCertificate cmdlets for? Well, the purpose of the Get-CsClientCertificate cmdlet should be fairly obvious: it returns information about the client certificates that have been issued to a user. Want to know which client certificates have been issued to Ken Myer? No problem:


Get-CsClientCertificate -Identity "Ken Myer"


While we're here, we should probably mention that, while Get-CsClientCertificate actually works quite well, the cmdlet does contain a very misleading error message. For example, suppose you misspelled Ken Myer's name when calling Get-CsClientCertificate:


Get-CsClientCertificate -Identity "Ken Myr"


If you do that, the error message you get back will read like this:


Get-CsClientCertificate : Cannot find user in Active Directory with the following SAM account name: "Ken Myr"


That error message implies that you're supposed to use Ken Myer's SamAccountName when trying to retrieve his client certificate. Unfortunately, though, that error message is wrong; using Ken Myer's SamAccountName isn't going to work:


Get-CsClientCertificate -Identity "kmyer"


Get-CsClientCertificate : Cannot find user in Active Directory with the following SAM account name: "kmyer"


We know of at least one person who wasted several years of his life trying to get Get-CsClientCertificate to work with a SamAccountName. It's not going to happen. Instead, use Ken Myer's Active Directory display name or his SIP address or even his user principal name when calling Get-CsClientCertificate. Just don't use his SamAccountName.


Incidentally, Get-CsClientCertificate does take pipelined input, which means you can run commands like this one, which retrieves the client certificates for all your users who actually have client certificates:


Get-CsUser | Get-CsClientCertificate


And this one returns information about all the users who have a client certificate due to expire before September 1, 2011:


Get-CsUser | Get-CsClientCertificate | Where-Object {$_.ExpirationTime -lt "9/1/2011"}


Note. Will Get-CsClientCertificate continue to work after we release Caffeine-Free Diet Microsoft Lync? We'll have to get back to you on that one.


Revoke-CsClientCertificate also has a pretty good aptronym (a name that describes what it actually does); after all, the cmdlet is used to revoke client certificates. For example, if you want to revoke Ken Myer's client certificate all you have to do is run a command like this one:


Revoke-CsClientCertificate -Identity "Ken Myer"


You say you want to revoke all your client certificates? Sure; why not:


Get-CsUser | Revoke-CsClientCertificate


Note that Revoke-CsClientCertificate doesn't actually harm the certificate itself; for example, it won't remove a certificate from your phone. Instead, it simply tells Lync Server that the certificate in question can no longer be used to authenticate you.
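
Putting the two cmdlets together, as an added example that is not part of the original post: an inventory of every client certificate with a rolling expiration check, followed by a targeted revocation for users whose devices should no longer authenticate. It assumes the Lync Server Management Shell; the SIP address and the 30-day window are constructed sample values.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell.

# Constructed sample input: users whose certificates should be revoked
# (lost phone, departed employee). Use a SIP address, UPN, or display name;
# as shown above, a SamAccountName will not resolve.
$UsersToRevoke = @('sip:kenmyer@litwareinc.com')

# Rolling cutoff as a real DateTime instead of a hard-coded date string.
$Cutoff = (Get-Date).AddDays(30)

# 1. Inventory: one row per certificate, tagged with the owning user.
#    @() guarantees an empty collection for users with no certificates,
#    so the inner loop is skipped for them.
$inventory = foreach ($user in Get-CsUser) {
    foreach ($cert in @(Get-CsClientCertificate -Identity $user.SipAddress)) {
        New-Object PSObject -Property @{
            User           = $user.SipAddress
            ExpirationTime = $cert.ExpirationTime
            ExpiresSoon    = ($cert.ExpirationTime -lt $Cutoff)
        }
    }
}

$inventory |
    Sort-Object ExpirationTime |
    Format-Table User, ExpirationTime, ExpiresSoon -AutoSize

# 2. Targeted revocation. -WhatIf reports what would be revoked without
#    changing anything; remove it once the list has been reviewed.
foreach ($id in $UsersToRevoke) {
    Revoke-CsClientCertificate -Identity $id -WhatIf
}

# 3. After the real run, list whatever the server still holds for those users.
foreach ($id in $UsersToRevoke) {
    Get-CsClientCertificate -Identity $id
}
```

Because revocation only changes what Lync Server will accept, the certificate file itself stays on the device until someone removes it there.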


That's all we have for today. We'll continue to keep you posted on the next version of Microsoft Lync; our understanding is that this next version will not only be localized into the usual set of languages, but will also be released in Klingon, Na'vi, and Hobbit. Txantsan!


Disclaimer. Even though Microsoft has a great sense of humor, Microsoft has absolutely no sense of humor whatsoever. Therefore, we should remind everyone that today is April 1st; that means you shouldn't believe everything that you read in the daily Lync Server PowerShell haiku.


Which, now that we think about it, is also pretty good advice for April 2nd, April 3rd, April 4th, April ….

