Group Chat R2 Certificates–To add client auth or not?

A recent customer issue raised the question of why a new certificate with Client Authentication in the Enhanced Key Usage (EKU), in addition to Server Authentication, fixed a problem with the Group Chat Administration Console connecting successfully. I took a screenshot of the Machine Wide settings in my Group Chat Server Configuration, where I only had a certificate with Server Authentication, simply to say that I didn’t think it was required.

Further research showed that Mark from the Three UC Amigos lists, as the first suggested fix, adding a certificate with Client Authentication in the EKU field: https://blogs.technet.com/b/ucedsg/archive/2009/05/22/i-am-having-problems-getting-group-chat-administrator-console-working.aspx

None of the Group Chat documents include instructions or notes on requiring this, but the R2 Certificate guide* does have Certutil instructions and a note supporting the need. Having reviewed the R2 Certificate document with Rick Kingslan, and not recalling this and certainly not experiencing it in my lab, I asked if he knew anything more. He shared that he has seen it a few times, but nobody has figured out why it is not consistent. If a customer has the issue or can provide reliable steps to reproduce it, we would be interested in troubleshooting further.

If you encounter such an issue, follow Mark’s steps, and if that fails, contact support so we can investigate and provide a fix or documentation update.
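
Before requesting a new certificate, it helps to confirm which EKU purposes the currently installed one carries. The PowerShell below is an added example, not part of the original post or of Microsoft's documentation; the function name `Get-CertEkuReport` and its subject filter are hypothetical, and it assumes the Group Chat certificate is in the Local Computer Personal store.

```powershell
# Added example: report Server/Client Authentication EKU for certificates
# in a certificate store. Get-CertEkuReport is a hypothetical helper name.
function Get-CertEkuReport {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',  # assumed store location
        [string]$SubjectLike = '*'                       # e.g. '*groupchat*' (constructed sample)
    )

    # Standard PKIX EKU object identifiers.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectLike } |
        ForEach-Object {
            $cert = $_

            # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
                }
            }

            # EkuPresent = $false means the certificate has no EKU extension,
            # i.e. its purposes are not restricted by EKU at all.
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                EkuPresent = ($ekuOids.Count -gt 0)
                ServerAuth = ($ekuOids -contains $serverAuthOid)
                ClientAuth = ($ekuOids -contains $clientAuthOid)
            }
        } |
        Select-Object Subject, Thumbprint, NotAfter, EkuPresent, ServerAuth, ClientAuth
}

# List every certificate in the machine store with its EKU flags.
Get-CertEkuReport | Format-Table -AutoSize
```

A row with `ServerAuth` true and `ClientAuth` false matches the Server Authentication-only configuration described above.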

TomL LCSKid

* The OCS 2007 R2 Deploying Certificates.doc can be downloaded as part of the server documentation download page: https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e9f86f96-aa09-4dca-9088-f64b4f01c703