On the first sign-in Polycom phone tries to download Root CA certificate for Front End’s certificate. But the way it does it is not quite the same as the documentation says (apparently, echo OCS + Tanjay). In fact, the phone tries to get the root certificate (or the whole chain) through the Front-End Web services (or Director) when accessing “http: //%PoolFQDN%/CertProv/CertProvisioningService.svc/anon” and only after that, if the download of the certificate failed, the phone accesses AD but only in case if the login is made by name and password (via USB). If the input is made via Extension and PIN, then the phone does not have access to AD and it cannot download the root certificate, so the only option, in this case, is Web services.
Thus if Polycom phone cannot download certificate it means that you Front End Internal Web Services website is not running, phone cannot access it or maybe you have some encryption enabled.
If for some reason it’s not possible to meet the requirements above you can manually download certificate to Polycom phone:
- Connect Polycom phone via USB
- Log in to Polycom via Skype for Business client using domain FQDN instead of NETBIOS, i.e. enter user name as “domain.local\username” instead of “domain\username”
- Polycom should be able to download and install the certificate from Active Directory
Have fun! 🙂