Thanks to Yomi for helping out. Hopefully you have been nice to him. Apparently today I was worthy.
Do you have:
- SfB 2019/2015 on-premises?
- Empty root domain with child domain that has the user accounts?
- Domain.com and ad.domain.com?
- Internal PKI for internal functions; public PKI for public-facing functions?
- Multiple SIP domains?
- Domain.com, aa.domain.com, someotherdomain.com, someotherdomain2.com, (I had 15 of these)
- Surface hubs that appear to be V1 devices?
- Mine reported themselves as 10 (built 15063) with all current updates. This will be a bit tricky as all the guidance from google-fu shows different screens that what I had. But you can probably read between the lines a bit and still be successful.
- Setup the user account as normal – full Exchange mailbox, setup same to handle calendar auto enroll, etc.
- Non-expiring passwords highly desired but not required (you have to change the PW on the device each time the user account changes PW)
- Enable that email account as SfB user. EV not required, but they need to be account as described in various guides… full mbx, full calendaring, etc.
The issue at hand:
- Surface logs in as device admin, finds Exchange account and logs in. Any attempt to login as SfB account results in either a refusal to do anything (you got the SIP domain wrong) or it just spins.
- For the first one, check your spelling.
- For the second, it turns out to be two issues:
- First, the cert being presented by the SfB internal services is PRIVATE, so therefore a non-domain device/user (like a Surface)(Windows Team – the core O/S on a Surface cannot join domain) does not have the Trusted Root Cert from the internal PKI CA, so it refused to connect.
- In my case, ZERO additional information – no error message, no nothing… just the spin. Bummer.
Fix:
- You need to tell the Surface to like/trust both the SIP domain name AND the domain the server itself resides within.
- Ex: sip domain of domain.com, server domain of ad.domain.com
- And you need the trusted root loaded onto the Surface.
- Easier said than done.
To fix the first one:
- Get into the settings (requires device admin)
- All Settings| Calling and Audio|configure domain name
- You can enter multiple names comma separated
- Restart to have it take effect
- Download via Windows Store the “Windows Imaging and Configuration Designer.
- With my squeaky new Zbook, the our corp store barfed on delivering what it said we owned. But, there is another source also:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
- I did choice #2/3, and then installed JUST the one tool needed as noted in the link.
- From there, get a copy of the Trusted Root Cert, and then follow these instructions:
- Next, restart the Surface.
Finally. Enjoy the goodness.
YMMV
