Eric Marsi

SFB: Lync Phone Edition Devices not registering after changing from a SHA1 Cert to a SHA256 Cert

Updated: Jun 10, 2019

When creating a lab environment for my recent Lync/Skype migration session at Comms vNext, my goal was to have both a SHA256 and a SHA1 certificate authority (CA) in the environment. Many older environments that still run Lync 2013 are running Windows Server 2012, and if the PKI infrastructure was created around the same time, chances are that the root certificate and every certificate issued under it are SHA1 based.


One issue that I came across was that after applying the latest CU to the 2015 pool (CU8 and CU9 have this change from my testing; older CUs may have it as well), any users with a Tanjay or Aries phone would no longer register to the pool. If I migrated the user account to the Lync 2013 pool, which had a certificate from a SHA1 CA, the users were able to sign in to their phones. If I moved the same users to the 2019 pool, which had a certificate from a SHA256 CA, the users were able to sign in as expected.


I suspect that, due to the known security weaknesses of the SHA1 hashing algorithm, this is a deliberate change, and a good one. The only case where it becomes a problem is an environment that is not running the last release of Lync Phone Edition. Earlier releases of this software do not understand a SHA256 certificate and will end up in a login loop when signing in.


Make sure that when updating to the latest CU, your environment has the latest phone updates applied beforehand. It may also be worth looking into replacing these older devices with other Skype for Business variants. Lastly, I would highly suggest building a new SHA256 PKI and replacing the existing certificates with SHA256 certificates.


You may be wondering how to tell what type of certificate is being used for internal services. Follow the steps below to determine which hashing algorithm is used in your environment:


Option 1: View the certificate from the local server

1. On a Front-End server that is part of the pool in question, open the Lync or Skype for Business Deployment Wizard.

2. Once in the Deployment Wizard, click "Install or Update Lync/Skype Server System".

3. Click "Request, Install or Assign Certificates".

4. Once the Certificate Wizard opens, select the default certificate and then click "View".

5. Once the "View Certificate" window opens, click the "View Certificate Details" button.

6. In the Certificate Properties window, click "Details".

7. Under Fields, find "Signature algorithm". Its value shows whether the certificate is SHA1 or SHA256 hashed.


Option 2: View the certificate from a remote computer

1. Browse to a simple URL from an internal computer, such as https://dialin.domain.com

2. Click on the lock or HTTPS portion next to the URL, then view the certificate.

3. In the Certificate Properties window, click "Details".

4. Under Fields, find "Signature algorithm". Its value shows whether the certificate is SHA1 or SHA256 hashed.
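The same check as Option 2, scripted so it can be run against several pools at once and so it reports the whole chain rather than just the leaf. This is an added example, not code from the original post; it assumes the simple URL hostname dialin.domain.com from above (replace it with your own) and that port 443 is reachable from the computer running the script.

```powershell
# Added example: report the signature algorithm of the TLS certificate presented by a
# Skype for Business simple URL, plus every certificate in the chain above it.
# Hostname is the post's placeholder; substitute your own simple URL.
param(
    [string]$HostName = 'dialin.domain.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept whatever certificate the server presents: we only want to inspect it here,
    # not trust it, so the callback always returns $true.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    # Copy the remote certificate into an X509Certificate2 so it survives closing the socket.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# Build the chain from the local machine's trust store. Revocation checking is skipped
# because we are reading algorithms, not validating trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($leaf)

# ChainElements[0] is the pool (leaf) certificate; later elements are intermediates and root.
$i = 0
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
    [pscustomobject]@{
        Position           = $i++
        Subject            = $c.Subject
        Issuer             = $c.Issuer
        SignatureAlgorithm = $alg
        IsSHA1             = ($alg -like 'sha1*')
        NotAfter           = $c.NotAfter
    }
} | Format-Table -AutoSize
```

Run it from any domain-joined workstation; a row with IsSHA1 set to True on Position 0 is the pool certificate that the updated CU rejects for the phones.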

If you have any questions, feel free to comment below or contact me.



© 2019 UCIT Blog by Eric Marsi