Although I was really going nuts over this case, in the end I was really happy with what I learnt from the security side. I spent something like 2 nights until 4 AM trying to figure out just one thing:
“Why the hell is this phone not able to log in?”
OK, if you read my previous post on the Phone Edition update error “0x2ee7/0”, you will have noticed that I was able to successfully update the firmware of the phone to the latest R2.
I have the following environment:
· OCS 2007 R2 Front End on Windows 2008
· OCS Back End on SQL 2008 running on Windows 2008
· PKI running on Windows 2008
Communicator clients are working just fine and everything is as it should be… everything except the Communicator Phone Edition.
Whenever I try to log in, the phone shows the following loop of actions:
· Locating Domain Controller
· Downloading Certificate
· Installing Certificate
· Connecting to Office Communications Server
And then the loop starts again…
1. I made sure that the certificate is properly published in Active Directory
2. I made sure of all the naming conventions on the OCS
3. I made sure of the security rights from the CA to download the certificate chain over the HTTP web enrollment page
In the end I made a trace using Wireshark to see exactly how it connects:
· The phone shows the right connection to the NTP, DNS and DHCP records
· It locates the right CA and communicates with it, and the CA gives an Authorized signal back
· Then it tries to communicate with the OCS Server
· Then, all of a sudden, the connection is dropped
I contacted senior consultants at Microsoft; they both double-checked all the settings with me and had no clue why it was doing that, but what they were sure of is that the phone didn’t like the root CA for some reason.
So we went back to the Security Architecture Consultant from Microsoft who had built this PKI, and he gave us a clue: we have a Root CA and beneath it an Issuing CA.
The design of this PKI is based on 4096-bit keys using the SHA256RSA algorithm. We asked the Microsoft development team whether this Phone Edition supports that PKI setting, especially since it is running Windows CE, and it appeared that SHA2 is only supported on XP SP3 or later and Windows 2003 SP1 or later. But no one from the development team had any confirmed information.
So I installed another PKI with 2048-bit keys using the SHA1 algorithm instead of SHA2, replaced all the certificates on the OCS Server with ones from the new PKI and….
Voilà, the phone is working in no time.
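As an added example (not part of the original post), this shell script reports the signature algorithm and RSA key size of each CA certificate, the two parameters that decided this case, and flags a chain that a SHA-1-only client such as this Windows CE phone will not accept. It assumes the openssl CLI is installed, and the sample CA certificates it generates are constructed here, not the real PKI's.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the signature hash and RSA key
# size of each certificate file given, the two PKI parameters at issue above, and
# flags certs a SHA-1-only client (such as this Windows CE phone) cannot validate.
# Requires the openssl CLI; the sample CA certs are constructed here, not real ones.
set -eu

# Signature algorithm name as printed by openssl, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# RSA modulus size in bits, e.g. 4096.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Verdict for a client that validates only SHA-1 RSA signatures:
#   sha2-unsupported  - SHA-2 signed, the client rejects the chain (this case)
#   sha1-legacy       - SHA-1 signed, the client accepts it but the hash is deprecated
#   other             - anything else (ECDSA, MD5, ...), review by hand
legacy_client_verdict() {
    case "$(cert_sig_alg "$1")" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) echo sha2-unsupported ;;
        sha1WithRSAEncryption) echo sha1-legacy ;;
        *) echo other ;;
    esac
}

# One report line per certificate (pass the root and the issuing CA files).
report_chain() {
    for f in "$@"; do
        printf '%s: %s, %s-bit key -> %s\n' "$f" "$(cert_sig_alg "$f")" \
            "$(cert_key_bits "$f")" "$(legacy_client_verdict "$f")"
    done
}

# Constructed samples: the original 4096/SHA-256 design and the 2048/SHA-1 replacement.
make_sample_ca() {  # $1 = output file, $2 = RSA bits, $3 = digest
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        "-$3" -days 1 -subj "/CN=constructed-sample-ca" >/dev/null 2>&1
}
SAMPLE_DIR=$(mktemp -d)
make_sample_ca "$SAMPLE_DIR/ca-4096-sha256.pem" 4096 sha256
make_sample_ca "$SAMPLE_DIR/ca-2048-sha1.pem" 2048 sha1
report_chain "$SAMPLE_DIR/ca-4096-sha256.pem" "$SAMPLE_DIR/ca-2048-sha1.pem"
```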
Lesson learnt: too much security will kill you, if you can’t make up your mind 😀