A tip for enjoying communicator Phone Edition with Office Communications Server…
It’s fairly well documented that you may have some problems logging into a Tanjay/Polycom CX700/Nortel/WhatEverYouWantToCallit communicator Phone Edition if you try to login like this:
Sign-in Name: matt.mcgillen@corp.contoso.com
UserName: matt.mcgillen@corp.contoso.com
So the docs say to not log in with the UserName as I show above. It says to use it in this format:
Sign-in Name: matt.mcgillen@contoso.com
UserName: CORPmatt.mcgillen
I did that dutifully. And to be fair, that’s always worked for me when I’ve tried it. But this time around it wouldn’t log in… It kept failing with "Cannot validate the certificate because the domain is inaccessible" or something like that. That error message might lead you to believe that it’s a problem publishing the cert. Which is what I thought. I followed Jens’ advice in his blog (which appears to be also verbatim in the new Deploying Phone Edition guide). The short version of the cert deal is to go to the Server that is your CA and run this command:
certutil -f -dspublish <Root CA certificate in .cer file> RootCA
For example:
Certutil –f –dspublish c:rootcert.cer RootCA
Now to double check, you can fire up ADSIEdit (if you don’t have it, install the Windows Server support tools) And browse the domain in the following structure:
CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<tld>.
In ADSIEdit, you can open the object that’s in the Certification Authorities and view the properties. Check the dNSHostName property and make sure it’s the name of the CA
Unluckily for me, I ran through all these steps and it was still failing to log in, telling me that the domain is inaccessible. I was absolutely convinced that it wasn’t a problem with the cert.
I thought that maybe it was down to the version of Phone Edition (it was still the Beta – don’t ask why it wasn’t update… I’m still too mad about the OCS Software Update Service to talk about that right now). But I checked and it failed on phones that had the most current version of the firmware.
Then I thought that it was because the users were logging into the phone with accounts that were in a different forest (OCS was deployed in a resource forest). So to mitigate that, I tried logging in with an account in the OCS resource forest. That didn’t fix it either.
So I tried that and it didn’t work either. I was really sad.
Then, for giggles, because I was at that stage, I logged in like this:
Sign-in Name: matt.mcgillen@contoso.com
UserName: corp.contoso.commatt.mcgillen
Now this is absurd. I’ve never logged in using the DOMAINUSER format and specified the FQDN of the domain. Well – yeah… Apparently that’s what you do if you want the Tanjay to download the root cert and be able to log in to OCS.
Sadly/Interestingly/Maddeningly: once you’ve logged in like that & downloaded the root cert and everything is joyful, you can actually use the CORPmatt.mcgillen format for subsequent logins!!
Well anyway- once we were all logged in, things worked well, voice quality was great, and I then was reminded why I actually really, really, like the Tanjay phones.
