Configuring certificates for Autodiscover in Lync Server 2013

 

Topic Last Modified: 2012-12-12

The certificates for your Director pool, Front End pool, and reverse proxy require additional subject alternative name entries to support secure connections with Lync clients.

Note

You can use the Get-CsCertificate cmdlet to view information about the currently assigned certificates. However, the default view truncates the properties of the certificate and does not display all values in the SubjectAlternativeNames property. You can use the Get-CsCertificate, Request-CsCertificate and Set-CsCertificate cmdlets to view some information and to request and assign certificates. However, this is not the best method to use if you are unsure of the subject alternative names (SAN) on the current certificate. To view the certificate and all of its properties, use the Certificates snap-in in the Microsoft Management Console (MMC) or the Lync Server Deployment Wizard. In the Lync Server Deployment Wizard, you can use the Certificate Wizard to view the certificate properties. The procedures for viewing, requesting and assigning a certificate by using the Lync Server Management Shell and the MMC are detailed below. To use the Lync Server Deployment Wizard instead, see Configure certificates for the Director in Lync Server 2013 if you have deployed the optional Director or Director pool, or Configure certificates for servers in Lync Server 2013 for the Front End Server or Front End pool.
The initial steps in this procedure are preparation steps, to orient you as to what role the current certificates play. By default, the certificates will not have a lyncdiscover.<sipdomain> or lyncdiscoverinternal.<internal domain name> entry unless you have previously installed Mobility Services or have prepared your certificates in advance. This procedure uses the example SIP domain name 'contoso.com' and the example internal domain name 'contoso.net'.
The default certificate configuration for Lync Server 2013 and Lync Server 2010 is to use a single certificate (named 'Default') with the purposes Default (for all purposes except the web services), WebServicesExternal and WebServicesInternal. An optional configuration is to use separate certificates for each purpose. Certificates can be managed by using the Lync Server Management Shell and Windows PowerShell cmdlets, or by using the Certificate Wizard in the Lync Server Deployment Wizard.

To update certificates with new subject alternative names using the Lync Server Management Shell

  1. Log on to the computer using an account that has local administrator rights and permissions.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

  3. Find out which certificates have been assigned to the server and for which type of use. You need this information in the next step to assign the updated certificate. At the command line, type:

    Get-CsCertificate
    
  4. Look in the output from the previous step to see whether a single certificate is assigned for multiple uses or whether a different certificate is assigned for each use. Look in the Use parameter to find out how a certificate is used. Compare the Thumbprint parameter of the displayed certificates to see whether the same certificate has multiple uses.

  5. Update the certificate. At the command line, type:

    Set-CsCertificate -Type <type of certificate as displayed in the Use parameter> -Thumbprint <unique identifier>
    

    For example, if the Get-CsCertificate cmdlet displayed a certificate with a Use of Default, another with a Use of WebServicesInternal, and another with a Use of WebServicesExternal, and they all had the same Thumbprint value, at the command line, type:

    Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
    

    Important:

    If a separate certificate is assigned for each use (the Thumbprint value is different for each certificate), it is important that you do not run the Set-CsCertificate cmdlet with multiple types, because that would assign one certificate to all of them. In this case, run the Set-CsCertificate cmdlet separately for each use. For example:

    Set-CsCertificate -Type Default -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesInternal -Thumbprint <Certificate Thumbprint>
    Set-CsCertificate -Type WebServicesExternal -Thumbprint <Certificate Thumbprint>
    
  6. To view the certificate, click Start, click Run…, and type MMC to open the Microsoft Management Console.

  7. From the MMC menu, select File, select Add/Remove snap-in…, and select Certificates. Click Add. When prompted, select Computer account, then click Next.

  8. If the certificate is located on this computer, select Local computer. If the certificate is located on another computer, select Another computer, then either type the fully qualified domain name of the computer or click Browse and type the name of the computer in Enter the object name to select. Click Check Names. When the name of the computer is resolved, it will be underlined. Click OK, then click Finish. Click OK to commit the selection and close the Add or Remove Snap-ins dialog.

    Important

    If the certificate does not show up in the console, ensure that you have not selected User or Service. You must select Computer, or you will not be able to locate the proper certificate.

  9. To view the properties of the certificate, expand Certificates, expand Personal, and select Certificates. Select the certificate to view, right-click the certificate and select Open.

  10. In the Certificate view, select Details. From here, you can select Subject to display the assigned subject name and its associated properties.

  11. To view the assigned subject alternative names, select Subject Alternative Name. All assigned subject alternative names are displayed. The subject alternative names found in this property are of type DNS Name by default. You should see the following members (all of which should be fully qualified domain names as represented in DNS host (A or, for IPv6, AAAA) records):

    • Pool name for this pool, or the single server name if this is not a pool

    • Server name that the certificate is assigned to

    • Simple URL records, typically meet and dialin

    • Web services internal and Web services external names (for example, webpool01.contoso.net, webpool01.contoso.com), based on the choices made in Topology Builder and any overridden web services selections

    • If already assigned, the lyncdiscover.<sipdomain> and lyncdiscoverinternal.<sipdomain> records

    The last item is what you are most interested in: whether there is a lyncdiscover and a lyncdiscoverinternal SAN entry.

    Once you have this information, you can close the certificate view and the MMC.

  12. If an Autodiscover subject alternative name, meaning lyncdiscover.<domain name> or lyncdiscoverinternal.<domain name> (depending on whether this is the external or the internal certificate), is missing, and you are using a single Default certificate for the Default, WebServicesInternal and WebServicesExternal types, do the following:

    • At the Lync Server Management Shell command line prompt, type:

      Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use the DomainName parameter. When you use the DomainName parameter, you must define the FQDN for both the lyncdiscoverinternal and the lyncdiscover records, because this single certificate serves the internal and the external web services. For example:

      Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -Ca dc\myca -DomainName "Lyncdiscover.contoso.com, LyncdiscoverInternal.contoso.com, LyncdiscoverInternal.contoso.net" -verbose
      
    • To assign the certificate, type the following:

      Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint <Certificate Thumbprint>
      

      Where <Certificate Thumbprint> is the thumbprint displayed for the newly issued certificate.

  13. For missing internal Autodiscover subject alternative names when using separate certificates for Default, WebServicesInternal, and WebServicesExternal, do the following:

    • At the Lync Server Management Shell command line prompt, type:

      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use the DomainName parameter. When you use the DomainName parameter, you must use the appropriate prefix (lyncdiscoverinternal) for each SIP domain FQDN. For example:

      Request-CsCertificate -New -Type WebServicesInternal -Ca dc\myca -DomainName "LyncdiscoverInternal.contoso.com, LyncdiscoverInternal.contoso.net" -verbose
      
    • For a missing external Autodiscover subject alternative name, at the command line, type:

      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -AllSipDomain -verbose
      

      If you have many SIP domains, you cannot use the new AllSipDomain parameter. Instead, you must use the DomainName parameter. When you use the DomainName parameter, you must use the appropriate prefix (lyncdiscover) for each SIP domain FQDN. For example:

      Request-CsCertificate -New -Type WebServicesExternal -Ca dc\myca -DomainName "Lyncdiscover.contoso.com, Lyncdiscover.contoso.net" -verbose
      
    • To assign the individual certificate types, type the following (each with the thumbprint of the certificate issued for that type):

      Set-CsCertificate -Type Default -Thumbprint <Certificate Thumbprint>
      Set-CsCertificate -Type WebServicesInternal -Thumbprint <Certificate Thumbprint>
      Set-CsCertificate -Type WebServicesExternal -Thumbprint <Certificate Thumbprint>
      

      Where <Certificate Thumbprint> is the thumbprint displayed for each newly issued certificate.
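The following script is an added example for this page; it is not code from the original article or part of Lync Server. It automates the checks in steps 3, 4 and 11 and the decision in steps 12 and 13: it reads the assigned certificates with Get-CsCertificate, groups them by thumbprint to tell the single-certificate case from the separate-certificate case, decodes each certificate's Subject Alternative Name extension directly from the computer store (so nothing is truncated, unlike the default Get-CsCertificate view), and prints the Request-CsCertificate and Set-CsCertificate commands that would add the missing Autodiscover names. It only prints commands and changes nothing. Assumptions not taken from the article: it runs in the Lync Server Management Shell as a local administrator on an English-locale server (the SAN decoder matches the "DNS Name=" label); "dc\myca" is a placeholder CA name; the internal domain defaults to the computer's DNS domain; lyncdiscover.<sipdomain> is required for every SIP domain on the WebServicesExternal certificate, and lyncdiscoverinternal.<sipdomain> for every SIP domain plus the internal domain on the WebServicesInternal certificate.

```powershell
# Added example, not from the original article or from Lync Server itself.
# Audits the assigned Lync Server 2013 certificates for missing Autodiscover
# SAN entries and prints the Request-/Set-CsCertificate commands to fix them.
param(
    # Assumption: the internal domain is the computer's DNS domain.
    [string]$InternalDomain = ([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName).ToLower(),
    [string]$CA = 'dc\myca'   # placeholder CA name, replace with your issuing CA
)

# Decode the DNS names in a certificate's SAN extension (OID 2.5.29.17) straight
# from the computer store, so the list is complete rather than truncated.
# Assumption: English locale, so Format() labels entries as "DNS Name=".
function Get-SanDnsNames {
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $san.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $Matches[1].ToLower() } }
}

$sipDomains = @(Get-CsSipDomain | ForEach-Object { $_.Name.ToLower() })

# Which Autodiscover names each certificate use must carry (assumption above).
$required = @{
    'WebServicesExternal' = @($sipDomains | ForEach-Object { "lyncdiscover.$_" })
    'WebServicesInternal' = @(($sipDomains + $InternalDomain) | Select-Object -Unique |
                              ForEach-Object { "lyncdiscoverinternal.$_" })
}

# One group per thumbprint: a single group listing several uses is the
# single-certificate configuration; several groups is the separate-certificate
# configuration, where each use is requested and assigned on its own.
$groups = @(Get-CsCertificate | Group-Object Thumbprint)
if ($groups.Count -eq 0) { throw 'No certificates are assigned on this server.' }

foreach ($grp in $groups) {
    $uses = @($grp.Group | ForEach-Object { "$($_.Use)" })
    $needed = @()
    foreach ($u in $uses) { if ($required.ContainsKey($u)) { $needed += $required[$u] } }
    $needed  = @($needed | Select-Object -Unique)
    $present = @(Get-SanDnsNames -Thumbprint $grp.Name)
    $missing = @($needed | Where-Object { $present -notcontains $_ })

    Write-Host ("Thumbprint {0}  Use: {1}" -f $grp.Name, ($uses -join ','))
    Write-Host ("  SAN entries: {0}" -f ($present -join ', '))
    if ($missing.Count -eq 0) {
        Write-Host '  Autodiscover SAN entries: OK'
        continue
    }
    Write-Host ("  MISSING: {0}" -f ($missing -join ', '))

    # Request-CsCertificate adds the pool, server and simple URL names from the
    # topology itself; -DomainName only supplies the extra Autodiscover names.
    # The -Type list mirrors the uses this thumbprint currently serves, so the
    # replacement keeps the single- or separate-certificate layout intact.
    $typeList   = $uses -join ','
    $domainList = $needed -join ', '
    Write-Host "  Request-CsCertificate -New -Type $typeList -CA $CA -DomainName `"$domainList`" -Verbose"
    Write-Host "  Set-CsCertificate -Type $typeList -Thumbprint <thumbprint of the new certificate>"
}
```

Run it once before requesting anything: a single thumbprint reported with Use Default,WebServicesInternal,WebServicesExternal and a MISSING line corresponds to step 12, while separate thumbprints with their own MISSING lines correspond to step 13, and the printed Set-CsCertificate command for each group is deliberately limited to that group's own uses so the separate-certificate layout is never collapsed into one certificate.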