
Skype Room Systems (SRS) V2 issues with SHA-1 Certificates

7/26/2017


In a previous blog post I wrote about provisioning Exchange mailbox accounts and Skype for Business meeting room accounts for Skype Room devices such as the Surface Hub and the Skype Room Systems V2 that are already available today. During my initial setup of a Polycom MSR Skype Room System V2 device, after following the steps in that post, the device could register and sign in successfully to a Skype meeting room account homed online on Office 365. However, using an account homed on-premises, I could not get the device to sign in successfully. This blog post walks through the error encountered and how I managed to resolve the issue.
Sign-in failures related to the hash algorithm on certificates are rather difficult to diagnose, as the logs do not show any direct information pointing to the real problem. In my case, the SRS V2 device was able to sign in to Exchange Online but would be stuck at a "Sign-in failed" error message (shown above) when using a Skype for Business on-premises account. There are ways to get the logs from the SRS V2 device by following this TechNet article, but in my case the log files yielded no useful information. On the Skype for Business Server, we can run CLS logging and, looking at the Snooper trace, see that the error message shown is "Invalid Credentials":
Testing the account credentials on a SfB client, I was able to log in successfully, so the issue had to be something else. However, when I tried to navigate to the FE Pool certificate provisioning service using the Chrome browser, I got a "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" error and Chrome refused to open the site at all (on IE this error is not shown as clearly):
After exhausting other possible reasons why my SRS V2 device was not able to sign in, such as DNS records, I recalled reading that SHA-1 certificates were being deprecated by mid-2017, as explained in this TechNet article. As I was still using Windows Server 2012 as the domain controller and CA server that had issued certificates to my Skype for Business pool about two years earlier, there was a high likelihood that the default certificates used on the FE Pool were still signed with the SHA-1 hash algorithm. I could easily verify this by going to the Skype Deployment Wizard, running Setup and the Certificate Wizard again to view the current certificate. True enough, my FE Pool was using a SHA-1 certificate, as shown below:
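The Certificate Wizard shows the signature algorithm one certificate at a time. The following PowerShell script is an added example (not from the original post, and not a Microsoft or Polycom tool) that does the same check in two places: the certificates Skype for Business has assigned on the Front End (via Get-CsCertificate, so it must run in the Skype for Business Management Shell), and the chain the pool's certificate provisioning service actually presents over TLS, which is what the SRS V2 device and Chrome see. The FQDN and port are placeholders; the functions Test-Sha1Signature and Show-CertLine are this example's own.

```powershell
# Added example, not from the original post. Flags SHA-1-signed certificates on a
# Skype for Business Front End: (1) those assigned to SfB roles on this server and
# (2) the chain served by the pool's certificate provisioning service.
# Run in the Skype for Business Management Shell. $WebServicesFqdn is a placeholder.
param(
    [string]$WebServicesFqdn = 'webservices.contoso.com',   # placeholder: pool web services FQDN
    [int]$Port = 443
)

function Test-Sha1Signature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'
    return ($Cert.SignatureAlgorithm.FriendlyName -match '^sha1')
}

function Show-CertLine {
    param([string]$Label, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $verdict = if (Test-Sha1Signature $Cert) { 'SHA-1: replace' } else { 'ok' }
    '{0,-22} {1,-12} {2,-16} {3}' -f $Label, $Cert.SignatureAlgorithm.FriendlyName, $verdict, $Cert.Subject
}

Write-Host '== Certificates assigned to Skype for Business roles on this server =='
foreach ($ref in Get-CsCertificate) {
    # Get-CsCertificate returns the thumbprint and the role (Use) it is assigned to;
    # the X509 object itself comes from the local machine store.
    $cert = Get-Item "Cert:\LocalMachine\My\$($ref.Thumbprint)" -ErrorAction SilentlyContinue
    if ($cert) { Show-CertLine $ref.Use $cert }
}

Write-Host "== Chain presented by https://${WebServicesFqdn}:$Port/certProv/certProvisioningService.svc =="
$client = New-Object System.Net.Sockets.TcpClient($WebServicesFqdn, $Port)
$ssl = $null
try {
    # Accept whatever the server sends: we only want to read the certificate, not trust it.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($WebServicesFqdn)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain locally so intermediates are inspected too. Browsers reject SHA-1
    # on the leaf and intermediates; a root's self-signature is not checked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    $elements = $chain.ChainElements
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $label = if ($i -eq 0) { 'leaf' } elseif ($i -eq $elements.Count - 1) { 'top of chain' } else { 'intermediate' }
        Show-CertLine $label $elements[$i].Certificate
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run it once before the renewal to confirm the Default certificate really is the SHA-1 one, and again after the wizard and service restart on each Front End to confirm the pool now serves a SHA-256 chain end to end.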
We want to request and install new certificates for our FE Pool that use the newer SHA-256 hash algorithm, but how do we update our Windows Server 2012 CA to do that? A quick search on the internet turned up this TechNet article, which is aimed at migrating the CA from the older Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) and then configuring the CA to issue SHA-256 certificates instead of SHA-1. The entire process is rather involved and not necessary to repeat here, since it is already described in detail in the TechNet article. The main objective is to get the CA to use a KSP, which we can verify by running certutil -store my <CA Name> as shown below:
Following the steps in the TechNet article, in Step 10 we use certutil on the CA server to change the registry setting so that the CA signs with SHA-256 instead of SHA-1, as shown below:
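For reference, the following is an added example of the CA-side checks and the hash-algorithm change, run from an elevated PowerShell prompt on the CA server after the key has been migrated to a KSP. It is not quoted from the post or the TechNet article; the registry value names under ca\csp and the certutil -setreg call are the standard AD CS ones, supplied from general knowledge. $caName is a placeholder for the CA's common name (the same value the post passes to certutil -store my).

```powershell
# Added example, not from the original post. Verify the CA's provider and hash
# settings, switch issuance to SHA-256, and confirm the CA certificate entry.
# Run elevated on the CA server. $caName is a placeholder for the CA common name.
$caName = 'CONTOSO-ISSUING-CA'   # placeholder

# These values live under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\CSP.
# Provider should read 'Microsoft Software Key Storage Provider' once the key is on a
# KSP; a '... Cryptographic Provider' name means the CA key is still on the legacy CSP.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm       # hash used with a KSP; SHA1 before the change
certutil -getreg ca\csp\CNGPublicKeyAlgorithm  # RSA for an RSA CA key

# Switch new issuance to SHA-256 (this is the registry change the post's Step 10 makes)
# and restart Active Directory Certificate Services so it takes effect.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# Re-read the value to confirm it stuck, then show the CA's own certificate entry and
# provider in the local machine store, as the post does.
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -store my $caName
```

Changing CNGHashAlgorithm only affects certificates issued from this point on; the existing SHA-1 certificates on the Front Ends stay SHA-1 until they are renewed, which is the next step.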
Next we need to renew the existing Default certificates on our Skype for Business FE Pool, which are still SHA-1 certificates. This is a relatively straightforward process: simply run the Deployment Wizard and re-run the Request, Install or Assign Certificates wizard, as shown below:
Simply follow the wizard to request and assign a new Default certificate for the FE Server:
Once the process is completed, we can go back to view the newly assigned Default certificate and verify that it is indeed using the SHA-256 hashing algorithm, as shown below:
We have to stop and restart the FE services for the certificate to take effect, and then repeat this for all the other FE servers in the pool. Once done, we can navigate back to the certificate provisioning service https://<WebServicesFQDN>/certProv/certProvisioningService.svc using the Chrome browser and verify that we can now log in successfully.

Going back to the SRS V2 device, we can now log in successfully. It is important to mention that the Root CA certificate must be manually imported into the SRS V2 device if it is not joined to the domain. The steps to install the root CA certificate can be found in this TechNet article. Hopefully this blog post is useful to anyone facing login problems on an SRS V2 machine that may be caused by old Skype for Business FE Pool certificates still using SHA-1.