On June 8th, 2013, for Office Communications Server and Lync federation with Microsoft.com, Microsoft will replace the root certificate on the federation edge server from a GTE CyberTrust root to a Baltimore root.

By that date, any SIP domain federated with Microsoft must have the respective edge server’s trusted root certificate store updated with the Baltimore root certificate. Any edge server which does not trust the new Microsoft.com certificate by June 8, 2013 will be unable to connect to Sipfed.microsoft.com, thereby impacting federation with the Microsoft.com SIP domain. IM and presence will fail, as will A/V for any user within the federated SIP domain when attempting to reach a user in the Microsoft.com SIP domain.

Author: Jon McClary, Microsoft Service Engineer

Technical Reviewers: Rob Pittfield, Conrad Mouton

Published: May 9, 2013

Product version: Office Communications Server 2007, Lync 2010, Lync 2013

IMPORTANT NOTE: If you have installed the latest updates, you are already covered. In fact, if you are running Microsoft Support diagnostics, you won’t encounter this issue.

Microsoft will make a certificate change on June 8, 2013, which could potentially affect federation with the Microsoft.com SIP domain. This applies only to SIP domains that are federated with Microsoft.com. The certificate applied to the Microsoft Lync Access Edge server, sipfed.microsoft.com, is nearing its expiration. The new certificate will use the Baltimore CyberTrust Root Certificate, which will require that federated partners’ Access Edge servers trust the new root.

The potential for impact is to SIP and A/V communication with Microsoft.com for any user in an affected federated SIP domain.

Here’s what you need to know to continue to communicate with the Microsoft.com SIP domain.

1. Verify whether the Baltimore CyberTrust Root certificate is already trusted—as is likely if the server has the most recent Microsoft Updates installed.

2. Open the certificate snap-in for the local machine in the Microsoft Management Console (MMC) on the federating edge server.

3. Verify whether the Baltimore CyberTrust Root is in the trusted root certificate authorities, as shown in Figure 1 below. The expiration date is May 12, 2025.

Figure 1. Verifying that Baltimore CyberTrust Root is in trusted root certificate authorities

If this trusted root certification authority exists here, your work is done. If this root certification authority is not trusted, you must import that certificate as a trusted root per your operating system version, as detailed in this Support topic: Windows Root Certificate Program members.
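The same check can be scripted instead of clicked through in MMC. The following is an added example, not part of the original article: the function name `Test-TrustedRoot` is hypothetical, and the look at the Disallowed store goes beyond the steps above (a root listed there is rejected even if it also appears under trusted roots).

```powershell
# Added example: scripted form of the MMC check in steps 1-3.
# Run in an elevated PowerShell session on the federating edge server.
function Test-TrustedRoot {
    param(
        [string]$CommonName = 'Baltimore CyberTrust Root',    # name given in the article
        [string]$RootStore  = 'Cert:\LocalMachine\Root',      # computer store, not CurrentUser
        [string]$BlockStore = 'Cert:\LocalMachine\Disallowed' # explicitly untrusted certificates
    )

    # Match on the subject CN exactly, so a longer, similar name does not count.
    $match = { $_.Subject -match "CN=$([regex]::Escape($CommonName))(,|$)" }

    $roots   = @(Get-ChildItem -Path $RootStore | Where-Object $match)
    $blocked = @(Get-ChildItem -Path $BlockStore -ErrorAction SilentlyContinue |
                 Where-Object $match | ForEach-Object { $_.Thumbprint })

    if ($roots.Count -eq 0) {
        Write-Warning "'$CommonName' is not in $RootStore; import it as a trusted root."
        return $false
    }

    # The article gives the expiration date as May 12, 2025; compare it with NotAfter.
    $now = Get-Date
    $report = $roots | Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
        @{ n = 'InDate';     e = { $_.NotBefore -le $now -and $_.NotAfter -ge $now } },
        @{ n = 'Disallowed'; e = { $blocked -contains $_.Thumbprint } }
    $report | Format-Table -AutoSize | Out-Host

    # Usable as a trust anchor only if self-signed, within validity, and not blocked.
    $ok = @($report | Where-Object { $_.SelfSigned -and $_.InDate -and -not $_.Disallowed })
    return ($ok.Count -gt 0)
}

if (Test-TrustedRoot) {
    'Baltimore CyberTrust Root is trusted by the local machine.'
} else {
    'Root missing, expired, or disallowed: federation with sipfed.microsoft.com will fail.'
}
```

The script reads the local machine store because the edge services validate the partner certificate in the computer context; a root present only in an administrator's CurrentUser store does not help.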

To enable continued communication with users in the Microsoft.com SIP domain, you must ensure that the Baltimore CyberTrust Root certificate is trusted by Office Communications Server and Lync Access Edge servers that are federated with the Microsoft.com SIP domain.

Additional Information

About the Author

Jon McClary has been a Service Engineer with the Microsoft Lync Server team since 2008, supporting Office Communications Server, Lync Server, and Lync Online. He has a total of 12 years on the Microsoft campus and in 2009, earned Microsoft Certified Master (MCM) status for Office Communications Server 2007 R2. Jon's specialties include TCP/IP networking, UC, infrastructure, and cloud services.


Keywords: OCS, Lync, Federation, Access Edge, Certificate, sipfed.microsoft.com