OWA Integration fails

    Question

  • Hi,

    So I'm getting the notorious "cannot start IM session" error in OWA with grey bulbs.

    Here is the setup:

    2 Exchange sites, with 2 CAS servers in each (one site is a DR site):

    Site1-CAS01.Domain.local
    Site1-CAS02.Domain.local
    Site2-CAS01.Domain.local
    Site2-CAS02.Domain.local

    CAS Array: mail.domain.com (only one CAS Array, as the hardware load balancer will point the vip accordingly)

    Each Exchange server has a self-signed cert, an FQDN cert from the internal root CA, and a wildcard cert of *.domain.com from a 3rd party.

    I created a trusted pool with mail.domain.com and configured it for OWA integration, and I got the above behavior. Using logging and Snooper, I found that it did not like the default FQDN *.domain.com cert.

    So I created another trusted pool with site2.cas01.domain.local and in the $cert I used the certificate assigned by the internal root CA. Please note that this certificate is not assigned to IIS; I tested it, and that works fine.

    So my question is, how do I go about configuring OWA integration for my scenario?

    Thanks

    Friday, March 16, 2012 6:40 AM

Answers

  • It is really strange that it is still working without assigning the certificate to IIS. Anyhow, I have done this with a CAS array pool which had two servers in it, but was using a SAN certificate, not a wildcard certificate.

    You can go to Topology Builder and define the array name, not the CAS server names. In this case you don't have to select the single server option; you have to select the multiple server option, in which you can define multiple CAS servers.

    Can you run the command get-exchangecertificate | fl to see which certificates are assigned to which services? As you have mentioned that you are still using a self-signed certificate, which services is it using?

    Also, for the time being, what if you define the two CAS servers (primary site) in the trusted applications while defining the array and use the internal CA; does it work?


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 16, 2012 6:59 PM
  • Hi,

    Here are some suggestions:

    1) Create a trusted application pool with an FQDN matching the CAS array.

    2) Create a SAN certificate from your Enterprise CA; the 'subject name' of the cert should match the trusted application pool.

    Each CAS server FQDN should be added as a SAN entry. No need to assign this certificate to any services.

    3) The Enterprise Root must be available on all the servers and clients (by default it is installed).

    4) Run Get-OwaVirtualDirectory | Set-OwaVirtualDirectory with the 'thumbprint of the new cert' as mentioned by SKHATRI.

    Saturday, March 17, 2012 4:16 AM
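    The procedure in the answer above, written out as an added PowerShell example (not from the thread or from any poster): it selects the internal-CA certificate whose subject is the CAS array name and whose SAN list covers all four CAS FQDNs, binds that thumbprint to OWA IM integration, and defines the matching Lync trusted application pool. The Lync pool FQDN, site ID and application ID are placeholders; the host names are the ones given in the question.

    ```powershell
    # ---- Part 1: Exchange Management Shell, on a CAS ----
    # Names from the thread; the Lync Front End pool is a placeholder.
    $casArrayFqdn = 'mail.domain.com'
    $casServers   = 'Site1-CAS01.Domain.local','Site1-CAS02.Domain.local',
                    'Site2-CAS01.Domain.local','Site2-CAS02.Domain.local'
    $lyncPoolFqdn = 'lyncpool.domain.local'   # placeholder

    # Candidates: subject CN = CAS array FQDN, CA-issued (issuer != subject), still valid.
    $candidates = Get-ExchangeCertificate | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($casArrayFqdn))" -and
        $_.Issuer -ne $_.Subject -and
        $_.NotAfter -gt (Get-Date)
    }

    # Reject the *.domain.com wildcard and any cert missing a CAS FQDN in its SAN list.
    $cert = $null
    foreach ($c in $candidates) {
        $domains = @($c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        if ($domains -contains '*.domain.com') { continue }
        $missing = @($casServers | Where-Object { $domains -notcontains $_.ToLower() })
        if ($missing.Count -eq 0) { $cert = $c; break }
        Write-Warning "$($c.Thumbprint): SAN list lacks $($missing -join ', ')"
    }
    if (-not $cert) { throw "No cert covers $casArrayFqdn plus every CAS FQDN" }

    # The same certificate (same thumbprint) must be imported on every CAS, because this
    # sets one thumbprint on all OWA virtual directories. It need not be bound to IIS.
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS `
        -InstantMessagingEnabled $true `
        -InstantMessagingCertificateThumbprint $cert.Thumbprint `
        -InstantMessagingServerName $lyncPoolFqdn
    Write-Host "Bound $($cert.Thumbprint) ($($cert.Subject)) for OWA IM"

    # ---- Part 2: Lync Server Management Shell ----
    # Trusted application pool named after the CAS array, each CAS listed as a computer,
    # so the pool FQDN matches the certificate subject Lync sees during the TLS handshake.
    New-CsTrustedApplicationPool -Identity $casArrayFqdn -Registrar $lyncPoolFqdn `
        -Site 1 -RequiresReplication $false -ComputerFqdn $casServers[0]   # site ID placeholder
    foreach ($s in $casServers[1..3]) {
        New-CsTrustedApplicationComputer -Identity $s -Pool $casArrayFqdn
    }
    New-CsTrustedApplication -ApplicationId OutlookWebApp `
        -TrustedApplicationPoolFqdn $casArrayFqdn -Port 5199   # app ID/port placeholders
    Enable-CsTopology
    ```

    Part 1 is run on a CAS in the Exchange shell and Part 2 on a Lync Front End in the Lync shell, so the variables at the top are re-declared if the two parts are split into separate scripts.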
  • Hi Shah,

    Any update?

    Besides SKHATRI's and UCGuy's suggestions, here is a troubleshooting guide for reference.

    And you can also check these posts (Post A & Post B). Hope this helps.


    Noya Lau

    TechNet Community Support

    Tuesday, March 20, 2012 2:53 AM
    Moderator

All replies

  • Hi,

    I believe you should assign the certificate and map it to IIS, because these thumbnails will be used to do the instant messaging; however, if you are going to change this certificate to a third-party certificate you have to change it again. The following is the command: Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS -InstantMessagingEnabled:$true -InstantMessagingCertificateThumbprint

    As you can see, the certificate thumbprint the above command uses is the same thumbprint which is assigned to IIS on the CAS server.

    Plan it properly: if you always want to use the same internal CA, then you have to assign the certificate to the CAS server IIS role and then go ahead.

    For more information http://blog.schertz.name/2010/11/lync-and-exchange-im-integration/ 


    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    Friday, March 16, 2012 10:09 AM
  • SKhatri,

    Thanks for your response. I don't think that is the case, as the OWA integration is currently working, but it is working using the FQDN of the CAS server and not the CAS array. The cert for the FQDN of the CAS server is not assigned to IIS; the 3rd party wildcard is.

    So the OWA integration works, but I want it to work with the CAS array. Or can I just create 4 pools for the 4 CAS servers?

    Thanks

    Friday, March 16, 2012 6:29 PM