Topic Last Modified: 2012-03-27

Client certificates provide a way for users to be authenticated when logging on to Microsoft Lync Server 2010. Certificates are particularly useful for telephones and other devices running Microsoft Lync 2010 Phone Edition where it is difficult to enter a user name and/or password. The Revoke-CsClientCertificate provides a way for administrators to revoke client certificates that have been issued to a user.

Revoke-CsClientCertificate -Identity <UserIdParameter> [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

Client certificates provide an alternate way for users to be authenticated by Lync Server 2010. Instead of providing a user name and password, users present the system with an X.509 certificate. (This certificate must have a subject name or subject alternative name that identifies the user.) To be authenticated, users only need to type in a personal identification number (PIN); it’s typically easier for a mobile phone user to type in a PIN than to type in an alphanumeric user name and/or password.

At any time administrators can revoke the client certificates that have been issued to a user by using the Revoke-CsClientCertificate cmdlet. Revoke-CsClientCertificate revokes all the client certificates issued to the user in question from the server.

Revoke-CsClientCertificate does not delete certificates from the client device itself; certificates are only deleted from the server. However, this is sufficient to prevent a client from using certificates for authentication purposes: if a certificate cannot be found on the server than the authentication request will be denied.

Note that, by default, the firewall exceptions for SQL Server Express are not enabled when you install the Standard Edition of Lync Server 2010. In turn, that means that you will not be able to run Revoke-CsClientCertificate from a remote instance of Windows PowerShell; that’s because your command will not be able to traverse the firewall and access the SQL Server Express database. (However, you can still run the cmdlet locally; that is, on the Standard Edition server itself.) If you are using Standard Edition and need to run Revoke-CsClientCertificate remotely you must manually enable the firewall exceptions for SQL Server Express.

Who can run this cmdlet: By default, members of the following groups are authorized to run the Revoke-CsClientCertificate cmdlet locally: RTCUniversalServerAdmins. To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Revoke-CsClientCertificate"}


Parameter Required Type Description



User Identity

Indicates the Identity of the user account for which certificates are to be revoked. User Identities can be specified by using one of four formats: 1) the user's Session Initiation Protocol (SIP) address; 2) the user's user principal name (UPN); 3) the user's domain name and logon name, in the form domain\logon (for example, litwareinc\kenmyer); and, 4) the user's Active Directory display name (for example, Ken Myer). User Identities can also be referenced by using the user’s Active Directory distinguished name.



Switch Parameter

Suppresses the display of any non-fatal error message that might occur when running the command.



Switch Parameter

Describes what would happen if you executed the command without actually executing the command.



Switch Parameter

Prompts you for confirmation before executing the command.

String value or Microsoft.Rtc.Management.ADConnect.Schema.ADUser object. Revoke-CsClientCertificate accepts pipelined input of string values representing the Identity of a user account. The cmdlet also accepts pipelined input of user objects.

None. Instead, Revoke-CsClientCertificate revokes instances of the Microsoft.Rtc.Management.UserPinService.CertInfoDetails object.

-------------------------- Example 1 ------------------------

Revoke-CsClientCertificate -Identity "Ken Myer"

The command shown in Example 1 revokes all the client certificates currently assigned to Ken Myer; this is done by calling Revoke-CsClientCertificate followed by the Identity of the user whose certificates are to be revoked.

-------------------------- Example 2 ------------------------

Get-CsUser | Revoke-CsClientCertificate

Example 2 revokes all the client certificates that have been issued in your organization. To do this, Get-CsUser is first called in order to return a collection of all the users in your organization who have been enabled for Lync Server. This collection is then piped to the Revoke-CsClientCertificate cmdlet, which deletes the certificates for each user in the collection.