Wednesday, December 1, 2010

Federating with everyone.

In order to use federation with OCS, OCS R2 and Lync in a supported configuration, the documentation requires the following:

  • The certificate must be issued by an approved public CA that supports subject alternative name. For details, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners for Exchange Server and for Communications Server," at http://go.microsoft.com/fwlink/?LinkId=202834.

This is a short list of official certificate providers:

Now in reality (and if you don't need to be in a fully supported configuration) you just need a certificate that chains back to a root certificate that you know everyone has. Assuming your partners are running OCS, OCS R2 or Lync Server 2010, their edge servers are running Windows Server 2003, 2003 R2, 2008 or 2008 R2, so what you want is a certificate issued from a root that is installed by default on all of those platforms. In theory, Windows Server 2008 downloads root certificates on demand; in practice OCS R2 doesn't seem to ask for them, so they never get downloaded. That leaves a fairly short (and shrinking) list of usable roots. So if you find that you can federate with some partners but not others, chances are the failing partner's certificate is issued from a root that is not installed on your edge server.
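The symptom described above can be reproduced offline. The script below is an added example, not code from the original post: it builds a throwaway CA hierarchy with openssl (the names Demo Root CA, Demo Intermediate CA, Other Root CA and sip.partner.example are made up for the demo) and checks the same edge certificate against two different root stores, the way the edge server's trusted root store is consulted during the federation TLS handshake. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the "federates with
# some partners but not others" symptom offline by building a throwaway CA
# hierarchy with openssl and checking the same edge certificate against two
# different root stores. Every name here (Demo Root CA, Demo Intermediate CA,
# Other Root CA, sip.partner.example) is made up for the demo.
#
# Against a real partner you would fetch the chain their edge presents with
#   openssl s_client -connect sip.partner.example:5061 -showcerts </dev/null
# and feed the leaf and any intermediates to check_chain with your own root
# store as the CA file.
set -e

WORK="${TMPDIR:-/tmp}/fed-chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: one for CA certificates, one for the edge server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:sip.partner.example\n' \
  > "$WORK/leaf.ext"

# mkcert NAME CN EXTFILE [ISSUER]: create a key and CSR, then self-sign it
# (no ISSUER) or sign it with ISSUER's key, applying the extensions in EXTFILE.
mkcert() {
  name=$1; cn=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 -extfile "$ext" \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

# check_chain ROOTSTORE INTERMEDIATES LEAF: prints "trusted" when LEAF chains,
# through the (untrusted) INTERMEDIATES file if one is given, to a root in
# ROOTSTORE, and "untrusted" otherwise. ROOTSTORE stands in for the edge
# server's Trusted Root Certification Authorities store.
check_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# The partner's chain: root -> intermediate -> edge certificate, plus an
# unrelated root that our own edge happens to trust instead.
mkcert root  "Demo Root CA"         "$WORK/ca.ext"
mkcert int   "Demo Intermediate CA" "$WORK/ca.ext"   root
mkcert leaf  "sip.partner.example"  "$WORK/leaf.ext" int
mkcert other "Other Root CA"        "$WORK/ca.ext"

# Our store holds the partner's root: the federation handshake would succeed.
echo "root installed:         $(check_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem")"
# Our store holds some other root: same certificate, handshake fails.
echo "root missing:           $(check_chain "$WORK/other.pem" "$WORK/int.pem" "$WORK/leaf.pem")"
# Root installed, but the partner's edge never sends its intermediate:
# the chain cannot be built either.
echo "intermediate not sent:  $(check_chain "$WORK/root.pem" "" "$WORK/leaf.pem")"
```

The third case is worth keeping in mind when troubleshooting: a partner whose root you do trust can still fail if their edge server doesn't have the issuing intermediate installed and so never presents it, which looks identical from your side to a missing root.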

So as a certificate buyer, you really should buy a cert from an officially approved vendor. That said, after a bad experience with federation using GoDaddy certs, in my lab I use (in an unsupported manner, as I use a single CN and don't list any SANs) a RapidSSL cert from ServerTastic for $13.00 per year for a single domain cert. Conveniently, it is issued from a GeoTrust / Equifax root, which is far more prevalent than GoDaddy's. I have had no issues since switching to this cert.

As a federating partner, if you want to expand your scope to 'cheap' federation partners, try installing the latest root certificate package here, after reading the warnings here.
