In IT leaver processes, I often find that organisations neglect the crucial step of revoking the certificates that have been issued to Skype for Business users, with the result that users whose AD accounts are disabled can still sign in to Skype for Business!
If they can sign into Skype for Business from a device that has been issued a valid certificate (e.g. their personal mobile or laptop), they can communicate with your internal users, federated partners if you allow federation, and run up PSTN costs if they are enabled for Enterprise Voice, and so on.
Issue
By default, when a Skype for Business client successfully authenticates, the Skype for Business Front End Server generates an X.509 certificate and publishes it to the RTC database, as well as to the user's local certificate store on the connecting client device.
Certificates are generated and issued to clients, not to individual users. Skype for Business users typically use multiple clients (e.g. Skype for Business Desktop Client, Polycom VVX handset, Skype for Business Mobile App), and so inevitably end up with multiple certificates.
Certificates are valid for 180 days and allow a user to continue to sign in regardless of their AD account being disabled, because the AD account is not checked during Skype for Business sign-in.
The following PowerShell command shows the multiple certificates that have been issued to devices I've been using. These are all still valid (look at ExpirationTime).
Get-CsClientCertificate -Identity steve.bush@x500.co.uk

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {18e7332f-d993-5a46-9bf5-07b7f8cc70fa}
PublicationTime : 31/05/2017 14:24:41
ExpirationTime : 27/11/2017 14:09:38

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {095d4315-2f8c-5fc3-9fb8-0accc4c87f0b}
PublicationTime : 05/06/2017 10:59:00
ExpirationTime : 02/12/2017 10:43:54

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {c569fe4f-bac2-5fc2-b303-10ab9b383340}
PublicationTime : 14/07/2017 08:26:10
ExpirationTime : 10/01/2018 08:11:10

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {785dc7b5-9ed4-509a-9c4b-0ced620bb048}
PublicationTime : 02/08/2017 13:03:32
ExpirationTime : 29/01/2018 12:48:31
Solution
At the point of disabling the user account, the following PowerShell command should be run to revoke all client certificates issued against the user.
Revoke-CsClientCertificate -Identity steve.bush@x500.co.uk
All granted certificates have been revoked for user with identity “sip:steve.bush@x500.co.uk”
This task can also be performed using the Skype for Business Server 2015 Control Panel.
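Because the revocation step is easy to miss, it is worth auditing for it periodically rather than relying on the leaver process alone. The following script is an added example, not part of the original post: it lists every disabled AD account that still holds an unexpired Skype for Business client certificate and, when run with -Revoke, revokes them. It assumes it is run from a shell with both the ActiveDirectory and Skype for Business modules loaded and that the leaver's AD UPN resolves to their Skype for Business user (the parameter name -Revoke is my own).

```powershell
# Added example (not from the original post): find disabled AD accounts that
# still hold valid Skype for Business client certificates and optionally
# revoke them. Assumes the ActiveDirectory and Skype for Business modules
# are available in the current shell.
param(
    [switch]$Revoke   # report-only by default; pass -Revoke to revoke
)

Import-Module ActiveDirectory
$now = Get-Date

# All disabled user accounts in AD
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties UserPrincipalName

foreach ($user in $disabled) {
    if (-not $user.UserPrincipalName) { continue }

    # Skip accounts that were never enabled for Skype for Business
    $csUser = Get-CsUser -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $csUser) { continue }

    # Certificates still inside their 180-day lifetime are the risk
    $live = Get-CsClientCertificate -Identity $csUser.SipAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ExpirationTime -gt $now }

    if (-not $live) { continue }

    foreach ($cert in $live) {
        # One line per device so the report can be kept as evidence
        "{0}`tDeviceId={1}`tExpires={2}" -f $csUser.SipAddress, $cert.DeviceId, $cert.ExpirationTime
    }

    if ($Revoke) {
        # Revokes every client certificate for the user, as in the leaver step above
        Revoke-CsClientCertificate -Identity $csUser.SipAddress
    }
}
```

Run it without -Revoke first to review the report; the same account list is then what -Revoke acts on.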