Lync 2013 / 2010 – Public Edge Certificate missing its private key


Recently I have seen an issue where your public certificate is missing its private key after import. The situation is this: you create the required .req for your public certificate on the Edge server and send the details off to your chosen certificate authority. Once they create and return the .crt file and the necessary trusted root and intermediate certificates, you import them into the Lync Edge server, only to find that the 'sip.<domainname>.com' certificate is missing its private key.

Why would this be the case when you originally generated the request on the Lync Edge server? At this moment the only reason I can see is that another certificate with the same name has previously been imported onto the server. Apart from that I cannot find any other logical reason why the newly imported certificate sometimes lacks its private key.

If you are in this position, the simple fix to the cert is as follows:

– On the imported certificate without the private key, double-click the cert to show the information associated with it. Click on the Details tab and look for the field called 'Serial'. Copy the serial number into Notepad and remove the spaces from the value, i.e.

Was: 5a 12 6e 7e ee 11   Amended: 5a126e7e11

Now, still on the Edge server, open a command prompt and type the following:

certutil -repairstore my <Amended unique serial number>

e.g.: certutil -repairstore my 5a12637e11

Press Enter to run it.

You will then be presented with the certificate information and confirmation that the repair has been successful.

Now if you go into the certificate store and refresh, you will see that the certificate has its private key associated with it.

At this point you can go back to the Lync Deployment Wizard and assign the public cert to your Edge server.
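As an added example (not the author's code), here is the same repair scripted in PowerShell: it lists every certificate in the Local Computer personal store that lacks a private key, optionally runs certutil -repairstore against each one, and then re-reads the store to confirm the key is bound. The $SubjectFilter and -Repair parameters are assumptions of this script, not anything from the original post.

```powershell
# Added example: find certificates in LocalMachine\My with no private key,
# run certutil -repairstore against each one, and verify the result.
# Run elevated on the Edge server. $SubjectFilter and -Repair are assumed
# parameters of this script, not part of the original procedure.
param(
    [string]$SubjectFilter = 'sip.',
    [switch]$Repair
)

# X509Certificate2.SerialNumber is already the hex string without spaces,
# which is exactly the value certutil -repairstore expects.
$orphans = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey -and $_.Subject -like "*$SubjectFilter*" }

if (-not $orphans) {
    Write-Host 'No certificates without a private key found in LocalMachine\My.'
    return
}

foreach ($cert in $orphans) {
    Write-Host ("Missing key: {0}  serial={1}  thumbprint={2}" -f `
        $cert.Subject, $cert.SerialNumber, $cert.Thumbprint)

    if ($Repair) {
        # Re-associate the certificate with the private key that the original
        # .req left behind in the machine key container.
        certutil.exe -repairstore my $cert.SerialNumber
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil failed (exit $LASTEXITCODE) for serial $($cert.SerialNumber)"
            continue
        }
        # Re-read the store entry; HasPrivateKey should now be true.
        $after = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
        if ($after.HasPrivateKey) {
            Write-Host '  -> repaired: private key is now present.'
        } else {
            Write-Warning '  -> repair ran but no key was bound; the request may have been generated on another machine.'
        }
    }
}
```

Run it with no switches first to see which certificates are affected; add -Repair to actually run certutil against them.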

Job Complete

Thanks

Iain S


Lync 2013 – Masking Information from Monitoring Reports – Video Config Guide


Hello all

This is a video guide on how to change Monitoring information in the backend SQL database that was added via the Lync CDR records.

In the video scenario, what we want to achieve is that certain caller information and a certain callee are removed from all records within the Monitoring database. For example, say your company has a whistleblowing programme where an employee can advise a team of any internal wrongdoing within the company. The information about who actually called the whistleblowing number would be sensitive, and this could jeopardise the callee.

I hope this helps.

Regards

IainS

Lync 2013 – Move Response Groups from Lync 2010 to Lync 2013

This blog post gives the details of what's needed to move your Lync 2010 Response Groups over to Lync 2013. In truth there isn't much to it, just a couple of PowerShell commands.

To start with, run the Get command to retrieve information from your Lync topology about the Response Groups.

For example:

Get-CsRgsConfiguration, then enter your pool identity <FQDN of your Lync 2010 Pool> when prompted. This will bring back details about the Response Group application associated with Lync 2010.

The next step is to back up the Response Group information, just in case anything goes wrong. In order to back up your Response Groups, you need to make sure you have the Lync 2010 Resource Kit tools installed. After you have the tools installed, within your Lync Management Shell, change directory to where you installed the Resource Kit and then run:

Import-Module .\RgsImportExport.ps1

This will load the PowerShell module so that you can interact with the Response Group service of Lync 2010. The next step is to run the export command to export the configuration.

Export-CsRgsConfiguration <service:poolFQDN> -Filename <path and file name for backup>

Example: Export-CsRgsConfiguration ApplicationServer:pool01.northernlync.local -Filename "C:\Lync_NLRgsConfig.zip"

Once this has exported, we are ready to migrate the Response Groups from Lync 2010 to Lync 2013.

In Lync PowerShell again, run the following command:

Move-CsRgsConfiguration -Source <Lync2010 Pool FQDN> -Destination <Lync2013 Pool FQDN>

e.g.: Move-CsRgsConfiguration -Source lyncse01.northernlync.local -Destination lync13pool.northernlync.local

Once this is complete, finally run a few commands in Lync PowerShell to confirm the migration of the groups:

Get-CsRgsAgentGroup (ensure everything returned by this and the commands below is now pointing to the Lync 2013 environment)

Get-CsRgsQueue

Get-CsRgsWorkflow
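As an added example (not the author's code), the three confirmation commands turned into a single check: it counts agent groups, queues and workflows per pool and lists anything still owned by the Lync 2010 pool. The pool FQDNs are placeholders taken from the examples above, and it assumes the OwnerPool property exposed on the Rgs objects.

```powershell
# Added example: confirm every Response Group object belongs to the Lync 2013
# pool after Move-CsRgsConfiguration. Pool names are placeholders; OwnerPool
# is assumed to be the property on each Rgs object naming its hosting pool.
param(
    [string]$OldPool = 'lyncse01.northernlync.local',
    [string]$NewPool = 'lync13pool.northernlync.local'
)

# The same three cmdlets the post tells you to run, gathered once.
$checks = @(
    @{ Name = 'AgentGroup'; Items = Get-CsRgsAgentGroup },
    @{ Name = 'Queue';      Items = Get-CsRgsQueue },
    @{ Name = 'Workflow';   Items = Get-CsRgsWorkflow }
)

$stragglers = @()
foreach ($c in $checks) {
    $onNew = @($c.Items | Where-Object { $_.OwnerPool -eq $NewPool }).Count
    $onOld = @($c.Items | Where-Object { $_.OwnerPool -eq $OldPool })
    Write-Host ("{0}: {1} total, {2} on {3}, {4} still on {5}" -f `
        $c.Name, @($c.Items).Count, $onNew, $NewPool, $onOld.Count, $OldPool)
    # Remember anything left behind so it can be listed at the end.
    $stragglers += $onOld | Select-Object @{ n = 'Type'; e = { $c.Name } }, Name, OwnerPool
}

if ($stragglers) {
    Write-Warning 'Some Response Group objects were not moved:'
    $stragglers | Format-Table -AutoSize
} else {
    Write-Host "All Response Group objects are owned by $NewPool."
}
```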

That's it.

Lync 2013 – RTCSRV Frontend Service failing to start “showing as starting” PART 2 Certificate Store issue

Hello All

Here we are again for another blog post on an issue similar to one I posted about previously, namely the RTCSRV service on the Lync 2013 Front Ends not starting.

This particular post relates to the same RTCSRV service, but this specific issue is Windows Server 2012 / R2 build centric.

OK, so what was the problem? In both Standard and Enterprise Edition builds you have run through each element without issue, then you come to starting the services and bam: all of the services start apart from RTCSRV, which sits cycling on 'starting'. The first port of call for any issue like this is the event logs. At this point I was expecting the same damn issue with quorum recovery, due to the Lync build still being RTM (not patched).

So after a quick glance at the event logs I ran the Jan 2014 updates into the topology. I then tried starting the service again, and again it was stuck cycling on RTCSRV. At this point I jumped back to the event logs, as I've found that after the Lync RTM build the information becomes a lot richer in content. As it happens this was the case: there was an error in the logs around certificates. Yet my installation was using an internal CA, so why should I be getting these errors?

I checked the internal CA for correct marking and trust, which all ticked out OK, and my next step was around certificates in general and the way Windows Server 2012/R2 sees them differently. What I mean by this is that the certs in the Personal, Intermediate and Trusted Root stores on Windows Server 2008 R2 could in some cases be totally wrong and the Lync services would start without issue. In Windows Server 2012/R2, Microsoft has done a lot of work around the certificate stores and put much stricter requirements on them. For example, having an intermediate cert in the Trusted Root store will throw an error in the event log; having duplicate trusts in the Trusted Root store will throw an error in the event log; and so on.

So what was the issue in my case? It was one I had seen before in a deployment, and one which was totally unrelated to Lync and the RTCSRV service.

In the Trusted Root store all certificates have to have a matching subject and issuer name, or again an error will be thrown. AND having such an issue will stop RTCSRV from starting for Lync! Crazy, you might say!

What does Microsoft say about this? (Screenshot in the original post.)

This is the event error in question (screenshot in the original post).

To find this out there is a simple PowerShell command to run to identify this mismatched information on the Trusted Root certs:

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\temp\certinformation.txt"

Once you have the information from your txt file, jump over to MMC and the certificate store, locate these certs in the Trusted Root store and move them to the Intermediate store. Once you have completed this, close PowerShell and reopen it to refresh the certificate provider, then rerun the command. This time around you should have no information in your txt file.

Now if you're running Standard Edition, simply start your Front End services. If you're running Enterprise Edition, I would personally run the quorum recovery command to bring your Front End into sync; this will also start the services.
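As an added example (not the author's code), the check above plus the manual MMC move in one script: it reports every Trusted Root certificate whose Issuer differs from its Subject, also reports duplicate thumbprints (the other condition the post mentions), and with -Fix moves the mismatched certificates to the Intermediate store using the .NET X509Store classes. The -Fix switch is an assumption of this script; run it elevated.

```powershell
# Added example: audit the Local Computer Trusted Root store for the two
# conditions the post describes (non-self-issued certs, duplicate trusts)
# and optionally move the mismatches to Intermediate ('CA'). Report-only
# unless -Fix is given. -Fix is an assumed parameter, not from the post.
param([switch]$Fix)

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$rootStore.Open('ReadWrite')
$caStore.Open('ReadWrite')

try {
    # Rule from the post: anything in Trusted Root must be self-issued.
    $mismatched = @($rootStore.Certificates | Where-Object { $_.Issuer -ne $_.Subject })

    # Second condition from the post: the same trust present more than once.
    $dupes = @($rootStore.Certificates | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 })

    foreach ($cert in $mismatched) {
        Write-Host ("Not self-issued in Root: subject='{0}' issuer='{1}' thumbprint={2}" -f `
            $cert.Subject, $cert.Issuer, $cert.Thumbprint)
        if ($Fix) {
            # Same move the post performs by hand in MMC: Root -> Intermediate.
            $caStore.Add($cert)
            $rootStore.Remove($cert)
            Write-Host '  -> moved to Intermediate Certification Authorities'
        }
    }

    foreach ($d in $dupes) {
        Write-Warning ("Duplicate entry in Root: thumbprint={0} count={1}" -f $d.Name, $d.Count)
    }

    if ($mismatched.Count -eq 0 -and $dupes.Count -eq 0) {
        Write-Host 'Trusted Root store is clean: every certificate is self-issued and unique.'
    }
}
finally {
    $rootStore.Close()
    $caStore.Close()
}
```

Run it without -Fix first and review the list; the original command's txt output and this report should name the same certificates.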

That's it. I hope this has helped others out.

Lync 2013 – Force the Lync client to always ‘show User Picture’ – video guide


Good Morning

This blog post and video guide describe how to force the Lync 2013 client to always show the end user's Lync picture, even after the user has changed the setting not to show it.


To put a little bit of background around this: as with Lync 2010, Lync 2013 does not have the ability to block or stop a user from deselecting the option of showing their Lync picture. This picture element is something I'm asked about many times while working with customers.

I know this is something we would all like as an option, but as of today, and as far as I'm aware, this isn't something close to Microsoft's heart in fixing or providing a solution for.

Also to confirm, there aren't any policies you can assign or registry settings you can apply to block the user from changing their setting. So what is the solution, and where is this setting stored? Well, it's not in the xds database; it's actually stored within the Front Ends' rtclocal database.

So to confirm before you go any further in the blog: I'm pretty certain that this solution will be one that's unsupported by Microsoft, and also one that, as we are going to change rtclocal, will be seen as a 'borderline' hack. Also I would like to point out I've run this within my lab without issue for some time; however, I would suggest you test it within your lab before you embark on using it in your production environment. <remember I hold no responsibility> 🙂

OK, now the small print is out of the way, what is the fix? Within rtclocal there is a table called PublishedStaticInstance which has a field that holds a massive binary value. Part of the challenge is to convert the binary into something that's readable and something we can update.


Under the covers, what this binary data states is DisplayADPhoto true/false.

So as part of the update we check the status and update accordingly when the status is false.

As this is running on rtclocal, the guide runs this via a scheduled task executing a .ps1 PowerShell script. The SQL only checks the last 15 minutes of changes to reduce locks and database processing, and the scheduled task I've created runs every 15 minutes, so between the two you will never be out of sync with what a user is doing. (You could run this script more regularly than every 15 minutes, but given the requirement I think 15 is a good medium to use.)

As for the SQL command, some thanks go out to the TechNet community, as understanding the converts within the SQL was a slight challenge.

PS1 script:

# Requires the Lync Management Shell cmdlets and the SQLPS module (for Invoke-Sqlcmd).
function Enable-UserPhotos {
    param([string]$Domain, [int]$OffSet)

    # Each Front End in this server's pool has its own RTCLOCAL instance, so the update runs on every one.
    (Get-CsPool (Get-CsComputer "$(hostname).$Domain").Pool).Computers | ForEach-Object {
        $query = @"
update rtc.dbo.PublishedStaticInstance
set Data = CONVERT(image, convert(varbinary(4000),
        REPLACE(convert(varchar(4000), convert(varbinary(4000), Data)),
                '<displayADPhoto>false</displayADPhoto>',
                '<displayADPhoto>true</displayADPhoto>')))
where [LastPubTime] >= DATEADD(mi, -$OffSet, getdate())
  and convert(varchar(4000), convert(varbinary(4000), Data)) like '%<displayADPhoto>false</displayADPhoto>%';
"@
        Invoke-Sqlcmd -Query $query -ServerInstance "$($_)\RTCLOCAL"
    }
}

Enable-UserPhotos -Domain 'your domain name here' -OffSet 15

KEY TAKEAWAYS

Remember the script is changing the rtclocal database on the Front End, and this will be seen as not supported by Microsoft!

Video guide below.

Thanks!

Iain Smith

Lync 2013 – Ferrari Virtual SBC ‘Video’ Installation Guide against SIP trunk from PureIP


Hello All

Following the news from Ferrari that the new Virtual SBC OfficeMaster Gateway was available as a trial, I thought I would take the opportunity to deploy and configure the gateway with a connection to my SIP trunk via provider PureIP.

Instead of the normal line-by-line installation guide, this time around I've completed a video guide of the actual installation and also the call testing.

The video was recorded using CamStudio, and the audio was captured using a Plantronics Blackwire 710 headset.

Details about the Ferrari Electronics company can be found here: http://www.ferrari-electronic.com/en/products/officemaster-gate.html

For a trial installation of the Ferrari OfficeMaster gateway you need to contact Ferrari at info@ferrari-electronic.de

Details about SIP trunk provider PureIP can be found here: http://www.pure-ip.co.uk

The key takeaway for me was that the gateway is different to other vendors' gateways, in that with the Ferrari appliance you complete the configuration via a GUI rather than a web portal on the appliance. The configuration was straightforward and nothing too taxing. One thing of interest to me was that the gateway can work in single-NIC mode or in dual-NIC mode for hand-off between NICs (similar to how a Lync Edge server hands over from the internal NIC to the external NIC).

Also, I think there is a wording issue on the tabs while setting up the routing, as one tab says 'Calls from ISDN' when in fact it should say 'Calls to ISDN'.

All in all, I was really pleased with the setup and installation of the gateway, and I look forward to getting my hands on the new physical appliance being released in Q1 2014.

Below is the video of the installation and setup.

Thanks Iain Smith – NorthernLync