Time for more Lync/Skype4B troubleshooting!
We had a customer call in the other day. He had an older iPhone (4S, iOS 8) and still used Lync Mobile for iOS. Now, it worked fine when he was on the go (which he was much of the time). But when he tried to log in while in the office, he saw a sign-in error.
One of our Support Engineers went on-site with his iPhone 6 (iOS 9), running Skype for Business for iOS. He tried to connect to their server—and saw the same kind of error!
The Problem: iOS Looks at Internal Certificates and Says “Huh?”
We encountered this error ourselves internally, just after building our Lync Server 2013 instance. It’s an issue with the device and Lync/Skype for Business’ internal certificates.
Ordinarily, the Lync Server/Skype for Business Server will send certificates out to devices for authentication. Depending on your location (e.g., which network you’re on), these certificates are deployed as external (outside the local network) or internal (within the local network) certificates.
After version 5.4 of the Lync Mobile iOS client, iOS began having trouble verifying certificate authenticity. It appears to happen much more on internal certificates than externals. As far as we can tell, there is no single cause we can point to.
Even Microsoft isn’t sure. On both of the KB pages mentioning this error:
- Lync Mobile users cannot sign in after they update to client version 5.4 – Microsoft Support
- Users can’t sign in to Lync Mobile on Apple iOS-based devices because of certificate errors – Microsoft Support
They say, “The cause of each message is slightly different, but both errors are caused by the inability to verify the authenticity of a certificate or certification authority.”
Tom Talks UC also talks about it, with a little more detail, but no definite cause. Which is okay—he gets to the important point fast. How to fix it.
How to Install a Root Certificate on iPhone
First, verify you have a trusted root CA (certification authority) installed. Likely you installed this during Skype for Business setup, and it’s fine, but it never hurts to check.
(Reference on certificates during Skype4B Server setup: Install Skype for Business Server 2015 on servers in the topology – TechNet)
The solution to the internal cert error is simple: Install your Root CA certificate on the iPhone.
How? There are actually several ways.
- Email it over. Attach the certificate file to an email & send it to your iPhone. Tap the cert and you’ll see an installation screen with an Install button. After tapping that, you’ll probably see a warning: “The authenticity of ‘RootCert1’ cannot be verified.” Well, it’s your cert, so it’s OK to install. Tap “Install” and proceed. You should only need to do this once.
- Post the cert file to a private URL for download. Doing this lets you follow the same installation process as emailing. You’ll just use the iPhone’s browser (Safari, by default) to locate & install the root certificate. I recommend using a private, internal-only webpage for this. You don’t want any certificate file available for public download!
- Use the Apple Configurator. I hadn’t actually heard of this before. If you use a large number of Apple devices, the Configurator lets you configure them simultaneously. Like Group Policy on Windows systems. Adding a certificate via an Apple Configurator Configuration Profile automates the installation & deployment.
Which method you use depends on your network setup. We used email, as the customer in question didn’t use Apple Configurator and email was a fast (and successful) way to test.
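Whichever method you pick, before tapping through the “cannot be verified” warning it is worth confirming that the file sent to the phone is the certificate you exported and that it carries no private key. The script below is an added example, not code from the original post: it uses only the Python standard library, its function names and sample bytes are made up for illustration, and it assumes you recorded the expected fingerprint on the CA server through a channel other than the email or web page carrying the file.

```python
import hashlib
import hmac
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"

def load_public_cert(data: bytes) -> bytes:
    """Return the DER bytes of a single certificate supplied as PEM or DER."""
    if b"PRIVATE KEY-----" in data:
        # A root CA file handed to phones must hold the public certificate only.
        raise ValueError("file contains a private key; export the certificate only")
    if data.count(PEM_BEGIN) > 1:
        raise ValueError("file holds several certificates; send the root alone")
    if PEM_BEGIN in data:
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if not data.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data  # note: a binary .pfx/.p12 also starts with 0x30 and is not detected

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case fingerprint of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_expected(der: bytes, expected: str) -> bool:
    """Compare against a SHA-1 or SHA-256 fingerprint typed with or without separators."""
    want = "".join(c for c in expected if c not in ": \t").lower()
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    return hmac.compare_digest(hashlib.new(algo, der).hexdigest(), want)

# Constructed placeholder bytes standing in for the exported root certificate file
# (not a real certificate; fingerprinting only hashes the DER bytes).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    der = load_public_cert(SAMPLE_PEM)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
    print("match:  ", matches_expected(der, fingerprint(der)))
```

To use it on a real file, read the bytes of the file you are about to email or post and pass them to `load_public_cert`, then compare the printed fingerprint with the one recorded on the CA server.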