

Group Chat R2 Certificates–To add client auth or not?

A recent customer issue raised the question of why a new certificate with Client Authentication in the Enhanced Key Usage (EKU) extension, in addition to Server Authentication, fixed a problem with the Group Chat Administration Console connecting successfully. I took a screen shot of my Group Chat Server Configuration, Machine Wide settings, where I only have a certificate with Server Authentication, to show that I didn't think Client Authentication was required.

[image: Group Chat Server Configuration, Machine Wide settings, showing a certificate with only Server Authentication in its EKU]

Further research showed that Mark from the Three UC Amigos lists adding a certificate with Client Authentication in the EKU field as the first suggested fix: https://blogs.technet.com/b/ucedsg/archive/2009/05/22/i-am-having-problems-getting-group-chat-administrator-console-working.aspx

None of the Group Chat documents include instructions or notes on requiring this, but the R2 Certificate guide* does have Certutil instructions and a note supporting the need. Having reviewed the R2 Certificate document with Rick Kingslan, and not recalling this requirement and certainly not having experienced it in my lab, I asked whether he knew anything more. He shared that he has seen it a few times, but nobody has figured out why it is not consistent. If a customer has the issue, or can provide reliable steps to reproduce it, we would be interested in troubleshooting further.
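Before swapping certificates, it helps to know exactly which EKUs the certificate you assigned actually carries. The following PowerShell is an added example, not code from the original post or from the R2 Certificate guide. It lists the certificates in the Local Machine personal store and reports, for each, whether the EKU extension includes Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client Authentication (OID 1.3.6.1.5.5.7.3.2). The store path is an assumption; adjust it if your Group Chat certificate lives elsewhere.

```powershell
# Added example (not from the original post): report Server Authentication and
# Client Authentication EKU presence for certificates in the machine store.
# Run from an elevated PowerShell prompt on the Group Chat server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuReport {
    param(
        # Assumed store path; Group Chat normally uses the machine personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # The EKU extension, when present, is exposed as X509EnhancedKeyUsageExtension.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        $oids = @()
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # A certificate with no EKU extension at all is unrestricted (valid for any
        # purpose), so it is reported as satisfying both usages; flag that separately
        # because it is a different situation from a cert that lists both OIDs.
        $noEku = (-not $eku)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuth     = $noEku -or ($oids -contains $ServerAuthOid)
            ClientAuth     = $noEku -or ($oids -contains $ClientAuthOid)
            NoEkuExtension = $noEku
        }
    }
}

# Show every machine certificate, then highlight the ones that would NOT satisfy a
# requirement for both EKUs (and therefore match the symptom discussed above).
$report = Get-EkuReport
$report | Format-Table -AutoSize

"Certificates missing Server Authentication or Client Authentication:"
$report | Where-Object { -not ($_.ServerAuth -and $_.ClientAuth) } |
    Select-Object Subject, Thumbprint, ServerAuth, ClientAuth | Format-Table -AutoSize
```

For a single certificate, the same information is visible under "Enhanced Key Usage" in the output of `certutil -store My <thumbprint>` (thumbprint is a placeholder), which is the tool the R2 Certificate guide's instructions use. Note that a certificate whose EKU lists both OIDs and one with no EKU extension at all will both pass the check above, but they are not equivalent from a least-privilege standpoint: prefer an explicit EKU that lists only the usages the server actually needs.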

If you encounter this issue, follow Mark's steps; if that fails, contact support so we can investigate and provide a fix or a documentation update.

TomL LCSKid

* The OCS 2007 R2 Deploying Certificates.doc can be downloaded as part of the server documentation download page, url here: https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e9f86f96-aa09-4dca-9088-f64b4f01c703

Comments

  • Anonymous
    August 27, 2010
    We had this type of problem with desktop sharing not working unless client auth was set on the front end servers. We found out, after calling support, that it was an issue with having too many certs on our client machines. We ended up needing to add a registry key to the front end server to stop the checking of the certs from the client side.