About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2012/05/03

Lync TrustModelData

The Issue

Recently, I had a small issue with Lync 2010 clients objecting to the certificate presented by the Exchange CAS behind autodiscover.company.com.

The internal SIP domain was company.local, while the CAS certificate was issued for company.com names (autodiscover.company.local was also on that cert).

Interestingly, we first looked at strict DNS naming; however, that did not appear to be the root cause. A colleague pointed out to me that he thought the TrustModelData value might be doing it, so we investigated that route.

The error popped up as soon as autodiscover.company.com (the SMTP domain) was added to DNS. Here is the error:

[Screenshot: the Lync 2010 client error]

Lync is hardcoded to act on finding Autodiscover, and it immediately attempts to connect to the advertised EWS. In our case, the SMTP domain (company.com) does not match the SIP domain (company.local), so the client does not consider the EWS server trusted for the sign-in address.

The Fix

As it turns out, there is a registry value in HKLM (TrustModelData) that controls this behavior. By default this value is populated with a selection of Microsoft Online domains, none of which matched our company.local. We pushed the following registry change with SCCM; GPO was not an option due to XP workstations.

This option is NOT part of Lync in-band client provisioning, and you can put the entry in either

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\TrustModelData

OR

HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator\TrustModelData

and APPEND your SMTP domain to the list. The value is a REG_SZ holding a comma-separated list of domains; append to it rather than overwrite it, so the entries already present are kept.


The precedence for applying these changes is:

(1) In-band provisioning, (2) HKLM, (3) HKCU, (4) Lync option set in client. 

Because of this ordering, we decided on using HKLM for our registry change so that all users of the workstation would get the change.
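The following PowerShell script is an added example of the HKLM change described above; it is not the script from the original post or anything shipped by Microsoft. It assumes TrustModelData is a comma-separated REG_SZ, uses the post's domain (company.com) and HKLM policy path, and assumes PowerShell is present on the target (on the XP workstations mentioned, PowerShell 2.0 is an optional install). It appends the domain only if it is missing, so it is safe to re-run from an SCCM package, and it reads the value back so the same script can serve as the detection check.

```powershell
# Added example, not from the original post: append an SMTP domain to the
# Lync 2010 TrustModelData policy value in HKLM without clobbering existing entries.
# Assumptions: TrustModelData is a REG_SZ holding a comma-separated domain list;
# the default domain and key path below follow the post (company.com, HKLM policy key).
param(
    [string]$Domain  = 'company.com',
    [string]$KeyPath = 'HKLM:\Software\Policies\Microsoft\Communicator'
)

$valueName = 'TrustModelData'

# Create the policy key if it does not exist yet (client never received this policy).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Read the current list; an absent value yields an empty list.
$current = (Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$entries = @()
if ($current) {
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Append only when the domain is missing (comparison is case-insensitive), so the
# deployment is idempotent and never drops the entries that are already there.
if ($entries -notcontains $Domain) {
    $entries += $Domain
    $newValue = $entries -join ', '
    Set-ItemProperty -Path $KeyPath -Name $valueName -Value $newValue -Type String
    Write-Output "Appended $Domain to ${valueName}: $newValue"
} else {
    Write-Output "$Domain already present in ${valueName}"
}

# Read back the value; use this line (or its output) as the SCCM detection rule.
(Get-ItemProperty -Path $KeyPath -Name $valueName).$valueName
```

One caveat worth checking on a test workstation first: if the policy value did not exist before, the script creates it with only your SMTP domain in it, and the client will then use that list instead of the built-in Microsoft Online entries the post mentions. If you still need those, seed the list from a client that already has them before pushing the package. Run the script elevated, since it writes under HKLM.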

YMMV.
