Revoke Lync Client Certificates – Why should you do it AND what to watch out for

For those of you who do not know, about 99% of your logins to Lync are done via a certificate the Lync Front End provides you. The reasons why this is the default are a topic for another blog post. Since I just told you that 99% of your logins to Lync are certificate based, how does this impact a company when a user has just been abruptly fired and their AD account disabled?

The answer is that the user's AD account being disabled does NOTHING to prevent them from logging into Lync if they already have a valid certificate. Which leads me to my next question.

Is a certificate issued by the Lync FE valid forever? Nope, by default it is only valid for 180 days. But this still doesn't solve the problem of preventing a fired employee from accessing Lync. If you do nothing, the user could potentially keep using Lync for up to 180 days... not good.

So how do we overcome this issue? The answer is pretty straightforward. If you don't have a nightly maintenance plan running for your Lync environment, you should get on that and add the little bit of code below to it.

## Begin Lync Cert Revoke for Disabled AD Accounts

## Finds users on Lync pools who have disabled AD accounts
$DISABLED = Get-CsAdUser | Where-Object {$_.UserAccountControl -match "AccountDisabled"}
$DATE = Get-Date
$COUNTER = 0
$log = "D:\lync\data\CertRevoke.txt"
$start = [System.DateTime]::Now

echo "Script Start" $start >> $log
foreach ($USER in $DISABLED) {
    # @() forces an array so .Count is reliable for zero, one or many certs
    $COUNT = @(Get-CsClientCertificate -Identity $USER.SamAccountName)
    # If the user has one or more certs, action is taken.
    if ($COUNT.Count -ge 1)
    {
        $USERNAME = $USER.SamAccountName
        $CERTS = $COUNT.Count

        # Log who was revoked and how many certs they held, then revoke them all
        Write-Output "$USERNAME $CERTS $DATE" | Out-File $log -Append
        Revoke-CsClientCertificate -Identity $USERNAME
        $COUNTER++
    }
}
$stop = [System.DateTime]::Now
echo "Script Stop" $stop >> $log
echo "--------------------------------------------------------------------------------" >> $log
echo "" >> $log

The above will find any account that is disabled and will revoke the certificate for that user.  We run this as part of our nightly maintenance plan at 7pm.

So the next question is: well, that's great, but what if the user account is disabled for some other reason, like failing to complete security training... what happens when the account gets re-enabled? The answer here is nothing, really. All the user has to do is launch Lync like they normally would, and instead of auto-signing in with a certificate (because they were all revoked), the Lync client will say "hey, who are you" and prompt you to sign in with your AD account. Once you sign in once, the FE gives you a new 180-day cert and you're off to the races!

So why do all of this? Well, humans err and fail to let IT know when a user was terminated. Revoking the certificates prevents that user from using Lync, and prevents your still-employed users from reaching the departed staff over company equipment.

So what's the one GOTCHA! It appears that VVX phones with PIN auth can get around this. I am currently working with Microsoft to understand what's going on here. We recently had a user in this situation, and in the logs of the above script I kept seeing their name as having a cert revoked. I dug into it a little more and saw that it was the VVX phone still holding a NEW valid certificate (I said new for a reason: each night the cert would get revoked by the automated script, and somehow the phone would get a new one).

How do you see the issued certs that a user has? Pretty easy, actually... just run get-csclientcertificate -Identity sip:first.last@domain.com and it'll spit out all the certs a user has. When you do this, it doesn't list the device that has the cert (like an iPhone, Lync client or VVX phone), so how do you figure out which device has it?
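Here is an added companion script (my own example, not code from the original post or from Microsoft) that covers the audit side of the same job: it lists every disabled account that still holds a client certificate, keeps every property get-csclientcertificate returns (device id included) in a CSV so you can chase the device down later, and then reads the nightly script's own log to flag users whose name keeps coming back night after night, which is exactly the VVX symptom described above. It revokes nothing. It assumes the Lync Management Shell is loaded, that the log lives at D:\lync\data\CertRevoke.txt in the "<username> <certcount> <date>" format the nightly script writes, and the output path D:\lync\data\CertAudit.csv is an assumed value of my own.

```powershell
# Added audit script (not from the original post): report disabled AD accounts that
# still hold Lync client certificates, and flag users whose certs keep getting
# re-issued after the nightly revoke. Read-only: nothing is revoked here.
# Assumptions: Lync Management Shell loaded; $log is the nightly script's log file
# with lines "<SamAccountName> <CertCount> <Date>"; $report is an assumed path.

$log    = "D:\lync\data\CertRevoke.txt"     # same log the nightly script appends to
$report = "D:\lync\data\CertAudit.csv"      # assumed output path for this audit

# 1. Disabled accounts that still hold at least one client certificate.
$disabled = Get-CsAdUser | Where-Object { $_.UserAccountControl -match "AccountDisabled" }
$audit = foreach ($user in $disabled) {
    $certs = @(Get-CsClientCertificate -Identity $user.SamAccountName)
    foreach ($cert in $certs) {
        # Prepend the account name and keep every property the cmdlet returns,
        # so the device id behind each cert is preserved for the SQL lookup.
        $cert | Select-Object @{ n = "SamAccountName"; e = { $user.SamAccountName } }, *
    }
}
if ($audit) {
    $audit | Export-Csv -Path $report -NoTypeInformation
    Write-Output ("Disabled accounts holding certs: {0} (details in {1})" -f @($audit).Count, $report)
} else {
    Write-Output "No disabled account currently holds a client certificate."
}

# 2. Re-issuance check: a user logged by the nightly script on more than one
#    night had a certificate issued again after it was revoked.
$minNights = 2
$seen = @{}                      # SamAccountName -> hashtable of dates seen
if (Test-Path $log) {
    foreach ($line in Get-Content $log) {
        # Only lines of the form "<user> <count> <date>" count; the "Script Start/Stop"
        # markers, the separator line and blank lines do not match this pattern.
        if ($line -notmatch '^Script ' -and
            $line -match '^(?<user>\S+)\s+(?<count>\d+)\s+(?<date>.+)$') {
            $u = $Matches.user
            try   { $d = (Get-Date $Matches.date).Date }   # one key per calendar day
            catch { $d = $Matches.date }                   # fall back to the raw text
            if (-not $seen.ContainsKey($u)) { $seen[$u] = @{} }
            $seen[$u][$d] = $true
        }
    }
}
$repeat = $seen.GetEnumerator() |
    Where-Object { $_.Value.Count -ge $minNights } |
    ForEach-Object { [pscustomobject]@{ SamAccountName = $_.Key; Nights = $_.Value.Count } } |
    Sort-Object Nights -Descending

if ($repeat) {
    Write-Output "Users whose certificate was revoked on $minNights or more nights (re-issued after revoke):"
    $repeat | Format-Table -AutoSize
} else {
    Write-Output "No user appears in the revoke log on more than one night."
}
```

Run this interactively before the nightly job, not from it: the CSV gives you the device id to feed into the monitoring server query, and the second report tells you which accounts need a manual look (in our case, the VVX phone) rather than another automated revoke.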

Fortunately there is a view within the SQL monitoring server that you can look at. Simply replace "Somedeviceid" with the deviceid from the get-csclientcertificate command above.

(Image: certs)

5 thoughts on "Revoke Lync Client Certificates – Why should you do it AND what to watch out for"

  1. It would be interesting to see if changing the csclientpin along with disabling the user certificate would prevent the VVX phones from automatically logging in again. Also, is the user disabled for Lync prior to their AD account being disabled?


    • Hi Mark,

      That is our thought as well, that we could just set a new PIN, but it seems that if we're revoking the certs, it should do it for everything... will follow up to this thread when I get an answer back from Microsoft. We could add a Set-CsClientPin to our script but that would introduce other issues... continue reading below.

      The goal of our script is to not be too invasive, that is, if you disable a user in Lync, or remove the user, all the user's existing meetings/contacts... get removed. Further, should the user have their AD account disabled because maybe they are on vacation and didn't update their password in time, if we removed them from Lync we would then have to manually re-add them back to Lync, thus creating A LOT of work for our Lync team...

      Hope this helps.


  2. In the below scenario –

    – Lync 2013
    – Full Enterprise Voice
    – User has a forward to mobile configured
    – AD account is disabled
    – Certificate is revoked

    The forward is still followed. We came across incidents whereby leavers were still receiving the forwarded calls to their mobile way after they had left.

    In order to eliminate this you should set the “Enabled” parameter from Get-CsUser to false. Might want to whack the below command on the end.

    "Set-CsUser $USERNAME -Enabled:$False"


    • For us, we have a pretty solid workflow where, when users leave, their AD accounts are deleted shortly after. When the account is deleted, so is the number association.


      • If the deletion is soon after then no need to worry. I often come across environments whereby accounts are left disabled for anything between 14 and 45 days, thus running the risk of clients still discussing business matters with leavers.

