Lync Server Federation with Microsoft.com: Root Certificate Change


On June 8th, 2013, for Office Communications Server and Lync federation with Microsoft.com, Microsoft will replace the root certificate on the federation edge server from a GTE CyberTrust root to a Baltimore root.

By that date, any SIP domain federated with Microsoft must have the respective edge server’s trusted root certificate store updated with the Baltimore root certificate. Any edge server which does not trust the new Microsoft.com certificate by June 8, 2013 will be unable to connect to Sipfed.microsoft.com, thereby impacting federation with the Microsoft.com SIP domain. IM and presence will fail, as will A/V for any user within the federated SIP domain when attempting to reach a user in the Microsoft.com SIP domain.

Author: Jon McClary, Microsoft Service Engineer

Technical Reviewers: Rob Pittfield, Conrad Mouton

Published: May 9, 2013

Product version: Office Communications Server 2007, Lync 2010, Lync 2013

IMPORTANT NOTE   If you have installed the latest updates, you are already covered. In fact, if you are running Microsoft Support diagnostics, you won’t encounter this issue. 

Microsoft will make a certificate change on June 8, 2013, which could potentially affect federation with the Microsoft.com SIP domain. This applies only to SIP domains that are federated with Microsoft.com. The certificate applied to the Microsoft Lync Access Edge server, sipfed.microsoft.com, is nearing its expiration. The new certificate will use the Baltimore CyberTrust Root Certificate, which will require that federated partners’ Access Edge servers trust the new root.

The potential for impact is to SIP and A/V communication with Microsoft.com for any user in an affected federated SIP domain.

Here’s what you need to know to continue to communicate with the Microsoft.com SIP domain.

1. Verify whether the Baltimore CyberTrust Root certificate is already trusted—as is likely if the server has the most recent Microsoft Updates installed.

2. Open the certificate snap-in for the local machine in the Microsoft Management Console (MMC) on the federating edge server.

3. Verify whether the Baltimore CyberTrust Root is in the trusted root certificate authorities, as shown in Figure 1 below. The expiration date is May 12, 2025.

Figure 1. Verifying that Baltimore CyberTrust Root is in trusted root certificate authorities

If this trusted root certification authority exists here, your work is done. If this root certification authority is not trusted, you must import that certificate as a trusted root per your operating system version, as detailed in this Support topic: Windows Root Certificate Program members.

To enable continued communication with users in the Microsoft.com SIP domain, you must ensure that the Baltimore CyberTrust Root certificate is trusted by Office Communications Server and Lync Access Edge servers that are federated with the Microsoft.com SIP domain.

Additional Information

About the Author

Jon McClary has been a Service Engineer with the Microsoft Lync Server team since 2008, supporting Office Communications Server, Lync Server, and Lync Online. He has a total of 12 years on the Microsoft campus and in 2009, earned Microsoft Certified Master (MCM) status for Office Communications Server 2007 R2. Jon’s specialties include TCP/IP networking, UC, infrastructure, and cloud services.

Lync Server Resources

We Want to Hear from You

Keywords: OCS, Lync, Federation, Access Edge, Certificate, sipfed.microsoft.com

Comments (3)
  1. MIK says:

    Hello Jon,

    We are running windows server 2003 R2 X64 standard edition with service pack 2 & Office communicator 2007 R2.

    I've checked & found that our edge server is holding root CA from Baltimore CyberTrust Root & the Validity date is also matching with the one provided in the above snapshot. But, The purpose listed on the general page is just as below three, Rest of the three are missing.

    MY cert has:

    ————

    1. Ensure the identity of the remote computer.

    2. Protects E-mail Messages.

    3. All issuance policies.

    Missing from my cert:

    ———————-

    1. Proves your identity to a remote computer.

    2. Ensure software came from softer publisher.

    3. Protect software from alteration after publication.

    Request you to please suggest on this scenario, whether its going to work with the EDGE server without these purpose(s) from the CA certificate.

    Regards,

    MIK

  2. gurpreet says:

    http://ikaef.org/

    kali, sikaran, kalisikaran, fma, arnis, escrima, eskrima, punong, guro, ikaef, international, federation

    Thank you for this informative post.

  3. Anonymous says:

    Lync Server Federation with Microsoft.com: Root Certificate Change – NextHop – Site Home – TechNet Blogs

Comments are closed.