OWA and SFB IM integration

  • Question

  • I have searched every topic and keyword I can think of and found no answers that work.

    I have an Exchange 2016 server and a Skype For Business 2015 server.  I have looked at every tutorial, and read every technet topic I could find and it still won't work.

    I have determined that Instant Messaging Logs are being created with very cryptic error messages, and I can supply some of those messages if needed.  However, I think the issue is the certificates.  I have a public (Go Daddy) certificate on the Exchange server and a self-signed certificate on the SFB server.

    The Go Daddy certificate has multiple SANs but the CN is Server.Domain.us where server is the name of the Exchange server.

    Do I need to have a common certificate on both servers?  If so, which certificate do I use?  Can the Go-Daddy certificate be used on the SFB server?  I have tried to import it using the Deployment Wizard for SFB but it won't let me import it.

    If I can't use that one on SFB, how do I keep the Go Daddy certificate on Exchange and still utilize a self-signed one to work with SFB?

    Please be advised, if you post a link to another article, I'm 99 percent sure I've already read it.

    Monday, September 25, 2017 5:25 PM

All replies

  • Hi Bluzeman,

    Are IMs being stored successfully within the user's conversation history folder within the user's mailbox?

    Skype and Exchange on premise can authenticate with each other using OAuth certificates. These can be internally signed certs, and don't need to be publicly signed certs - and in fact I'd recommend against using a publicly signed cert on the Skype for Business front end server as this is not supported.

    Hope this helps

    Craig
    blog.chiffers.com

    Tuesday, September 26, 2017 6:36 AM
  • Hi TheBluzeman,

     

    Basically, to communicate securely in a standardized way, Skype for Business Server uses certificates issued by Certificate Authorities (CAs).

    You are unable to use a self-signed certificate on the SFB server; you could use a certificate from an internal enterprise certification authority (CA) or a public CA such as Go Daddy. But I recommend that you use a certificate from an internal enterprise certification authority (CA).

    If you changed the certificate and, after integrating OWA and SFB IM, it still does not work, please post the log on this thread (please hide the domain or other private information).

    Path C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging on the MBX server


    Best Regards,

    Leon-Lu
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, September 26, 2017 7:14 AM
  • You need to configure Exchange CAS and OAuth for proper integration with Exchange. Refer to the article below for configuration.

    https://technet.microsoft.com/en-us/library/jj721919.aspx?f=255&MSPPError=-2147217396


    Jayakumar K

    Tuesday, September 26, 2017 8:49 AM
  • Hello, and thank you all for the replies.

    Craig, yes the conversation history is being stored.  A few users have the red exclamation point saying there are connectivity issues between SFB and Exchange, but the conversation history is all there and current even on the ones I have looked at that have the red !.

    As to the certificates, I have to admit that I'm very confused on that issue.  So let me point out a few more things here.  For SFB, we are currently internal only.  An edge server and reverse proxy will be added later but for now none of that is in place.  Exchange however is both internal and external.

    So the current setup is self-signed on SFB and Go Daddy on Exchange.  I cannot replace the Go Daddy one with a self-signed as we have remote users.

    When I run Get-ExchangeCertificate it returns 7 certificates.  2 have no services assigned, WMSvc-<ServerName> and localhost.  I think the one I would need to change is the one called Microsoft Exchange Server Auth certificate, would that be correct?  And if so, do I just need to import that one to the SFB Server, import the oAuth from SFB to Exchange, or do I need to create a new one and replace both?

    I apologize for all the questions, Certificates have never been one of my strong suits. :)

    Tuesday, September 26, 2017 11:46 AM
  • I had a little free time today so I removed the IM Override that I previously created and made a new one using the thumbprint for Microsoft Exchange Server Auth Certificate.

    It still does not work but at least it's throwing an error in the event log, however I have not had much luck finding much information about it.

    The Event ID is 88.  The error reads:

    Failed to create an endpoint for user "sip:<User>@<Domain>" with SIP URI: "sip:<User>@<Domain>".

    Exception: "UCWEB Failure: Code=OcsFailureResponse, SubCode=Undefined, Reason=
    Microsoft.Rtc.Internal.UCWeb.Utilities.UCWException: The server name specified is not valid. Make sure that uri syntax is not used.
    Parameter name: host ---> System.ArgumentException: The server name specified is not valid. Make sure that uri syntax is not used.
    Parameter name: host
       at Microsoft.Rtc.Signaling.ConnectionContext.FailInvalidHost(LegacyConstructorValidation constructorValidation)
       at Microsoft.Rtc.Signaling.ConnectionContext..ctor(LegacyConstructorValidation constructorValidation, String host, Int32 port, String tlsTarget)
       at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint..ctor(UCWEndpointManager endpointManager, String sipUri, String homeServer, UInt32 categoryFilter, Object applicationContext, String endpointUserAgent)
       at Microsoft.Rtc.Internal.UCWeb.UCWEndpointManager.CreateEndpoint(String sipUri, String homeServer, UInt32 categoryFilter, Object applicationContext, String endpointUserAgent)
       --- End of inner exception stack trace ---
       at Microsoft.Rtc.Internal.UCWeb.UCWEndpointManager.CreateEndpoint(String sipUri, String homeServer, UInt32 categoryFilter, Object applicationContext, String endpointUserAgent)
       at Microsoft.Exchange.Clients.Owa2.Server.Core.InstantMessageOCSProvider.CreateEndpointAndBeginSignIn()"

    Any idea what this means?

    Tuesday, September 26, 2017 6:26 PM
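
    The Event ID 88 exception above says the host value must not use URI syntax. The following is an added example, not part of the thread (which does not state the eventual fix): a PowerShell check over the parameter strings of an OWA IM setting override. `IMServerName` and `IMCertificateThumbprint` are the parameter names of Exchange 2016's documented IM override; the function name and all sample values are constructed.

```powershell
# Added example; function name and sample values are constructed for illustration.
function Test-ImOverrideParameters {
    param(
        [string[]]$Parameters,        # "IMServerName=...", "IMCertificateThumbprint=..."
        [string[]]$KnownThumbprints   # thumbprints of certificates installed on the server
    )
    # Split the "key=value" strings into a lookup table.
    $map = @{}
    foreach ($p in $Parameters) {
        $k, $v = $p -split '=', 2
        $map[$k.Trim()] = "$v"
    }
    $findings = @()

    $name = $map['IMServerName']
    if (-not $name) {
        $findings += 'IMServerName is missing'
    } elseif ([System.Uri]::CheckHostName($name) -ne [System.UriHostNameType]::Dns) {
        # "sip:host", "https://host", "host:5061" and "host/path" all fail this test.
        $findings += "IMServerName '$name' is not a bare DNS host name"
    }

    $thumb = $map['IMCertificateThumbprint']
    if (-not $thumb) {
        $findings += 'IMCertificateThumbprint is missing'
    } elseif ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        # Catches spaces and invisible characters picked up when copying from a dialog.
        $findings += 'IMCertificateThumbprint is not 40 hex characters'
    } elseif ($KnownThumbprints -notcontains $thumb) {
        $findings += 'IMCertificateThumbprint matches no installed certificate'
    }
    return ,$findings
}

# Constructed sample input. Assumption: on a real server the values would be taken from
# (Get-SettingOverride).Parameters and (Get-ExchangeCertificate).Thumbprint.
$installed = @('0123456789ABCDEF0123456789ABCDEF01234567')
$bad  = @('IMServerName=sip:pool01.contoso.example', 'IMCertificateThumbprint=01 23 45')
$good = @('IMServerName=pool01.contoso.example', "IMCertificateThumbprint=$($installed[0])")

Test-ImOverrideParameters -Parameters $bad  -KnownThumbprints $installed
Test-ImOverrideParameters -Parameters $good -KnownThumbprints $installed
```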
  • I just read another tutorial that says you have to have a SIP UM Dial Plan for Instant messaging to work in OWA.  Is this true?

    There are so many conflicting requirements among so many different tutorials that I'm about ready to give up.

    Wednesday, September 27, 2017 12:12 PM
  • Anyone know what that error means?  I can't find a thing about it after a day of searching.
    Wednesday, September 27, 2017 7:38 PM
  • Problem solved!  I started another thread about the error as I thought it was a different issue, and Leon-Lu was able to give me just the information I needed.

    The issue was resolved HERE.

    Friday, September 29, 2017 3:07 PM
  • Hi TheBluzeman,

    I am glad to hear that, thank you for your update.


    Best Regards,

    Leon-Lu
    TechNet Community Support



    Sunday, October 1, 2017 8:37 AM