Communicator Phone Edition doesn’t work with PKI SHA2
Posted by Mino on April 12, 2009
I was really going nuts on this case, but in the end I was really happy with what I learnt on the security side. I spent two nights until 4 AM just trying to figure out one thing:
“Why the hell is this phone not able to log in?”
OK, if you read my previous post on the Phone Edition update error “0x2ee7/0”, you will notice I was able to successfully update the firmware of the phone to the latest R2.
I have the below Environment:
· OCS 2007 R2 Front End on Windows 2008
· OCS Back End on SQL 2008 running on Windows 2008
· PKI running on Windows 2008
Communicator clients are working just fine and everything is as it should be… everything except the Communicator Phone Edition.
Whenever I try to login, it shows the phone is doing the following loop of actions:
· Locating Domain Controller
· Downloading Certificate
· Installing Certificate
· Connecting to Office Communications Server
And then the loop starts again…
1. I made sure that the certificate is correctly published in Active Directory
2. I made sure of all naming conventions on the OCS
3. I made sure of the security rights on the CA to download the certificate chain from the HTTP web enrolment page
In the end I took a trace with Wireshark to see exactly how it connects:
· The phone shows a correct connection to the NTP, DNS and DHCP records
· It locates the right CA, communicates with it and gets an “authorized” signal back
· Then it tries to communicate with the OCS Server
· Then all of a sudden the connection is dropped
I contacted two Microsoft senior consultants; they both double-checked all the settings with me and had no clue why it was doing that, but what they were sure of is that the phone doesn’t like the root CA for some reason.
So we went back to the Security Architecture Consultant from Microsoft who built this PKI, and he gave us a clue: we have a Root CA and beneath it an Issuing CA.
The design of this PKI is based on 4096-bit keys and the SHA256RSA algorithm. We asked the Microsoft development team whether this Phone Edition supports that PKI setting, especially since it is running Windows CE, and it appeared that SHA2 is only supported on XP SP3 or later and Windows 2003 SP1 or later. But no one from the development team had any confirmed information.
So I installed another PKI with 2048-bit keys and the SHA1 algorithm instead of SHA2, replaced all certificates on the OCS Server with ones from the new PKI and…
Voilà, the phone is working in no time.
Lesson learnt: too much security will kill you, if you can’t make up your mind 😀
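As an added example (not the post's own, and not a tool from Microsoft or Polycom): a dependency-free Python check that reads the signatureAlgorithm OID out of each DER certificate in a chain and flags the SHA-2 signed ones, so a root or issuing CA like the one above stands out before the phones are rolled out. The two certificate stubs at the end are constructed for the demo; real .cer files exported from the CA would be read with open(path, "rb").

```python
# RSA signature OIDs (RFC 3279/4055): display name and whether the digest is SHA-2.
RSA_SIG = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSA", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSA", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSA", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSA", True),
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert DER OID content octets to dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate
    _, algid, _ = read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(algid, 0)         # first element: the algorithm OID
    return decode_oid(oid)

def chain_report(chain):
    """chain: list of (label, der) -> (label, algorithm, is_sha2); is_sha2 None if OID unknown."""
    out = []
    for label, der in chain:
        oid = signature_algorithm(der)
        name, is_sha2 = RSA_SIG.get(oid, (oid, None))
        out.append((label, name, is_sha2))
    return out

# Constructed certificate-shaped stubs for the demo (NOT real certificates):
# SEQUENCE { empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING }.
ROOT_SHA256_STUB = bytes.fromhex("30153000300d06092a864886f70d01010b050003020000")
OCS_SHA1_STUB = bytes.fromhex("30153000300d06092a864886f70d010105050003020000")
```

Any entry in the report with is_sha2 True is a certificate the Windows CE phone described above would refuse; the check covers the signature digest only, not the 4096-bit key size.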
This entry was posted on April 12, 2009 at 2:19 PM and is filed under Certificates, OCS 2007 R2, Phone Edition. Tagged: Certificate Authority, Communicator phone edition is unable to login, OCPE, Office communications Server 2007, PKI, PKI SHA2, Polycom CX700, SHA256RSA, Tanjay errors, Tanjay unable to login.
Jeremy Marut said
I was excited to see this post because we have an identical architecture and we’re experiencing an identical loop with downloading and installing the certificate. However, the solution was a downer because I found we are already using 2048 with SHA1.
What I’m finding is that while the phone gets past the “contacting time service” prompt on initial boot, the time and date are incorrect. I think this invalidates the cert that the phone downloaded. The phone will then loop getting and installing what essentially is an expired certificate.
As difficult as everyone said the R1 phones were to update, I wish these newer phones allowed you to get into the OS to check on the time server settings or validate what we think the issues are. Our Microsoft pilot contacts don’t want to put in the time to fix a Nortel issue and the Nortel pilot people aren’t that hot on putting in time on a Microsoft pilot…
Iamsuffering said
Jeremy, I am running into the same issue as you (Have SHA1 but the phones will not register and get the expired certificate issue). Were you able to get past this, and if so, what did you need to do?
Thanks
Polycom CX700 – certificate issue « Louis UC Blog said
[…] a long research, I found only Mino facing the exact same problem. And bingo! The root certificate of this particular company was SHA2 @ 4096 bits. As the Polycom […]