Wow, I can’t believe I last published something about Lync/Skype in December of 2015!
Today I am writing about something that I personally cannot find anywhere on the internet: what happens with SHA-1 internal domain root CA certificates in Skype for Business in 2018, almost a month short of the one-year anniversary of the March 2017 initial browser trust updates?
There are numerous issues I have experienced in the last month for which I have yet to officially find a trigger. I have an open case with Microsoft for this; however, since it was logged it has yet to be picked up by anyone, despite being escalated again as recently as this morning.
Note: as of today (2018/03/05) this is the only article on the internet that relates SHA-1 to issues experienced on Skype for Business. I do not know why.
Example client experience:
Users complain about not being able to see their own or other users’ presence in Skype for Business, as seen here by a colleague at work:
Investigation revealed that our internal IT had somehow missed a single front-end server which was still running a SHA-1 signed certificate internally. External users did not experience the same issue, and internal users did not get any certificate warnings in their Skype clients.
Once that server was updated to a non-SHA-1 certificate from the internal root CA, the issue went away.
Other reported client issues experienced:
- Users having trouble signing into Response Groups.
- Users having issues joining meetings.
- Meeting URL does not exist for online meetings.
- Users who have been in the environment for a while can host and join meetings, but for new users meetings just result in a blank page which eventually errors out.
- Users cannot make external calls.
- Users cannot sign on.
- Trusted Application connections to the Skype/Lync environment fail.
Now a very interesting and strange thing I need to mention quickly: I have other environments right now running SHA-1 certificates that are not affected yet, but from experience I can say that once they start being affected they do not stop, and it only gets worse every single day until this is addressed and repaired. So don’t wait until your customer’s environment falls over; start dealing with this right now and prevent a potential outage.
I will update this article with some more pictures detailing this when available. In the interim, the obvious question is: what can be done about this?
First, confirm you do indeed have this issue caused by SHA-1:
1. Confirm the internal root CA certificate is SHA-1 signed. (Windows does not validate the self-signature on a trusted root, so what chain validation actually checks is the algorithm the CA used to sign the certificates it issued; a SHA-1 self-signed root that now issues SHA-256 certificates is not by itself the problem, which is why step 2 is the decisive check.)
2. Confirm the certificate on your Skype/Lync server is also a SHA-1 signed certificate issued by that CA.
3. Your Skype/Lync Server environment runs Server 2012 R2 (2008 and 2008 R2 do not yet complain about trusting SHA-1 certificates, for some unknown reason).
If your answer to all of these is yes, then you can safely assume SHA-1 is the cause of the issues you are experiencing.
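The following is an added example (my own, not code from the original post) that runs the three checks above from an elevated PowerShell prompt on the front-end server. It assumes the server certificate is in the LocalMachine\My store and that its thumbprint can be read with Get-CsCertificate from the Skype for Business Management Shell; if that cmdlet is not available, pass the thumbprint explicitly with -Thumbprint.

```powershell
# Added example, not from the original post: confirm SHA-1 in the certificate
# chain of the Skype for Business / Lync front-end certificate and report the OS.
# Assumptions: server cert lives in Cert:\LocalMachine\My; Get-CsCertificate is
# available (Skype for Business Management Shell) or -Thumbprint is supplied.
param(
    [string]$Thumbprint
)

# 1. Trusted roots in the machine store whose own signature is SHA-1.
#    Informational only: Windows does not validate a root's self-signature,
#    the signatures on the certificates it issued are what matter (step 2).
Write-Host '== Trusted roots signed with SHA-1 =='
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha1' } |
    Select-Object Subject, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# 2. Signature algorithm of every certificate in the chain of the server
#    certificate that Skype for Business is actually using.
if (-not $Thumbprint) {
    if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
        $Thumbprint = (Get-CsCertificate -Type Default).Thumbprint
    } else {
        throw 'Get-CsCertificate not found; re-run with -Thumbprint <server certificate thumbprint>.'
    }
}
$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the signature algorithms are of interest here
[void]$chain.Build($cert)

Write-Host "== Chain of $($cert.Subject) =="
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    $selfSigned = ($c.Subject -eq $c.Issuer)
    [pscustomobject]@{
        Subject    = $c.Subject
        SelfSigned = $selfSigned
        SigAlg     = $c.SignatureAlgorithm.FriendlyName
        # True for an issued (non-root) certificate whose signature is SHA-1: the condition this post is about.
        Sha1Issued = (-not $selfSigned) -and ($c.SignatureAlgorithm.FriendlyName -match 'sha1')
    }
} | Format-Table -AutoSize

# 3. Operating system of this server (the post reports the symptoms on Server 2012 R2).
Write-Host '== OS =='
(Get-CimInstance Win32_OperatingSystem).Caption
```

Any row with Sha1Issued = True is a certificate that has to be reissued. To see what your CA will sign with going forward, run `certutil -getreg ca\csp\CNGHashAlgorithm` on the CA itself; on a CA whose key is held by a CNG key storage provider, `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` followed by a restart of the certsvc service switches new issuance to SHA-256 (a CA still on a legacy CSP has to have its key migrated to a KSP first). Changing the CA's hash algorithm does not touch certificates already issued, so the server certificates still need to be requested again afterwards.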
Official Documentation from Microsoft related to this:
“Today, we intend to do more to warn consumers about the risk of downloading software that is signed using a SHA-1 certificate. Our goal is to develop a common, OS-level experience that all applications can use to warn users about weak cryptography like SHA-1. Long-term, Microsoft intends to distrust SHA-1 throughout Windows in all contexts. Microsoft is closely monitoring the latest research on the feasibility of SHA-1 attacks and will use this to determine complete deprecation timelines.”
Note: Whilst you will not find it stated officially anywhere that internal certificates are affected, it is only logical that neither the Skype client nor any browser on your machines would be able to differentiate between being internal and seeing an internal certificate versus being external and seeing an external certificate. So let's just assume SHA-1 is not trusted and move on.
There are numerous articles on how to upgrade your internal root CA to SHA-2 (SHA-256). I cannot personally present any preferred articles right now, so I will add some good URLs that I have used soon.
I am going to keep a counter below so I can keep track of how many times this issue comes up and turns out to be something unrelated, and how many times it comes up and is in fact caused by SHA-1. I am starting with my own current count of 5; leave me a note and I will add your count to the lists:
Customers affected, found by myself to be SHA-1 related: 5
Customers affected, found by myself to be unrelated to SHA-1: 0
Community customers found to be affected by a SHA-1 certificate: 0
Community customers found not to be affected by a SHA-1 certificate: 0