About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2012/05/03

Lync TrustModelData

The Issue

Recently, I had a small issue with Lync 2010 clients objecting to the certificate on the autodiscover.company.com CAS server.

The internal domain in use for SIP was company.local, and the CAS had company.com, although autodiscover.company.local was also on that cert.

Interestingly, we first looked at strict DNS naming; however, that did not appear to be the root cause. A colleague pointed out to me that he thought the TrustModelData might be doing it, so we investigated that route.

The error popped up as soon as autodiscover.company.com (the SMTP domain) was added to DNS. Here is the error:

[Screenshot of the error]

Lync is hardcoded to act on finding Autodiscover, and it immediately attempts to connect to the advertised EWS. In our case, the SMTP domain does not match the SIP domain (company.com vs. company.local).

The Fix

As it turns out, there is a registry entry in HKLM to control this behavior – by default this key is populated with a selection of Microsoft Online entries – none of which matched our company.local. We pushed the following registry change with SCCM; GPO was not an option due to XP workstations. 

This option is NOT part of Lync in-band client provisioning, and you can put the entry in either

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\TrustModelData 

OR

HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator\TrustModelData

and APPEND your SMTP domain to the list.


The precedence for applying these changes is:

(1) In-band provisioning, (2) HKLM, (3) HKCU, (4) Lync option set in client. 

Because of this ordering, we decided on using HKLM for our registry change so that all users of the workstation would get the change.

YMMV.
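
One way to script the HKLM change described above, as an added example that is not part of the original post: it appends a single domain to TrustModelData without overwriting the entries already there, and refuses wildcards or malformed names so the list is not widened by accident. It assumes the value is a REG_SZ holding a comma-separated list of domains; the parameter names `Domain` and `ReportOnly` are hypothetical.

```powershell
# Added example: idempotently append one domain to TrustModelData under HKLM.
# Assumption: the value is a REG_SZ holding a comma-separated list of domains.
param(
    [Parameter(Mandatory=$true)][string]$Domain,   # e.g. company.com (the SMTP domain)
    [switch]$ReportOnly                            # show the result, change nothing
)

$key  = 'HKLM:\Software\Policies\Microsoft\Communicator'
$name = 'TrustModelData'

# Accept only a plain DNS name: no wildcards, commas, spaces or URL schemes.
$dnsName = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
if ($Domain -notmatch $dnsName) {
    throw "Refusing to add '$Domain': not a plain DNS domain name."
}

# Read the current list; a missing key or value is treated as an empty list.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Write-Output "Current entries ($($entries.Count)): $($entries -join ', ')"

# -contains compares case-insensitively, so COMPANY.COM matches company.com.
if ($entries -contains $Domain) {
    Write-Output "'$Domain' is already in the list; nothing to do."
    return
}

# Append rather than replace, so the existing default entries are preserved.
$updated = ($entries + $Domain) -join ', '

if ($ReportOnly) {
    Write-Output "Would write: $updated"
    return
}

# Create the policy key if it does not exist yet, then write the string value.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value $updated -Type String
Write-Output "Wrote: $updated"
```

Writing under HKLM needs an elevated session; running first with `-ReportOnly` shows the exact string that would be written on that workstation.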
