Lync Mobile iOS Certificate Errors

I ran into an issue (which I didn't with Android and WP7) where I was unable to login to the iPad and iPhone iOS Lync client. It turns out this error was two separate certificate errors. The first was immediately upon signing internal to the domain (because my Apple devices did not trust my internal CA). The second (internal or externally) was an issue with the intermediate certificate not being present on my KEMP Hardware Load Balancer.

Internal Root Certificate

The error I was seeing on my iPad was "Can't connect to the server. It might be unavailable. Also please check your network connection, sign-in address and server addresses". Again, the WP7 and Android devices were not experiencing this issue! (As a side, the Android devices did realize there was an untrusted certificate but I had the option of saying it was okay and move on. Eventually I simply emailed myself the root and intermediate certificates which installed with a simple click).

 

My Internal CA is comprised of a Root, Intermediate, and an Issuing CA yet the Apple devices only seem to care about the root. To add the certificate to the device, the Apple iPhone Configuration Tool is used. It is true that you could send yourself an email with the certificate, but I have found that the device does not fully trust that method. If you do not already have the Configuration Tool (it is not part of iTunes) download it from Apple here. There is a Mac version of the tool as well but I will show the Windows version.

Once the application is installed, launch the tool and navigate on the right to Configuration Profiles.

 

In the upper-right click New to create a Configuration Profile. The Configuration Profile can be used to set and configure all types of settings; however, I am only interested in adding a trusted root certificate to the device. Start by naming the profile. In my example, I have named it BriComp Root Certificate and set my unique identifier to com.bricomp.cert.profile. Complete the General settings by entering your company name and optionally a description.

 

Next, navigate down the list to the certificate icon labeled Credentials and click Configure.

 

After clicking Configure a list of certificates found on your local computer will be displayed. Assuming your computer trsuts your internal LAN certificates your root certificate will be shown here. Scroll to the correct certificate and click OK.

 

The certificate will be shown in the Credential window and all changes are immediate (i.e. there is no 'save' option). For small/single installs connect your device to your computer using the USB cable. The device will be displayed in the Configuration Tool under DEVICES. Select the device and then the Configuration Profile Tab.

 

You will notice there is an option to install the profile directly. Click Install to begin the process. On your device, a Install Profile window is shown where you must click Install followed by Install Now confirming the installation of the Root Certificate. If you have a passcode you will need to enter it and then click Done.

 

For mass installs, you can export the configuration profile using the tool and email it to all that need it.

External Certificate Error

Once I got past my internal certificate issue I was then receiving the error "Can't verify the certificate from the server. Please contact your support team".

 

This error was the same inside and outside my network but again, only on my Apple iOS devices. Puzzled for days I nearly gave up when I thought maybe...just maybe the Hardware Load Balancer needed the intermediate certificate loaded for DigiCert - the issuer of my web services external certificate. This is an easy process and if you followed my past blog on configuring the KEMP HLB for Lync this step may be required as well.

In the KEMP LB web configuration page navigate to Certificates | Intermediate Certs.

 

In this section you have the option of managing the intermediate certificates on your Load Balancer. Click Add New to display the New dialog. Here you need to paste the public certificate DigiCertHighAssuranceCA-3.cer into the text box and provide a name. The certificate can be downloaded from DigiCert's website athttps://www.digicert.com/digicert-root-certificates.htm. Save the file to your local computer and open it with Notepad. The certificate will look like a text file that is created when you are requesting a new certificate for yourself. Copy and paste the entire content unaltered into the KEMP website and name the certificate DigiCertHA3.
 

Click Add to complete the installation of the Intermediate Certificate.  That's it - once the LB trusts the DigiCert Intermediate and your device trusts your internal CA your client will be able to login.