Communicator Phone Edition – Update Issues

After following several guides to configuring the device update service in OCS 2007 R2, including Rui Silvas trilogy and Rick Varvels guide, I still couldn’t get the phones to update the software.

All logs were showing that it had worked, the Update service logs showing that the phone had found the right sw, and IIS logs showing me a 200 OK sent to all phones…

Troubleshooting finally led me to try downloading the CPE.nbt file manually from


which just gave me a blank page.

I tried comparing the IIS configuration to one I knew was working, and saw that I had a lot less IIS roles installed on the one that was not working.

When I installed this Front End server, i used the commands in this post to install the prereqs. Turns out that if you are going to use CPE, you will probably also need the “Static Content” role service in IIS to configure the correct MIME types on the fileextensions the update serrvice uses.

There exists default MIME types for both the .xml and the .cat extensions that is used by the updater. There is however no default for the .nbt extension.

If this role service is not installed, the updater does not work. You will have to add this feature, and then manually add the correct MIME types to the DeviceUpdateFiles_Int/ and DeviceUpdateFiles_Ext/ folders, which should be:

<mimeMap fileExtension=”.nbt” mimeType=”binary/octet-stream” />

<mimeMap fileExtension=”.cat” mimeType=”binary/octet-stream” />

(I have no idea as to why the bottom one is smaller than the other, but I cant get them equal size for some reason :S)

Hey presto! The phones update themselves like magic has happened!

Communicator phone edition certificates, Standalone CA

I recently was installing OCS in a domain where we for some reason could not use an enterprise CA, so a standalone was installed. This works fine on the MOC clients, but it was a problem when we were trying to use Communicator Phone Edition.

According to the phone ed. deployment guide, the CPE gets the certificate from AD like this:

1.   The device searches for Active Directory directory objects of category certificationAuthority. If the search returns any objects, the device will use the attribute caCertificate. This attribute is assumed to hold the certificate and the device will install the certificate.

The Root CA certificate must be published in the caCertificate for Communicator Phone Edition. To place the Root CA certificate in the caCertificate attribute, use the following command:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA.

2.   If the search for Active Directory objects of category CertificationAuthority does not return any objects, or if the objects have empty caCertificate attributes, the device searches for Active Directory objects of category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate AutoEnrollment was enabled in Active Directory. If the search returns any objects, it will use the dNSHostName attribute returned to reference the CA and it will then use the Web interface of the Microsoft Certificates Service to retrieve the Root CA certificate by using the HTTP GET command http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds, the device displays the error message “Cannot validate server certificate” and the user is unable to use the device.

The certutil command described above requires you to have necessary rights in the forest, which we didn’t have.

The solution ended up being:

* Run the server 2k3 reskit tool pkiview.msc
* Right click Enterprise PKI and choose Manage AD Containers
* In the NTAuthCertificates tab, add the root certificate of the standalone CA

That should be it! When we did this the phones started downloading the right certificate.

Edit: This might not be working perfectly. Some phones use an extreme amount of time downloading the right certificate. Might be the messy PKI in the forest being the problem, but i will need to test this some more…