This documentation is archived and is not being maintained.

Provisioning Users and Applications

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

To enable users and Unified Communications Managed API 2.0 Core SDK applications to take advantage of Office Communications Server functionalities, data associated with the user or application in Active Directory must be activated and provisioned.

For each UserEndpoint instance (the user endpoint type), Active Directory should contain the user record that is enabled for Office Communications Server. This record can be created on Office Communications Server using Microsoft Management Console (MMC), using a privileged account or create the record programmatically. By default, users are not enabled for VoIP (Voice over Internet Protocol).

If Unified Communications Managed API 2.0 Core SDK is used to develop middle-tier applications that work with Office Communications Server, your application must have a trust relationship with Office Communications Server and with other supporting services such as Media Relay Authorization Server (MRAS). A trusted service entry in Active Directory enables Office Communications Server services to trust an application. This entry needs to be created only once for each application computer. The typical properties in this entry include the FQDN of the computer and the listening port.

Another trusted service entry property that can be used is an instance ID that is used to compute the GRUU that is implicitly associated with the application. Office Communications Server MMC displays an Authorized Hosts tab that can also be used to create a trust relationship, but this relationship is only for pool-level trust and is unsuitable for the trust relationship with an MRAS server that is needed to get server class tokens for supporting large numbers of conversations.

An application can be associated with an address of record (user at host portion of a URI) in the same way that a user is associated with a URI in Active Directory. For an application, a contact record is used like the user record for a user. The contact record contains information such as the URI for the application, phone URI (if any), the forwarding address (which is normally the GRUU of the application that corresponds to the trusted service entry), and the pool server (used as proxy for the application endpoint).

For a client platform that does not require a trust relationship, the computer should install the root certificate chain in order to trust the certificate supplied by Office Communications Server. Normally, this certificate is installed in the trusted root chain folder of the machine store. The certificate authority to be contacted for installing the root chain should be the same as the one used to install the certificate on the Office Communications Server computer.

In addition, to communicate with Office Communications Server, an application computer also requires a machine certificate because Office Communications Server supports only Mutual Transport Layer Security (MTLS) with trusted servers. This certificate is installed in the Personal Certificates folder in the local machine store. The subject of the certificate should match the FQDN of the local computer used in the trusted service entry.