November 4 2009

Office Communicator error – Cannot synchronize address book

We’d rolled out Office Communicator 2007 R2 across the environment, however a handful of machines were getting the ‘Cannot synchronize address book’ error and when expanded the entire error message was ‘Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book.’

So after doing some extensive Googling, I did some troubleshooting and found that the situtation was:

– There was no issue with the proxy server. I could manually enter the name of one of the address book files (eg https://ocs.domain.com/Abs/Ext/F-0918.lsabs) and download it manually through the browser.

– There is no GalContacts.db file in the ‘C:Documents and Settings%UserName%Local SettingsApplication DataMicrosoftCommunicator’ folder meaning that there was no locally cached copy of the address book.

– In the registry under ‘HKCUSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONINTERNET SETTINGS’ if I set the CertificateRevocation DWORD and to 0, I can successfully sign in and retrieve the address book (below)

Registry setting
Registry setting

This pointed to an issue with the certificate we were using and specifically the Certificate Revocation List (CRL). From here we need to check the certificate we were using for OCS, look at the details tab and check the CRL Distribution Point (shown below)

Check Certificate
Check Certificate

I then checked this distribution point (a HTTP location in our case) and found out that it was invalid. Right, so next it was off to reconfigure our internal Certificate Authority server with the correct CRL locations.

On the Certificate Authority, we open up the MMC snap-in, right click the server name and select properties. On the extension tab, select ‘CRL Distibution Point’. You then want to configure some valid location underneath here and tick the box to ensure these are being included in the issued certificates. For example in my case, I ensured that there were 3 additional entries (not including the C:Windows one):

LDAP:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
[TICK] Publish CRLs to this location
[UNTICK] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[TICK] Publish Delta CRLs to this location

file://\<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
[TICK] Publish CRLs to this location
[GREYED OUT] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[UNTICK] Publish Delta CRLs to this location

http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
[GREYED OUT] Publish CRLs to this location
[GREYED OUT] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[GREYED OUT] Publish Delta CRLs to this location

Selecting OK will then restart the Certificate Services service. Then you need to recreate your OCS certificates via the OCS MMC certificate wizard. Once these have been applied to the OCS server (OCS services do NOT need to be restarted), you clients just need to sign out and back in and all of your address book issues are fixed!

If you look at your new certificate, the newly added CRL Distribution Points should be listed. You can also use the ‘Certutil.exe –v –verify –urlfetch c:exported_certificate.cer’ with above certificate and check that CRL locations can be reached successfully. The ‘pkiview.msc’ tools from the Windows 2003 Resource Kit was also very useful in checking that the CRL locations could be reached.



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

Tags: , , , , , , , , ,

Posted November 4, 2009 by danovich in category Certificates, OCS / Lync, Tools, Windows

6 thoughts on “Office Communicator error – Cannot synchronize address book

  1. goof1427

    hi danovich-

    good article but im a bit lost. I did figure out that the CRL was the issue by using a domain vs non domained machine on our network. We have a GPO to enable “check for server certificate revocation” in IE. So I dont know how to around this… I dont understand what valid locations I would add…I have the same three as you do above. Should I be adding some more? any help is appreciated. Thanks.

    Reply
  2. tony

    Thank you so much. This article was spot on in determining our OCS R2 address book issues which just started happening recently. It seems our CA changed the CRL URLs without much notice (well, it didn’t get to us).

    Reply
  3. danovich (Post author)

    Good to know it helped someone. I found the issue still exists with Lync 2010, in fact I came across the same issue in a different environment. Same process to fix it.

    Reply
  4. Louise

    “Then you need to recreate your OCS certificates via the OCS MMC certificate wizard.”

    I can’t seem to find this… are you talking about IIS?

    Reply

Leave a Reply