Friday, September 23, 2011

MOC 2007 R1 or R2 client throws the error: “Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.”

Problem

You have OCS 2007 R1 deployed in your environment and begin noticing that MOC (Microsoft Office Communicator) clients display a notification:


… labeled:

Cannot Synchronize Address Book


… with the error message:

Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.


Solution

After verifying that I was able to:

  1. Browse the https://poolFQDN/ URL without being issued a certificate warning
  2. Download a .lsabs file from the URL https://poolFQDN/abs/int/handler
  3. View the Invalid_AD_Phone_Numbers.txt from the URL https://poolFQDN/abs/int/handler/Invalid_AD_Phone_Numbers.txt

… I realized that I was informed of the internal Certificate Authority being upgraded.  Although the keys from the decommissioned CA were restored onto the new CA, I had a feeling that perhaps the MOC client was still trying to contact the old CA because the pool was still using a certificate issued from the old CA.

After reviewing the pool’s certificate attributes, I had a thought that perhaps the MOC client (through Internet Explorer’s engine) was trying to contact the decommissioned CA to retrieve the certificate revocation list. I remember coming across an article a year ago that showed how to modify the registry to skip a CRL check, so after a bit of searching, I managed to find the instructions.

Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Key: CertificateRevocation

Type: REG_DWORD

Options: 1 (turn on) or 0 (turn off)


Note that the registry key’s value is 1 (turned on).

So I proceeded to turn it off.

Signing out and back in did not remove the notification but closing and re-launching the MOC client did: 


So what part of the certificate tipped me off? Here are the details of the CRL Distribution Points field:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Contoso%20Ltd,CN=CERT01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Contoso,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://cert01.Contoso.internal/CertEnroll/Contoso%20Ltd.crl


The server named cert01 no longer existed because the new certificate authority is now named cert02.  Hope this post helps anyone out there who may encounter the same problem as I did.
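A quicker way to reach the same conclusion, as an added example that is not part of the original post: it reads the per-user CertificateRevocation value, pulls the URLs out of the CRL Distribution Points text, and checks whether each named server still resolves. Get-CdpUrl and Test-CdpHost are names made up for this example, and the sample input is the CDP field quoted above.

```powershell
# Added example, not from the original post. Get-CdpUrl and Test-CdpHost are
# names made up here. Sample input: the CDP field quoted in the post.
$sample = @'
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Contoso%20Ltd,CN=CERT01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Contoso,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://cert01.Contoso.internal/CertEnroll/Contoso%20Ltd.crl
'@
# For a certificate object $cert, the same text comes from:
#   ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }).Format($true)

function Get-CdpUrl {
    param([Parameter(Mandatory = $true)][string]$CdpText)
    # Each location in the formatted extension is written as "URL=<uri>".
    [regex]::Matches($CdpText, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpHost {
    param([Parameter(Mandatory = $true)][string]$Url)
    if ($Url -notmatch '^(?<scheme>[a-z]+)://(?<server>[^/:?]*)') { return }
    $scheme = $Matches['scheme']
    $server = $Matches['server']
    if (-not $server) {
        # ldap:/// names no server: the client asks its own domain's directory.
        return [pscustomobject]@{ Scheme = $scheme; Server = '(directory)'; Resolves = $null }
    }
    try   { [void][System.Net.Dns]::GetHostEntry($server); $resolves = $true }
    catch { $resolves = $false }
    [pscustomobject]@{ Scheme = $scheme; Server = $server; Resolves = $resolves }
}

# Current per-user setting (1 = revocation checking on, 0 = off).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$reg = Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue
"CertificateRevocation = $($reg.CertificateRevocation)"

# A server that no longer resolves means the CRL cannot be fetched from that URL.
Get-CdpUrl -CdpText $sample | ForEach-Object { Test-CdpHost -Url $_ } | Format-Table -AutoSize
```

To test actual CRL retrieval rather than name resolution, run `certutil -verify -urlfetch` against the exported certificate. If the listed server no longer exists, reissuing the certificate from the current CA or publishing a current CRL at the old URL addresses the cause, so CertificateRevocation can stay at 1.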
