Certificate Problems in OWA Integration

  • Question

  • I must have installed 10 certificates by now, I can't figure this one out. I have 1 Exchange server hosting all Exchange roles. I have one Lync server hosting all roles for IM and Presence. I correctly configured OWA integration, and the controls are showing up, but I am getting the well documented "Instant messaging isn't available right now" from inside of OWA. It is a certificate problem. I am not sure I know enough about certificates to try anything additional. Here is my setup.

    I have a public SSL cert for my mail domain mail.wellness-group.org. The FQDN of the mail server is WGES.solace.local.

    My Lync FQDN is WGMS.solace.local. I am using a self-signed cert (issued by my primary DC/CA). This cert includes the following SANs:

    lync.wellness-group.org

    sip.wellness-group.org

    sipinternal.wellness-group.org

    sipexternal.wellness-group.org

    dialin.wellness-group.org

    meet.wellness-group.org

    admin.wellness-group.org

    mail.wellness-group.org

    WGES.solace.local

    I have this certificate installed on both the Exchange and the Lync box.

    Get-CsManagementStoreReplicationStatus yields:

    UpToDate           : True
    ReplicaFqdn        : WGMS.solace.local
    LastStatusReport   : 10/3/2011 3:10:29 PM
    LastUpdateCreation : 10/3/2011 3:10:26 PM
    ProductVersion     : 4.0.7577.0

    UpToDate           : False
    ReplicaFqdn        : WGES.solace.local
    LastStatusReport   :
    LastUpdateCreation : 10/3/2011 3:10:26 PM
    ProductVersion     :

    Lync Logging shows this:

    TL_ERROR(TF_CONNECTION) [0]0718.0EF0::10/03/2011-19:11:15.444.0000ad33 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
    LogType: connection
    Severity: error
    Text: The peer is not a configured server on this network interface
    Peer-IP: 192.168.1.116:45376
    Transport: TLS
    Result-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
    Data: fqdn="mail.wellness-group.org"
    $$end_record

    Which is followed directly with:

    TL_INFO(TF_PROTOCOL) [0]0718.0EF0::10/03/2011-19:11:15.444.0000ad27 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 3625187076
    Instance-Id: 000069EB
    Direction: incoming
    Peer: 192.168.1.116:45376
    Message-Type: request
    Start-Line: REGISTER sip:wellness-group.org SIP/2.0
    From: <sip:chris.dill@wellness-group.org>;epid=4FA4351FD0;tag=5d56bf3ad
    To: <sip:chris.dill@wellness-group.org>
    CSeq: 1 REGISTER
    Call-ID: 8e1465bd9bb34fda8eacb34c0e65c114
    MAX-FORWARDS: 70
    VIA: SIP/2.0/TLS 192.168.1.116:45376;branch=z9hG4bKfd86a851
    CONTACT: <sip:mail.wellness-group.org:5075;ms-fe=WGES.solace.local;transport=Tls;ms-opaque=dc9f2663bcfc585a>;+sip.instance="<urn:uuid:73e0d747-1fd9-5cf3-9703-8ad6657d4387>";text;audio;video;image
    CONTENT-LENGTH: 0
    EVENT: Registration
    EXPIRES: 1800
    SUPPORTED: gruu-10
    SUPPORTED: ms-forking
    SUPPORTED: msrtc-event-categories
    USER-AGENT: RTCC/3.5.0.0 OWA/14.01.0323.003
    Message-Body: –
    $$end_record

    IM in the office works fine, it saves missed conversations, syncs correctly, pulls AD thumbnailPhoto, etc. I am getting an online signal for the current users only with everything else disabled/offline.

    I have done: Enable-CsTopology after adding Exchange as a CsTrustedApplication

    Please instruct me if possible using steps pointing at my FQDNs, not just a link to the whitepaper on configuring certificates, which I have followed several times already. I am willing to begin anew with the Lync topology/certificate if necessary.

     

    Thank you for any help in advance.


    "Sadly most places want the Porsche fastness and reliability, but only pay for a used 74 Pinto, then they are "Shocked" that it won't run, and blame the IT guy"
    Monday, October 3, 2011 7:28 PM

All replies

  • On a side note, the Published Trusted Application Server is using the FQDN of my internal Exchange server, which is WGES.solace.local.

    When I tried to republish using my public name mail.wellness-group.org i got error messages when I published saying the FQDN could not be found.

     



    Monday, October 3, 2011 7:36 PM
  • Lync must point to the FQDN that is the Subject Name of the cert installed on Exchange.  So in your case, you need to point Lync to mail.wellness-group.org.  Do you have an internal A record for mail.wellness-group.org configured?  If not, you will need one pointing to your Exchange server.  Here is a great reference:

    http://blog.schertz.name/2010/11/lync-and-exchange-im-integration/


    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
    Monday, October 3, 2011 7:48 PM
  • That is the blog I ran off of to begin with. I followed his instructions to the letter. Everything is working, except I think my certificates are messed up. I cannot point Lync at a Trusted Application mail.wellness-group.org; it only takes the FQDN (WGES.solace.local). I just re-ran it through and nothing changed.

    I do have an A record in my DNS zone wellness-group.org which points mail at my server IP 192.168.1.116.


    Monday, October 3, 2011 8:10 PM
  • Based on another post I force-added my remote mail domain despite warnings that it could not be found. Now I have 2 Trusted Application Servers (internal FQDN WGES.solace.local) and (external FQDN mail.wellness-group.org).

    The DNS is correct, here is an nslookup from the Lync Server on mail.wellness-group.org:

    Server:  wgpdc.solace.local
    Address:  192.168.1.115

    Name:    mail.wellness-group.org
    Address:  192.168.1.116


    Monday, October 3, 2011 8:19 PM
  • Based on another post I created a certificate for my internal FQDN through my DC/CA and assigned it to no services on the Exchange server. I then used that certificate's thumbprint in Set-OwaVirtualDirectory.

     

    I tried this both with the above extra Trusted Application Server (mail.wellness-group.org) and without it, and there was no change at any point.


    Monday, October 3, 2011 8:43 PM
  • This is the current information message logged. I still get the unavailable messaging service, but no more red flags in the log...

    TL_INFO(TF_CONNECTION) [0]0718.0830::10/04/2011-00:24:51.106.000124a8 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(164))$$begin_record
    LogType: connection
    Severity: information
    Text: TLS negotiation started
    Local-IP: 192.168.1.118:5061
    Peer-IP: 192.168.1.116:11757
    Connection-ID: 0x29D00
    Transport: TLS
    $$end_record

     


    Tuesday, October 4, 2011 12:27 AM
  • Hi Christopher,

    Please go to http://www.digicert.com/help/ and test your certificate for Lync and Exchange.

    Also please use the logging tool to troubleshoot the integration issue, following this link:

    http://blogs.technet.com/b/ilvancri/archive/2010/10/10/troubleshooting-lync-exchange-owa-integration.aspx

    For the certificate issue, ensure that you have registered the application name in Lync Topology Builder using the Exchange certificate's SUBJECT NAME and not any of the SUBJECT ALTERNATIVE NAMES.

    And I also heard that self-signed certificates will cause problems when integrating Lync and Exchange OWA; for more details you can read through this similar thread:

    http://social.technet.microsoft.com/Forums/en-AU/ocsucintegration/thread/0ca86a9f-4494-4a45-8b2f-06a4ae0c0069

    Besides, here is some more information for your reference.

    http://social.technet.microsoft.com/Forums/en-GB/ocsucintegration/thread/bd2ff1c5-6cce-42e3-862b-d9baf1325199

    http://www.lynclog.com/2011/09/lync-exchange-2010-sp1-owa-integration.html

    http://blogs.technet.com/b/ilvancri/archive/2010/09/22/configuring-exchange-2010-sp1-and-lync-rc-to-enable-owa-as-lync-endpoint.aspx

    Regards,

    Sharon


    • Marked as answer by Sharon.Shen Friday, October 14, 2011 6:51 AM
    Friday, October 7, 2011 9:05 AM
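The check that both Tim's and Sharon's replies describe, written out as an added example (this is not code from the thread or from Microsoft): the certificate that OWA presents to Lync is identified by the thumbprint on the OWA virtual directory, and its Subject CN, not any SAN entry, must equal the FQDN registered in Lync as the trusted application pool. The host names are the thread's own; the port and pool values are read from the servers rather than assumed. The first part runs in the Exchange Management Shell on the CAS, the second in the Lync Server Management Shell.

```powershell
# --- Exchange Management Shell, on the CAS that hosts OWA (WGES.solace.local) ---
function Test-OwaLyncCertificate {
    param(
        [string]$CasServer        = 'WGES.solace.local',
        # FQDN registered in Lync as the trusted application pool; the OWA
        # certificate's Subject CN must equal this value
        [string]$ExpectedPoolFqdn = 'mail.wellness-group.org'
    )

    $owa = Get-OwaVirtualDirectory -Server $CasServer | Select-Object -First 1
    if ($owa.InstantMessagingType -ne 'Ocs' -or -not $owa.InstantMessagingEnabled) {
        Write-Warning "OWA on $CasServer is not enabled for Lync (InstantMessagingType should be Ocs)"
    }

    $thumb = $owa.InstantMessagingCertificateThumbprint
    if (-not $thumb) { throw "No InstantMessagingCertificateThumbprint is set on $CasServer" }

    # Get-ExchangeCertificate returns an X509Certificate2-derived object, so the
    # .NET certificate methods can be used on it directly
    $cert = Get-ExchangeCertificate -Server $CasServer -Thumbprint $thumb
    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san  = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # Subject Alternative Name extension
            ForEach-Object { $_.Format($false) }

    New-Object PSObject -Property @{
        CasServer     = $CasServer
        LyncPool      = $owa.InstantMessagingServerName   # Lync pool OWA registers against
        Thumbprint    = $thumb
        SubjectCN     = $cn
        SANs          = $san
        ChainValid    = $cert.Verify()   # true only if the issuing CA is trusted here;
                                         # the Lync server must trust the same CA
        CNMatchesPool = ($cn -ieq $ExpectedPoolFqdn)
    }
}

Test-OwaLyncCertificate | Format-List

# --- Lync Server Management Shell (WGMS.solace.local) ---
# PoolFqdn must equal SubjectCN from the Exchange check above. The thread's
# SIPPROXY_E_CONNECTION_UNKNOWN_SERVER record with fqdn="mail.wellness-group.org"
# is Lync reporting the name it took from the peer certificate and could not find
# among its trusted application pools.
Get-CsTrustedApplicationPool | Select-Object PoolFqdn, Registrar, RequiresReplication
Get-CsTrustedApplication     | Select-Object ApplicationId, TrustedApplicationPoolFqdn, Port
# Exchange does not run the Lync replica agent; a pool created with
# -RequiresReplication $false is expected to show UpToDate: False here.
Get-CsManagementStoreReplicationStatus -ReplicaFqdn 'WGES.solace.local'
```

If CNMatchesPool comes back False, the fix is on whichever side is cheaper to change: either issue a certificate whose CN is the registered pool FQDN and point `Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint` at it, or re-create the trusted application pool in Lync with the CN that the certificate already carries, then run `Enable-CsTopology`.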

  • Check that the FQDN/URL matches the one defined in the Exchange Management Shell, the Subject/Common Name of the certificate assigned to the CAS services, and the Trusted Application Server and/or Pool.

     


    TechNet Forum Moderator (Unified Communications) - http://www.leedesmond.com
    Friday, October 7, 2011 10:56 PM
  • I have 2 CAS/HUB servers in a CAS array and a single Lync FE server in a pool.

    I struggled with this certificate issue for several days and finally got it to work.

    If using multiple CAS boxes, make sure you have your Trusted Application Pool, Trusted Application Computers and Trusted Application set up correctly.

    I have an internal wildcard certificate for exchange which of course Lync detests. 

    I then tried additional multi-SAN certs in various configurations, thinking the CAS array name was needed as the hostname, to no avail.

    The key is to use a certificate for each CAS server with just that server's FQDN as the CN (not the short hostname) and NO other SANs in the certificate.

    Apply it to the respective OWA folders.

    Hopefully for you... network nirvana!

    Cheers

    Tuesday, December 13, 2011 3:02 AM
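The per-CAS procedure in the last reply, as an added example (not code from the thread): one certificate per CAS whose Subject CN is that server's own FQDN and whose only DNS name is that same FQDN, bound to OWA for IM only and never enabled for any Exchange service, with the CAS servers registered in Lync as a single trusted application pool plus additional computers. All names are assumptions for illustration: two CAS servers cas1/cas2.corp.local, Lync pool lyncpool.corp.local, an enterprise CA reachable as `ca.corp.local\Corp-Issuing-CA` that offers the WebServer template, and the default `owa (Default Web Site)` virtual directory.

```powershell
# --- Exchange Management Shell (run once, from any Exchange server) ---
$casServers = 'cas1.corp.local', 'cas2.corp.local'   # assumed CAS FQDNs
$lyncPool   = 'lyncpool.corp.local'                  # assumed Lync pool/FE FQDN
$caConfig   = 'ca.corp.local\Corp-Issuing-CA'        # assumed "CAHost\CAName" for certreq
$workDir    = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

foreach ($fqdn in $casServers) {
    $shortName = $fqdn.Split('.')[0]
    $reqPath   = Join-Path $workDir "$shortName.req"
    $cerPath   = Join-Path $workDir "$shortName.cer"

    # CSR generated on the CAS itself (the private key stays there). CN is the
    # server FQDN and the single DomainName is the same FQDN, so no other SANs.
    $csr = New-ExchangeCertificate -Server $fqdn -GenerateRequest `
               -SubjectName "CN=$fqdn" -DomainName $fqdn `
               -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -Path $reqPath -Value $csr -Encoding Ascii

    # Submit to the enterprise CA; certreq.exe ships with Windows.
    # Template name is an assumption, use whatever your CA publishes for servers.
    & certreq.exe -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath | Out-Null
    if (-not (Test-Path $cerPath)) { throw "CA did not return a certificate for $fqdn" }

    # Complete the pending request on that CAS. Deliberately no Enable-ExchangeCertificate:
    # this certificate exists only for the OWA <-> Lync connection.
    $cert = Import-ExchangeCertificate -Server $fqdn `
                -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

    Set-OwaVirtualDirectory -Identity "$shortName\owa (Default Web Site)" `
        -InstantMessagingType Ocs -InstantMessagingEnabled $true `
        -InstantMessagingServerName $lyncPool `
        -InstantMessagingCertificateThumbprint $cert.Thumbprint
    Write-Host "$fqdn -> CN=$fqdn thumbprint $($cert.Thumbprint)"
}
# Run "iisreset /noforce" on each CAS afterwards so OWA reloads the IM settings.

# --- Lync Server Management Shell ---
# One pool named after the first CAS; every other CAS is a computer in that pool.
# Lync matches each incoming TLS peer by its certificate CN, so each computer's
# FQDN here must equal the CN issued above. Single site assumed.
$siteId = (Get-CsSite | Select-Object -First 1).SiteId
New-CsTrustedApplicationPool -Identity $casServers[0] -Registrar $lyncPool -Site $siteId `
    -RequiresReplication $false -ThrottleAsServer $true -TreatAsAuthenticated $true
$casServers | Select-Object -Skip 1 | ForEach-Object {
    New-CsTrustedApplicationComputer -Identity $_ -Pool $casServers[0]
}
# Port is the value the thread's trace shows OWA using (5075); any free port works
# as long as the same value is used here.
New-CsTrustedApplication -ApplicationId ExchangeOWA -TrustedApplicationPoolFqdn $casServers[0] -Port 5075
Enable-CsTopology
```

Because the CN-only certificate is never enabled for IIS, SMTP or any other Exchange service, the public SAN certificate on the CAS keeps serving users; the CN-only one is picked solely by the thumbprint on the OWA virtual directory, which is the property Lync ends up validating.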