OWA 2013 and Skype for Business 2015 integration with wildcard certs and multiple CAS

  • Question

  • After spending some time fighting for a wildcard cert I decided to leave a post about it.

    I have 2 CAS/MBX Exchange 2013 servers and 1 Skype4B server. The Exchange servers use a wildcard certificate and one DNS round-robin name for the CAS array.

    First I've followed https://technet.microsoft.com/en-us/library/jj688055.aspx?f=255&MSPPError=-2147217396

    And there is nothing about multiple servers. Then I found out that I have to create a trusted application pool named after the cert subject. And it cannot be wildcarded. But there is a way out.


    • Edited by vden Wednesday, January 10, 2018 2:02 PM
    Monday, January 8, 2018 10:52 PM

Answers

  • 1. Issue a usual web certificate from the local CA on each Exchange server. The subject name must be the FQDN of this Exchange server. Add 3 SANs: the FQDN of each Exchange server and of the CAS array. You do not need to activate these certs for any Exchange service. These certs just need to exist in the computer certificate stores.

    2. Get the thumbprint of the certificate and add it to the local web.config. Repeat for every Exchange server.

    3. For every Exchange server run: `Get-OwaVirtualDirectory -Server <Exchange server> | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint <Thumbprint>`

    4. Using Topology Builder on the SFB server, create a Trusted Application Pool for multiple servers and add both Exchange servers. The name of this pool must be the CAS array FQDN.

    5. Add the application to the pool using the usual command from the instruction.

    6. Enable the topology and do an iisreset on both Exchange servers.

    Restart the browser and go to OWA. Maybe some things here are overkill, but it should work. I think the application pool can have any name, but it must exist in the SAN. And maybe it is not necessary to add the other SANs. I also think that adding InstantMessagingCertificateThumbprint in web.config is no longer needed. This file will be overwritten by any CU update, and Set-OwaVirtualDirectory should be enough.

    • Marked as answer by vden Wednesday, January 10, 2018 2:02 PM
    Wednesday, January 10, 2018 2:02 PM
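As an added example, not code from vden's answer or from Microsoft, here is how steps 1 and 3 can be combined so that a wildcard certificate, one whose subject is not the server's own FQDN, or one without the pool name in its SAN is refused before its thumbprint is ever bound. The hostnames ex01/ex02.example.local, mail.example.local and sfbpool.example.local are constructed placeholders, and -InstantMessagingEnabled, -InstantMessagingType and -InstantMessagingServerName are standard Set-OwaVirtualDirectory parameters that the thread itself does not quote.

```powershell
# Added example, not code from the thread. Hostnames are constructed placeholders.
# Run in the Exchange Management Shell on one of the Exchange 2013 servers.
$CasArrayFqdn    = 'mail.example.local'                      # must equal the SfB Trusted Application Pool name
$ExchangeServers = 'ex01.example.local', 'ex02.example.local'
$SfbPoolFqdn     = 'sfbpool.example.local'                   # the value the thread calls IMServerName

function Get-ImIntegrationCertificate {
    # Returns the one certificate on $ServerFqdn that SfB will accept for this trusted application:
    # subject is the server's own FQDN (a wildcard subject is rejected here on purpose), the pool
    # name is an exact SAN entry, the private key is present and the cert is not about to expire.
    param([string]$ServerFqdn, [string]$ArrayFqdn)
    Get-ExchangeCertificate -Server $ServerFqdn | Where-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { "$_" })
        $_.Subject -match "^CN=$([regex]::Escape($ServerFqdn))(,|$)" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date).AddDays(30) -and
        $domains -contains $ArrayFqdn -and
        $domains -contains $ServerFqdn
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Set-ImIntegrationCertificate {
    # Step 3 of the thread: point every OWA virtual directory on the server at that thumbprint.
    param([string]$ServerFqdn, [string]$Thumbprint, [string]$ImServerName)
    Get-OwaVirtualDirectory -Server $ServerFqdn |
        Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType Ocs `
            -InstantMessagingCertificateThumbprint $Thumbprint `
            -InstantMessagingServerName $ImServerName
}

foreach ($server in $ExchangeServers) {
    $cert = Get-ImIntegrationCertificate -ServerFqdn $server -ArrayFqdn $CasArrayFqdn
    if (-not $cert) {
        Write-Warning "${server}: no certificate with Subject CN=$server and SAN $CasArrayFqdn; issue one first (step 1)"
        continue
    }
    Write-Host "${server}: using $($cert.Thumbprint), expires $($cert.NotAfter.ToShortDateString())"
    Set-ImIntegrationCertificate -ServerFqdn $server -Thumbprint $cert.Thumbprint -ImServerName $SfbPoolFqdn
}

# Verify before the iisreset in step 6: each server must show its own, non-wildcard thumbprint
foreach ($server in $ExchangeServers) {
    Get-OwaVirtualDirectory -Server $server |
        Select-Object Server, InstantMessagingServerName, InstantMessagingCertificateThumbprint
}
```

Because the check is done per server against that server's own store, a CU that rewrites web.config does not change which certificate was selected, only the Set-OwaVirtualDirectory value needs to survive.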

All replies

  • Hi vden,

    Thanks for your sharing and advice.

    Yes, the web.config file is replaced during CU installation and must be edited to include the IMCertificateThumbprint and IMServerName values. This is required for OWA integration with Lync IM.

    Please copy the steps to install OWA 2013 and Skype for Business 2015 integration with wildcard certs and multiple CAS to a new reply and mark it as the answer; it will help others who have a similar issue.


    Regards,

    Leon Lu



    Wednesday, January 10, 2018 5:43 AM