TLS failure OCS to Exchange 2010 CAS and IM fail from MOC to CWA, maybe they're related...

    Question

  • This could be a very long post, but here goes... I have an Edge server, I have OCS installed (with IM from MOC to MOC working) and OCS Communicator Web Access Server. All are running on VMs in VMWare 4.0 U1, with OS at Windows 2008 EE 64-bit R2 (which is supported from what I read). Maybe the VMWare side of things would be frowned upon, but it's handling it well so far. I take the approach that anything can be done if you put your mind to it.

    OK, so anyway... I've installed the OWA / OCS integration pieces step by step:
    http://technet.microsoft.com/en-us/library/ee633458.aspx (I do think there's some issue with the certificate process...) Currently the OCS presence info is available in OWA, but IM from OWA or CWA, to OWA or CWA will not work. OWA or CWA to MOC does work, oddly enough. Maybe it's best to simply say we aren't receiving IMs in CWA or OWA, regardless of where they're sent from.

    I believe I've got all necessary DNS entries created correctly, and I can log into CWA just fine.

    I've read one post about a hotfix for the UCMARedist hotfix here:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=B3B02475-150C-41FA-844A-C10A517040F4&displaylang=en&displaylang=en So this has been applied

    Exchange works fine, OWA works fine, just to be clear...

    On our OCS server, I see this error:

    OCS Protocol Stack              1001              14428
    TLS outgoing connection failures. Over the past 42 minutes Office Communications Server has experienced TLS outgoing connection failures 6 time(s). The error code of the last failure is 0x80004005 (Unspecified error) while trying to connect to the host "Exchange-CAS.domain.com".
    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
    Resolution:
    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    So it's a cert problem, right... I've been through certificates over and over, yet it still seems to be a cert issue. Maybe I prepared my Exchange-CAS cert wrong and it doesn't include the SN or something?

    I can telnet from OCS-Server to Exchange-CAS (port 25), and TLS appears to be working:
    220 exchange-cas.domain.com Microsoft ESMTP MAIL Service ready at Thu, 27 May 2010 11:39:18 -0500
    ehlo test
    250-exchange-cas.domain.com Hello [10.xxx.xxx.xxx]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250-XRDST
    250 XSHADOW
    starttls
    220 2.0.0 SMTP server ready

    This makes me think TLS is working... am I reading that wrong?

    I am using an internal CA for the certs for Exchange-CAS, OCS-Server & CWA-Server. I've been through this document: Deploying Certificates in Office Communications Server 2007 and Office Communications Server 2007 R2, published Aug 2009, and still can't seem to find a problem with my certs.

    When IM'ing from MOC to client using CWA or OWA, I get this error:
    The following message was not delivered to Bill Murray. More details (ID:504), yet with Bill Murray logged into OWA or CWA, I can IM back to me.

    If anyone has any initial thoughts, I'd love to hear them. Maybe some suggestions on certs for dummies would help?

    Also, just running Best Practices Analyzer tool for OCS R2, and I can post the results in a bit...

    Thursday, May 27, 2010 4:56 PM

All replies

  • Thanks for the great level of detail!  Saves that extra day of delays trying to get to the point! 

    Anyways, I assume the name of the Exchange CAS server is exchange-cas.domain.com and the certificate issued to the UM service in Exchange 2010 is issued with that name as the SN.

    Let's try this:

    1. If you could please post the results of Get-ExchangeCertificate from the exchange server

    2. Get-ExchangeCertificate -Thumbprint {UM Cert Thumbprint}.  You will have to copy the thumbprint for the Exchange UM Cert from step one and paste into step 2.

    Also, I don't see anything in here about how the front end server is configured. Is it an enterprise pool or standard edition server? Can you also post the changes you made to the web.config file?

    Mark


    Mark King | MCTS:UC Voice | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    • Proposed as answer by ThomasForeman Thursday, September 16, 2010 9:11 PM
    Friday, May 28, 2010 6:09 PM
  • Did you apply the patch listed here: http://support.microsoft.com/kb/975858/ when preparing your 2008 R2 box for OCS?

    I have seen some weird TLS issues happen when you do not have that patch installed.

    Randy Wintle | MCTS: UC Voice Specialization | Winxnet Inc
    • Proposed as answer by ThomasForeman Thursday, September 16, 2010 9:11 PM
    Saturday, May 29, 2010 12:26 AM
  • We had an issue with the OWA Chat feature, it had to do with there being quotes in the Issuer name field. You can check out our fix here:

    http://www.wadeware.net/it-infrastructure/how-to-fix-exchange-2010-owa-chat-feature/


    Thom Foreman, MCSE, MCSA, MCTS
    • Proposed as answer by ThomasForeman Thursday, September 16, 2010 9:11 PM
    Monday, June 07, 2010 3:04 PM
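    The OCS event quoted in the question names two causes for the TLS failure (a certificate whose names do not match the peer name, and a certificate from an issuer the local machine does not trust), and the reply above adds a third thing to look for (quote characters in the Issuer field). The script below is an added example, not something from the thread or from Microsoft's tooling: it walks through those checks over certificates written as dicts in the layout Python's ssl.SSLSocket.getpeercert() returns, so it runs offline. The hostnames, the CA name "domain-DC01-CA", the trusted-issuer list and every sample certificate are constructed for illustration; it also shows the SAN-beats-CN rule, which is what usually bites when a certificate "has the right name" in the subject but still fails.

```python
"""Classify a TLS peer certificate the way the OCS event text does:
"wrong principal" when no name on the certificate matches the peer name,
"untrusted root" when the issuer is not one the local machine trusts.

Certificates are plain dicts in the layout ssl.SSLSocket.getpeercert()
returns (tuples of RDNs for subject/issuer, (type, value) pairs for
subjectAltName). Every certificate, issuer and host name below is
constructed for illustration; none is taken from a real deployment."""


def dns_names(cert):
    """Names the certificate is valid for. SAN dNSName entries win; the
    subject CN is consulted only when there is no SAN at all (RFC 6125)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and '*' is honoured only
    as the entire leftmost label of a name with at least three labels, never
    matching across a dot (so *.domain.com does not cover a.b.domain.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
         "countryName": "C", "domainComponent": "DC"}


def rdn_string(name):
    """Flatten a getpeercert() subject/issuer tuple into 'CN=..., DC=...'."""
    return ", ".join(f"{SHORT.get(attr, attr)}={value}"
                     for rdn in name for attr, value in rdn)


def issuer_has_quotes(cert):
    """Flag double-quote characters in the issuer name; one reply on this
    thread traced an OWA chat failure to exactly that."""
    return '"' in rdn_string(cert.get("issuer", ()))


def classify(cert, peer_name, trusted_issuers):
    """Return (verdict, detail); verdicts are 'wrong principal',
    'untrusted root' or 'ok', checked in the order the event text lists them."""
    names = dns_names(cert)
    if not any(name_matches(n, peer_name) for n in names):
        return "wrong principal", f"{peer_name!r} is not among {names}"
    issuer = rdn_string(cert.get("issuer", ()))
    if issuer not in trusted_issuers:
        return "untrusted root", f"issuer {issuer!r} is not in the local trust list"
    return "ok", f"{peer_name!r} matched and issuer {issuer!r} is trusted"


# --- constructed sample material (not from any real server) ---
ISSUER_INTERNAL = ((("commonName", "domain-DC01-CA"),),
                   (("domainComponent", "domain"),), (("domainComponent", "com"),))
TRUSTED_ISSUERS = {"CN=domain-DC01-CA, DC=domain, DC=com"}
PEER = "Exchange-CAS.domain.com"   # the name the client dials, as in the event text

SAMPLES = {
    # SAN carries the FQDN: what a correctly requested CAS certificate looks like
    "san_fqdn": {"subject": ((("commonName", "exchange-cas.domain.com"),),),
                 "issuer": ISSUER_INTERNAL,
                 "subjectAltName": (("DNS", "exchange-cas.domain.com"),
                                    ("DNS", "autodiscover.domain.com"))},
    # CN only, and it is a different name than the one the client connects to
    "cn_other_name": {"subject": ((("commonName", "mail.domain.com"),),),
                      "issuer": ISSUER_INTERNAL},
    # CN is right but a SAN is present without the FQDN: SAN wins, CN is ignored
    "san_without_fqdn": {"subject": ((("commonName", "exchange-cas.domain.com"),),),
                         "issuer": ISSUER_INTERNAL,
                         "subjectAltName": (("DNS", "mail.domain.com"),)},
    # wildcard certificate from the same internal CA
    "wildcard": {"subject": ((("commonName", "*.domain.com"),),),
                 "issuer": ISSUER_INTERNAL},
    # right name, but issued by a CA the local machine has never heard of
    "unknown_ca": {"subject": ((("commonName", "exchange-cas.domain.com"),),),
                   "issuer": ((("commonName", "Some Other CA"),),)},
    # right name, but the issuer CN carries stray quote characters
    "quoted_issuer": {"subject": ((("commonName", "exchange-cas.domain.com"),),),
                      "issuer": ((("commonName", '"domain-DC01-CA"'),),
                                 (("domainComponent", "domain"),),
                                 (("domainComponent", "com"),))},
}


def run_samples(peer_name=PEER, trusted=TRUSTED_ISSUERS):
    """Verdict for every sample certificate, keyed by sample name."""
    return {label: classify(cert, peer_name, trusted)[0]
            for label, cert in SAMPLES.items()}


if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        verdict, detail = classify(cert, PEER, TRUSTED_ISSUERS)
        flag = "  (issuer contains quotes)" if issuer_has_quotes(cert) else ""
        print(f"{label:18} {verdict:15} {detail}{flag}")
```

Two points the samples make: the "san_without_fqdn" case is rejected even though the CN is correct, because a client that finds a SAN never falls back to the CN; and the "quoted_issuer" case fails the trust comparison as a plain string mismatch, which is why a certificate from the right CA can still look like an untrusted root. The classifier only models what the event text describes; it does not perform chain building, expiry or revocation checks.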
  • I am having the same issue, was there an alternate fix?

    Two server environment, one Front End and one CWA server. Both running standard edition

    I have KB975858 installed on both servers as well.

    OC 2007 R2 -> OC 2007 R2, works fine

    CWA -> OC 2007 R2, works fine

    OC 2007 R2 -> CWA, does not work

    CWA -> CWA, does not work

    Friday, April 08, 2011 9:54 PM
  • Install http://support.microsoft.com/kb/974571 on the FE and Edge server.

    After that, make sure NTLM SSP is disabled on both of them.

    Regards,

    Rahul Uppal

    Saturday, August 27, 2011 6:36 AM