A recent blog article shows how to easily deploy a Polycom SIP Phone running UCS 4.1.0 firmware in a Lync environment, but in the event that the device is unable to successfully sign in to the Lync server then this is typically a TLS communications problem most often attributed to a certificate trust failure.

Lync Registration Failure

If registration of the device fails to the Lync Server the first thing to check is the device logs which are accessible through the phone’s built-in web management interface.

Check Device Logs

• Open the web management interface by simply connecting to the IP address of the phone from in a web browser, provide the Admin password (default value is ‘456’) and browse to the Diagnostics > View & Download Logs menu.

000928.720|cfg  |4|00|Prov|Unknown suboption received for DHCP option 43
000928.720|cfg  |4|00|Prov|Invalid STS-URI: ‘http:///anon’
000930.280|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipexternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipexternal.polycomcsna.com’ found no records.
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.457|sip  |4|00|MakeTlsConnection: SSL_connect error 1
000930.457|sip  |4|00|MakeTlsConnection: connection failed error -1

The log excerpt above shows what happens when the device is unable to locate the Lync Server certificate provisioning service due to missing or incorrectly configured DHCP Option 43 values.

Check Certificate Store

• To validate that the root certificate was not successfully downloaded press the physical Home button and then tap the following menu items: Settings > Advanced > Administration Settings > TLS Security > Custom CA Certificates and then scroll down to the bottom of the list to the Application CA 6 container.

• To perform the same check using the web management interface instead browse to the Settings > Network > TLS menu and check that the Application CA 6 container is blank.

Import Root Certificate

In this scenario the device was not able to automatically download a root certificate and thus cannot establish a secure TLS connection to the Lync Server to begin the registration process.

In the event that this prerequisite configuration is not available or the phone is unable to successfully import the root certificate chain then the certificate(s) must be provided to the phone manually.  Understand that the automatic download process simply uses the last Application CA 6 container as it is the least commonly used container and should prevent conflicts when multiple cert chains are loaded into the device at one time.  When importing certificates manually any of the available Application CA containers can be used; the examples below will utilize Application CA 1.

There are two different processes available for manually providing a root certificate or chain of certificates to the device, either by importing an XML configuration file which contains the certificate hash(es) or by hosting a certificate file on a web server and simply pointing the device to the URL to import it.

XML Method

The approach is basically the same process as documented for the previous 4.0 release by using an XML configuration file, but the file will only contain the few parameters specific to the certificate and not all of the other parameters that used to be required for the older version.

• Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

• Create a new XML file as instructed in the previous article, but instead only include the following two parameters: “sec.TLS.customCaCert.1” and “sec.TLS.profileSelection.SIP”..  Save the file (e.g. cert.cfg).

<?xml version=”1.0″ encoding=”utf-8″?>
<!–UCS 4.1 Lync Certificate Import File–>
<lync>
  <cert sec.TLS.customCaCert.1=”” sec.TLS.profileSelection.SIP=”ApplicationProfile1″ />
</lync>

If a different container is desired simply update the last digit in the sec.TLS.customCaCert.1 parameter to a value of 1 through 6 to coincide with one of the six Application CA containers.  In addition change the digit in the ApplicationProfile1 value for the second parameter to match.  For example, to store a certificate in container 3 update the configuration as shown below.  This approach may be needed to import a chain of multiple certificates in some environments.

• Using the web management interface browse to the Utilities > Import & Export Configuration menu and expand Import Configuration.

• Click Choose File and then locate the XML configuration file created in the previous step (e.g. cert.cfg) and then select Import.

• If performed correctly, and the user credentials are still stored in the phone then the device should automatically register to Lync within a matters of a few seconds.

Web Server Method

There is also an alternative approach to importing the certificates on the phone that doesn’t require using these XML configuration files as shown above.  Instead the certificate hash file(s) would be placed on a standard web server that the phone can connect to and then the certificate can be imported manually from the web management interface using a URL.  This process is simpler than dealing with the XML configuration file and provide a single distribution point for importing the certificate.

• Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

• Copy the newly created certificate text file (e.g. RootCA.cer) file to an accessible web server directory.  In this example the default root directory (wwwroot) for IIS on a Windows Server was used.  Typically a Lync Server itself cannot be used in this fashion as authentication is required for even HTTP connections to the server, so the default IIS installation on another Windows server was used which allowed for anonymous HTTP connections.

• Test anonymous HTTP access by connecting to the file’s URL (e.g. http://dc.schertz.local/RootCA.cer) using a web browser.  The contents of the plain text file should be displayed as shown in the following screenshot.

• Open the web management interface and browse to the Settings > Network > TLS menu.  Select the desired Application CA container and enter the same URL to the certificate file that was used in the previous step ((e.g. http://dc.schertz.local/RootCA.cer).

• The Install button should activate once a properly formatted URL is entered.  Click Install and then device should report that the SSL certificate was successfully installed.  If the user credentials were already entered into the device and the Lync Base Profile previously selected then the phone will immediately attempt to register to the Lync Server.

If the certificate authority is multi-tiered, meaning there is a Root CA and one or more subordinate Issuing CA then the entire chain may need to imported into the phone, depending on which CA issued and signed the certificate that was used on the Lync Servers.  If loading only the root CA certificate into the device does not resolve the registration failure then try also loading any other CA certificates in the same chain.

Using the web server process previously shown multiple certificates can be imported into separate containers as depicted below.