Problem
You have OCS 2007 R1 deployed in your environment and have begun noticing that MOC (Microsoft Office Communicator) clients display a notification:
… labeled:
Cannot Synchronize Address Book
… with the error message:
Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.
Solution
After verifying that I was able to:
- Browse the https://poolFQDN/ URL without being issued a certificate warning
- Download a .lsabs file from the URL https://poolFQDN/abs/int/handler
- View the Invalid_AD_Phone_Numbers.txt from the URL https://poolFQDN/abs/int/handler/Invalid_AD_Phone_Numbers.txt
… I realized that I had been informed that the internal Certificate Authority had been upgraded. Although the keys from the decommissioned CA were restored onto the new CA, I had a feeling that perhaps the MOC client was still trying to contact the old CA because the pool was still using a certificate issued by the old CA.
After reviewing the pool’s certificate attributes, I had a thought that perhaps the MOC client (through Internet Explorer’s engine) was trying to contact the decommissioned CA to retrieve the certificate revocation list. I remember coming across an article a year ago that showed how to modify the registry to skip a CRL check, so after a bit of searching I managed to find the instructions.
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key: CertificateRevocation
Type: REG_DWORD
Values: 1 (revocation checking on) or 0 (revocation checking off)
Note how the registry key’s value is 1 (turned on):
So I proceeded to turn it off:
Signing out and back in did not remove the notification but closing and re-launching the MOC client did:
So what part of the certificate tipped me off? Here are the details to the CRL Distribution Points field:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=Contoso%20Ltd,CN=CERT01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Contoso,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://cert01.Contoso.internal/CertEnroll/Contoso%20Ltd.crl
The server named cert01 no longer existed because the new certificate authority was named cert02. Hope this post helps anyone out there who may encounter the same problem as I did.
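The CDP check behind this diagnosis, as an added PowerShell example (not from the original post): it reads the CRL Distribution Points extension of the pool certificate, probes each HTTP CDP URL, and reports the current CertificateRevocation value, so a dead CDP host like cert01 shows up as a FAIL line before anyone reaches for the registry. It assumes the pool certificate is in the machine Personal store and that the $PoolFqdn placeholder is replaced with the real pool FQDN.

```powershell
# Added example, not the original post's code. $PoolFqdn is a placeholder.
param(
    [string]$PoolFqdn = 'pool01.contoso.internal'
)

# Locate the pool certificate by its subject in the machine Personal store (assumed location).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($PoolFqdn) } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $PoolFqdn found in Cert:\LocalMachine\My" }

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Output 'Certificate has no CRL Distribution Points extension'; return }

# Format($true) yields the same multi-line text the certificate dialog shows:
# "[1]CRL Distribution Point ... URL=ldap:///... URL=http://host/CertEnroll/name.crl"
$text = $cdp.Format($true)
$urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$web = New-Object System.Net.WebClient
foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        Write-Output "SKIP  $url  (only HTTP CDPs are probed here)"
        continue
    }
    try {
        # A reachable CDP returns the DER-encoded CRL; a decommissioned host fails to resolve or connect.
        $bytes = $web.DownloadData($url)
        Write-Output ("OK    {0}  ({1} bytes)" -f $url, $bytes.Length)
    } catch {
        Write-Output ("FAIL  {0}  {1}" -f $url, $_.Exception.Message)
    }
}

# Show the per-user IE revocation switch the post toggles, so it is obvious if it was left at 0.
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$reg = Get-ItemProperty -Path $regPath -Name CertificateRevocation -ErrorAction SilentlyContinue
if ($reg) { Write-Output ("CertificateRevocation = {0}" -f $reg.CertificateRevocation) }
else      { Write-Output 'CertificateRevocation = <not set> (defaults to checking on)' }
```

The same chain check is also available from the command line with `certutil -verify -urlfetch <exported-pool-cert.cer>`, which fetches every CDP and AIA URL in the chain and flags the ones that fail.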