There’s certainly no lack of information out there regarding issues with wildcard certificates in various situations with Exchange and, increasingly, Lync. Jeff Schertz recently posted a good article on the topic as it relates to Lync. It’s worth adding another tidbit to his information, which is that a wildcard certificate on Exchange Web Services will cause Lync Phone Edition not to connect to Exchange. If you look at the log files from the phone you’ll see something like this (irrelevant parts of the log have been removed):
INFO :: NAutoDiscover::DnsAutodiscoverTask::PopulateAutodiscoverUrlsFromDnsSrv: SRV record found for record, _autodiscover._tcp.domain.com, value, mail.domain.com.
INFO :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: Trying url, https://mail.domain.com/autodiscover/autodiscover.xml
INFO :: WebServices::CSoapTransport::OpenNewInternetHandle: Connecting using INTERNET_OPEN_TYPE_PRECONFIG flag
WARN :: WebServices::CSoapTransport::OpenAndSendDummyRequest: HttpSendRequest failed. Server=mail.domain.com, Path=/autodiscover/autodiscover.xml
ERROR :: WebServices::CSoapTransport::GetHttpHeaders: Failed to send a dummy request: hr=0x80072f06, url=https://mail.domain.com/autodiscover/autodiscover.xml
INFO :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: GetHttpHeaders failed with 0x80072f06
WARN :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: Exception with this url. hr=0x80072f06
The error code in that log, hr=0x80072f06, is ERROR_INTERNET_SEC_CERT_CN_INVALID, meaning that the CN (subject) of the certificate is not valid for the host name the phone connected to (here mail.domain.com).
Be aware that this doesn’t cause any problems with the regular Lync client, only Lync Phone Edition. As you probably guessed, the solution is to replace that wildcard certificate with a regular certificate that contains the EWS FQDN in either the subject or subject alternative name field.
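As an added illustration (not code from the original post), the check below reproduces the name-matching difference behind the error above: it classifies whether a certificate covers the EWS/Autodiscover FQDNs by an exact subject or SAN entry, which Lync Phone Edition requires, or only through an RFC 6125-style wildcard, which browsers and the desktop Lync client accept but the phone rejects with 0x80072f06. The CertNames class, the function names and the sample names (*.domain.com, mail.domain.com, autodiscover.domain.com) are constructed for the example; the WinINet error numbers are the documented ones.

```python
from dataclasses import dataclass, field

# WinINet error codes carried in the low 16 bits of an 0x8007xxxx HRESULT
WININET_CERT_ERRORS = {
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",  # hr=0x80072f06 in the phone log
    12045: "ERROR_INTERNET_INVALID_CA",
    12169: "ERROR_INTERNET_SEC_INVALID_CERT",
}

def decode_hresult(hr: int) -> str:
    """Map a FACILITY_WIN32 HRESULT from a Lync Phone Edition log to its WinINet name."""
    if (hr >> 16) & 0x7FFF != 7:  # facility 7 = FACILITY_WIN32
        return f"0x{hr:08x} (not a Win32-facility HRESULT)"
    return WININET_CERT_ERRORS.get(hr & 0xFFFF, f"Win32 error {hr & 0xFFFF}")

@dataclass
class CertNames:
    """Host names a client sees on a certificate: subject CN plus SAN dNSName entries (constructed type)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)

    def names(self) -> list:
        return [n.lower().rstrip(".") for n in [self.subject_cn, *self.san_dns]]

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 rule: '*' must be the whole leftmost label and covers exactly one label."""
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def classify_coverage(cert: CertNames, fqdn: str) -> str:
    """'exact' works for every client; 'wildcard-only' works for browsers and the desktop
    Lync client but fails on Lync Phone Edition with CERT_CN_INVALID; 'none' fails everywhere."""
    host = fqdn.lower().rstrip(".")
    names = cert.names()
    if host in names:
        return "exact"
    if any(wildcard_matches(n, host) for n in names):
        return "wildcard-only"
    return "none"

def audit_ews_cert(cert: CertNames, fqdns: list) -> dict:
    """Report, per FQDN the phone will contact (SRV target, Autodiscover, EWS), how the cert covers it."""
    return {f: classify_coverage(cert, f) for f in fqdns}

if __name__ == "__main__":
    # Constructed sample: the wildcard cert from the post versus a corrected SAN cert
    targets = ["mail.domain.com", "autodiscover.domain.com"]
    print(audit_ews_cert(CertNames("*.domain.com"), targets))                                # both 'wildcard-only'
    print(audit_ews_cert(CertNames("mail.domain.com", ["autodiscover.domain.com"]), targets))  # both 'exact'
    print(decode_hresult(0x80072F06))  # ERROR_INTERNET_SEC_CERT_CN_INVALID
```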
Hello Mike, we have a customer running Lync with Exchange 2010 and the wildcard certificate on Exchange. I have seen the same behavior as you describe here in this blog. But when I view the CELogs I cannot find the lines that you describe in the blog. Where can I find these logs that you describe?
With regards,
Jelle Balk
Posted by: Jelle_balk | 04/29/2011 at 03:32
Jelle,
Those logs came from a special debug version, so I got the files via ftp directly from the phone, but this should be the same log that goes up to the server. Are you using readlog.exe to convert the log to text?
In any case you can be sure that you'll hit this problem if your customer is using a wildcard certificate with EWS.
Mike
Posted by: Mike Stacy | 04/29/2011 at 08:25
Hi Mike,
Does this limitation of Lync phone devices (not able to understand wildcard names) apply to the UM certificate as well?
Posted by: Richard Pasztor | 05/17/2011 at 12:40
I haven't tested that specifically but it probably would not have an impact due to the way UM communication is handled from the phones. However, I retain the stance that in general you should avoid wildcard certificates. For the UM role I would recommend using an internally generated certificate with the appropriate subject name.
Posted by: Mike Stacy | 05/19/2011 at 11:03