Mobile Apps, internal use, certificate warnings

Hi,


We are currently deploying Skype for business mobile apps for internal use.


Before that, the use of mobile apps was mostly external. No problem...


But it appears that by using the applications internally, users receive many warnings related to the fact that internally, certificates are signed by the Active Directory Certification Authority.


In a BYOD scenario, we can deploy our root CA to devices, not a problem, but for some populations, mobiles are only used as "mobile Lync Phones", and when you deploy a root CA to Android phones, you are required to set an unlock code. This is not compatible with the intended use.

Is there a way to prevent this? After a lot of reading I have found a discussion saying that you have to redirect ALL https connections like meet.domain.com, including desk phones, Windows clients, etc., to a reverse proxy, so that it's our public certificates that are presented to mobiles.


This seems to me completely absurd and at the very least not optimized.

So what is the good practice for Mobile Apps used internally with internal certs from ADCS?


Thanks

28 Replies

So I just did the test.

From my mobile, on corporate wifi, if I go with the browser to: https://pools4bpriws.domain.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=domain.com, I get an error 401 unauthorized, with the public cert from GlobalSign...


Sounds perfect. What happens when you try to login the client from the mobile device?

Certificate warning :(

Prompt for an internal cert.

But it's "normal": if it tries to connect to https://lyncdiscoverinternal.domain.com, it will get a certificate warning.

What I don't understand is why it is trying to connect to this internal URL if the mobile phone uses the external connection first...

When I look at the log, the first connections are going to lyncdiscover.domain.com... But why, after that, does it try lyncdiscoverinternal.domain.com?

It seems that we first receive an answer for lyncdiscoverinternal.domain.com:


06-23 07:31:55.391 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received.  Status = S_OK (S0-0-0), url = http://lyncdiscoverinternal.domain.com/

then, after that, from lyncdiscover.domain.com:

06-23 07:31:55.525 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received.  Status = S_OK (S0-0-0), url = http://lyncdiscover.domain.com/
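The two log lines above show the order in which the client resolved its autodiscover URLs. As an added example (not code from the thread or from Microsoft), the script below parses such lines to recover the autodiscover sequence, and offers a helper that connects to each autodiscover host with the local machine's default trust store, so an administrator can see whether the certificate presented at lyncdiscoverinternal.domain.com chains to a trusted root or would trigger the warning the mobile client shows. The hostnames and the sample log lines are taken from the thread; the regular expression and function names are this example's own assumptions.

```python
import re
import socket
import ssl

# Sample input, constructed from the two client log lines quoted in the thread.
LOG_LINES = [
    "06-23 07:31:55.391 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 "
    "CUcwaAutoDiscoverGetUserUrlOperation::onEvent received.  Status = S_OK (S0-0-0), "
    "url = http://lyncdiscoverinternal.domain.com/",
    "06-23 07:31:55.525 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 "
    "CUcwaAutoDiscoverGetUserUrlOperation::onEvent received.  Status = S_OK (S0-0-0), "
    "url = http://lyncdiscover.domain.com/",
]

# Assumed log layout: timestamp, then "Status = <code> (<detail>), url = <url>" at the end.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"Status = (?P<status>\S+) \((?P<detail>[^)]*)\), url = (?P<url>\S+)$"
)


def autodiscover_sequence(lines):
    """Return (timestamp, status, url) for each autodiscover answer, in log order."""
    found = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            found.append((m.group("ts"), m.group("status"), m.group("url")))
    return found


def autodiscover_hosts(domain):
    """The internal and external autodiscover names a SfB client looks up."""
    return ["lyncdiscoverinternal." + domain, "lyncdiscover." + domain]


def check_server_trust(host, port=443, timeout=5.0):
    """Connect over TLS using this machine's default trust store.

    Returns ("trusted", issuer) when the chain verifies, or
    ("untrusted", reason) when verification fails, which is what a mobile
    client without the internal root CA would also experience.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(x[0] for x in cert.get("issuer", ()))
                return ("trusted", issuer.get("organizationName", "unknown"))
    except ssl.SSLCertVerificationError as e:
        return ("untrusted", e.verify_message)
    except OSError as e:
        return ("unreachable", str(e))


if __name__ == "__main__":
    for ts, status, url in autodiscover_sequence(LOG_LINES):
        print(f"{ts}  {status}  {url}")
    # Live probe; only meaningful on the corporate network for the real domain.
    for host in autodiscover_hosts("domain.com"):
        print(host, check_server_trust(host))
```

Run it on the corporate wifi with the real domain: a result of `untrusted` for lyncdiscoverinternal alongside `trusted` for lyncdiscover reproduces the asymmetry the thread describes, and shows which name the public certificate would need to cover (or which root the device would need) to remove the warning.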


Is it possible to purchase public certs for the internal SfB Infrastructure?

This is really the best route to take and will eliminate a lot of headaches if you want to provide the full feature-set for BYOD SfB Mobile clients that are on your internal network.

Yes, possible, and I have done that. And some organizations prefer to use public certs for all secure communication over internal certs.

I had configured and deployed public SSL certificates for Front End, OAuth, RP, and Edge for a few customers and it is working perfectly.

Please let me know if you wanna know how it should be done. 

Hi,

Sorry, I was out of office.

For sure it's possible to replace all certs with public certs... But it's not without cost...