Communication Server Certificates Expire without Renewing

Hi everyone, I am experiencing this kind of issue in my Lync 2010 infrastructure.

Below is the infrastructure I manage.

Lync 2010 Enterprise Edition

1 sip address

1 fe pool

6 FEs behind 2 HLBs

2 AV servers

2 Directors

4 Med pools

2 Edge servers behind two HLBs

2 reverse proxies

This architecture relies on a resource forest. All the user accounts are disabled in this forest but enabled in the trusted forest, and they are enabled for the Lync application. Computers are in the AD forest, not in the resource forest.

The authentication used to sign in to Lync is NTLM. So when the user clicks on the "Save Password" flag after entering the user name and password to log in, you get the certificate issued by Communication Server stored in the user's personal certificate store, which by default expires after 180 days. What I've read in the documents found around the web is that the certificate should be automatically renewed starting from one month before the expiration date, and also that you should receive a notification that the certificate is going to expire one week before expiration. In my situation this doesn't happen. I found out that the certificate expires without notifying or renewing, and I have to manually delete it; otherwise Lync clients won't sign in and remain stuck on the sign-in screen... After removing the expired certificate I was able to sign in by entering the credentials again, and after checking "Save Password" I saw that I got a new certificate issued by Communication Server that will expire after 180 days.

Can someone please explain what is happening? Is there a way to avoid this, or to resolve the issue? Can someone tell me how to use a PS script to get a list of user certificates that will expire by a certain date?

Many thanks

May 7th, 2015 6:40pm

Hi,

  1. You can enable the notification for certificate expiry by setting the Group Policy. You can find this setting under Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto Enrollment.
  2. You can write a PowerShell script that uses the Get-CsClientCertificate cmdlet to find those certificates about to expire, then use the Revoke-CsClientCertificate cmdlet to remove the certificates.
  3. The new certificate should be renewed automatically when the old certificate expires. So please make sure the Lync Server and client are updated to the latest version and then test the issue again.

Best Regards,
Eason Huang

May 10th, 2015 5:28am

Hi Eason, thanks for answering. Please, do you know a way to get all users' certificates, since the get-cscertificate cmdlet doesn't accept piped inputs?

Many Thanks

May 10th, 2015 1:22pm

Hi,

You can use the following Lync Server Management Shell command: Get-CsUser | Get-CsClientCertificate to retrieve the client certificates for all your users who actually have client certificates.

Best Regards,

Eason Huang

May 16th, 2015 11:24pm
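A script along the lines of what the thread asks for (list the client certificates that expire before a given date, optionally revoke them so the user gets a fresh one on next sign-in), written here as an added example that is not part of the thread or of Microsoft's documentation. It assumes the objects returned by Get-CsClientCertificate carry an ExpirationTime property (an assumed name; confirm it with Get-Member before relying on it) and that Revoke-CsClientCertificate takes the user's -Identity.

```powershell
# Added example (not from the thread): report Lync 2010 client certificates
# that expire before a cutoff, and optionally revoke them.
# ASSUMPTION: the Get-CsClientCertificate output exposes an ExpirationTime
# property. Verify first with:
#   Get-CsClientCertificate -Identity "user@contoso.com" | Get-Member
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DaysAhead = 30,                              # look this far ahead
    [string]$ReportPath = ".\ExpiringClientCerts.csv", # where the report goes
    [switch]$Revoke                                    # report only unless set
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)
$expiring = @()

# Walk the enabled users and fetch each user's client certificates explicitly,
# so the user's SIP address can be attached to every certificate row.
foreach ($user in (Get-CsUser)) {
    $certs = Get-CsClientCertificate -Identity $user.SipAddress -ErrorAction SilentlyContinue
    foreach ($cert in @($certs)) {
        if ($cert -eq $null -or $cert.ExpirationTime -eq $null) { continue }
        if ($cert.ExpirationTime -lt $cutoff) {
            $expiring += New-Object PSObject -Property @{
                SipAddress     = $user.SipAddress
                ExpirationTime = $cert.ExpirationTime
                DaysLeft       = [int]($cert.ExpirationTime - $now).TotalDays
                AlreadyExpired = ($cert.ExpirationTime -lt $now)
            }
        }
    }
}

# @() guards the .Count call on PowerShell 2.0, where a single object has none.
$expiring | Sort-Object ExpirationTime | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} client certificate(s) expire before {1}; report: {2}" -f `
    @($expiring).Count, $cutoff.ToShortDateString(), $ReportPath)

if ($Revoke) {
    # Revoking forces the client back through NTLM sign-in, after which it is
    # issued a new 180-day certificate, the same effect the original poster got
    # by deleting the expired certificate by hand. -WhatIf previews the action.
    foreach ($row in ($expiring | Select-Object -ExpandProperty SipAddress -Unique)) {
        if ($PSCmdlet.ShouldProcess($row, "Revoke Lync client certificate")) {
            Revoke-CsClientCertificate -Identity $row
        }
    }
}
```

Run it from the Lync Server Management Shell; start with `-Revoke -WhatIf` to see which users would be affected before revoking anything.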
