Skype for Business – Leavers Process – Certificate Authentication

In IT leaver processes, I often find that organisations neglect the crucial step of revoking the certificates that have been issued to Skype for Business users, with the result that users whose AD accounts are disabled can still sign in to Skype for Business!

If they can sign in to Skype for Business from a device that has been issued a valid certificate (e.g. their personal mobile or laptop), they can communicate with your internal users, with federated partners if you allow federation, and run up PSTN costs if they are enabled for Enterprise Voice, and so on.

Issue

By default, when a Skype for Business client successfully authenticates, the Skype for Business Front End Server generates an X.509 certificate and publishes it to the RTC database, as well as to the user's local certificate store on the connecting client device.

Certificates are generated and issued to clients, not to individual users. Skype for Business users typically use multiple clients (e.g. the Skype for Business desktop client, a Polycom VVX handset, the Skype for Business mobile app), so they inevitably end up with multiple certificates.

Certificates are valid for 180 days, and they allow a user to continue to log in even after their AD account has been disabled. The AD account is not checked during certificate-based Skype for Business sign-in.

The following PowerShell command lists the multiple certificates that have been issued to devices I've been using. These are all still valid (look at ExpirationTime).

Get-CsClientCertificate -Identity steve.bush@x500.co.uk

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {18e7332f-d993-5a46-9bf5-07b7f8cc70fa}
PublicationTime : 31/05/2017 14:24:41
ExpirationTime : 27/11/2017 14:09:38

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {095d4315-2f8c-5fc3-9fb8-0accc4c87f0b}
PublicationTime : 05/06/2017 10:59:00
ExpirationTime : 02/12/2017 10:43:54

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {c569fe4f-bac2-5fc2-b303-10ab9b383340}
PublicationTime : 14/07/2017 08:26:10
ExpirationTime : 10/01/2018 08:11:10

Identity : sip:steve.bush@x500.co.uk
CertificateType : OcsSigned
DeviceId : {785dc7b5-9ed4-509a-9c4b-0ced620bb048}
PublicationTime : 02/08/2017 13:03:32
ExpirationTime : 29/01/2018 12:48:31

Solution

At the point of disabling the user account, the following PowerShell command should be run to revoke all client certificates issued to the user.

Revoke-CsClientCertificate -Identity steve.bush@x500.co.uk

All granted certificates have been revoked for user with identity “sip:steve.bush@x500.co.uk”

This task can also be performed using the Skype for Business Server 2015 Control Panel.
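The leaver step above, as an added example script that is not from the original post: it looks up the user, records the certificates they currently hold, disables the AD account, revokes every client certificate, and then re-queries to confirm nothing is left. It assumes it is run in the Skype for Business Server Management Shell with the ActiveDirectory module available, and that the object returned by Get-CsUser exposes SipAddress and SamAccountName (assumption).

```powershell
# Added example (not from the original post). Revoke all Skype for Business
# client certificates for a leaver and verify that none remain.
# Assumes: Skype for Business Server Management Shell, ActiveDirectory module,
# and an account permitted to run Revoke-CsClientCertificate / Disable-ADAccount.
param(
    [Parameter(Mandatory = $true)]
    [string]$Identity   # SIP address of the leaver, e.g. user@example.com (placeholder)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the Skype for Business user; stop if the identity is unknown.
$csUser = Get-CsUser -Identity $Identity -ErrorAction Stop
$sip    = $csUser.SipAddress   # assumed property, formatted "sip:user@domain"

# Record what the user holds before revocation: one certificate per device.
$before = @(Get-CsClientCertificate -Identity $sip)
Write-Host ("{0}: {1} client certificate(s) found before revocation" -f $sip, $before.Count)
$before |
    Select-Object DeviceId, PublicationTime, ExpirationTime |
    Format-Table -AutoSize

# Disable the AD account. On its own this does NOT stop certificate sign-in,
# which is why the revocation step below is required.
Disable-ADAccount -Identity $csUser.SamAccountName   # assumed property
Write-Host ("{0}: AD account disabled" -f $csUser.SamAccountName)

# Revoke every client certificate issued to this user.
Revoke-CsClientCertificate -Identity $sip

# Verify: the RTC database should now hold no certificates for the user.
$after = @(Get-CsClientCertificate -Identity $sip)
if ($after.Count -gt 0) {
    Write-Warning ("{0}: {1} certificate(s) still present after revocation" -f $sip, $after.Count)
    $after | Select-Object DeviceId, ExpirationTime | Format-Table -AutoSize
    exit 1
}
Write-Host ("{0}: all client certificates revoked" -f $sip)
```

Running it for each leaver produces a before/after record that can be kept with the rest of the leaver paperwork, and a non-zero exit code flags any case where certificates unexpectedly survive revocation.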
