OWA Skype integration not working after certificate change

  • Question

  • Greetings.

    Recently, we changed the Exchange certificate to a wildcard one.

    As Skype for Business doesn't support wildcard certificates, we renewed its certificate with only the Skype for Business names:

    DNS Name=lyncac.mycompany.com.br

    DNS Name=dialin.mycompany.com.br

    DNS Name=lyncdiscover.mycompany.com.br

    DNS Name=meet.mycompany.com.br

    DNS Name=meeting.mycompany.com.br

    DNS Name=sip.mycompany.com.br

    After changing the Skype for Business certificate and changing all the integration configuration (Set-OwaVirtualDirectory and the new thumbprint in web.config), the OWA Skype integration didn't work, logging:

    (...)Microsoft.Rtc.Internal.UCWeb.Utilities.UCWException: Unknown error (0x80131500) ---> Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) (...)

    In the link below, the author says: “This relates to a Certificate issue either the Skype for Business server doesn’t trust the Certificate used for OWA or the Certificate doesn’t contain the SANs of the FQDN of the Exchange Servers.”

    https://ucmart.uk/2015/09/08/skype-for-business-exchange-2013-owa-sign-in-fails-error-exception-ucweb-failure-codetlsfailure-subcodetlsremotedisconnected-reasonrnmicrosoft-rtc-internal-ucweb-utilities-uc/

    Does it mean that the Skype for Business certificate SAN needs to contain the CAS FQDN too?

    Or, what's missing for the integration to work?

    Saturday, June 18, 2016 7:01 AM

Answers

  • I did it!

    The public wildcard certificate is bound to the services.

    The certificate with the names used in the CsApplicationPool was issued by the internal CA and is not bound to any service. I just left it in the certificate repository.

    After importing the certificate on both MBX servers, I redid all the configuration of web.config and OwaVirtualDirectory, deleted the ApplicationPool that I had created for testing and re-added the application mb01 to the old application pool.

    And it worked!

    Thank you very much.

    • Proposed as answer by Liinus Tuesday, June 21, 2016 7:14 PM
    • Marked as answer by Niko.Cheng Saturday, July 9, 2016 5:23 AM
    Tuesday, June 21, 2016 6:35 PM

All replies

  • No, but the CAS FQDN has to be included on the Exchange certificate. If the wildcard includes this FQDN, it should be OK.

    regards Holger Technical Specialist UC

    • Proposed as answer by Liinus Saturday, June 18, 2016 10:20 AM
    • Unproposed as answer by FabioMartinsRB Tuesday, June 21, 2016 10:52 AM
    Saturday, June 18, 2016 9:05 AM
  • Validate that the CAS FQDN is there in the SAN entry of the Exchange wildcard certificate.


    Linus

    Saturday, June 18, 2016 10:45 AM
  • No, but the CAS FQDN has to be included on the Exchange certificate. If the wildcard includes this FQDN, it should be OK.

    regards Holger Technical Specialist UC

    In our environment we have a CAS array.

    So I need to put both server names as SANs in the wildcard certificate?

    cas01.mycompany.com.br

    cas02.mycompany.com.br

    One thing I don't understand is that we changed to the wildcard certificate some time ago and we didn't have problems with the OWA integration; the problem only happened after we changed the Skype certificate.

    Monday, June 20, 2016 2:45 AM
  • Hi FabioMartinsRB,

    You'd better add the records cas01.mycompany.com.br and cas02.mycompany.com.br to the wildcard certificate.

    Would you please tell us how you renewed your certificate for SfB?

    You could renew your certificate using the following method:

    1. Go to SfB Deployment Wizard Step 3 and click Run or Run Again.

    2. In the Certificate Wizard, select the proper certificate and then click Request.

    For details, please refer to

    https://blogs.technet.microsoft.com/uclobby/2015/05/15/requestrenewing-skype-for-business-server-2015-certificates/

    Best regards,

    Alice Wang 
    • Edited by Eason Huang Monday, June 20, 2016 10:13 AM update url
    Monday, June 20, 2016 9:15 AM
  • Hi Fabio , 

    Yes, let's make sure that both FQDNs are there in the SAN entry also; check the trusted application from the SfB side and verify that it's pointing to the correct FQDN of the CAS array.


    Linus

    Monday, June 20, 2016 10:38 AM
  • Hi FabioMartinsRB,

    You'd better add the records cas01.mycompany.com.br and cas02.mycompany.com.br to the wildcard certificate.

    Would you please tell us how you renewed your certificate for SfB?

    You could renew your certificate using the following method:

    1. Go to SfB Deployment Wizard Step 3 and click Run or Run Again.

    2. In the Certificate Wizard, select the proper certificate and then click Request.

    For details, please refer to

    https://blogs.technet.microsoft.com/uclobby/2015/05/15/requestrenewing-skype-for-business-server-2015-certificates/

    Best regards,

    Alice Wang 

    Before we had the wildcard certificate, we had a certificate with tons of names, including the Exchange names and the Skype for Business names. The same certificate, generated by the Exchange ECP wizard, was used for all services.

    After we changed the Exchange certificate to the wildcard one, we continued using the same certificate on the other services and changed them one by one at different times.

    When only the SfB certificate was left to change, we renewed that old certificate with tons of names, keeping just the SfB names, using the Exchange ECP wizard, as had been done the previous time.

    I will replace the wildcard certificate, adding the CAS name as a SAN.

    Thanks.

    Monday, June 20, 2016 11:51 AM
  • Hi Fabio , 

    Yes, let's make sure that both FQDNs are there in the SAN entry also; check the trusted application from the SfB side and verify that it's pointing to the correct FQDN of the CAS array.


    Linus

    Hi!

    One doubt.

    In the trusted applications of SfB, I have the name of the CAS array, like webmail.mycompany.com.br.

    May I add this name as a SAN of the Exchange wildcard certificate, or the name of each member of the CAS array?

    Monday, June 20, 2016 11:53 AM
  • When you have the CAS array mentioned in the trusted application, you have also mentioned the servers there, right? -> When you selected the multiple server scenario. Could you also look into the comment section of this blog, as I could see many people have reported the CAS array scenario.

    http://blog.schertz.name/2010/11/lync-and-exchange-im-integration/


    Linus

    Monday, June 20, 2016 3:37 PM
  • Hi!

    The Comodo CA doesn't allow putting SANs on wildcard certificates, because a wildcard is already a multi-subdomain certificate, *.mydomain.com.

    After reading this article:

    http://social.technet.microsoft.com/wiki/contents/articles/31375.integrate-exchange-2013-owa-and-skype-for-business-2015.aspx

    And talking with some colleagues, one suggested I change the trusted application to point to one of the MBX servers, create a certificate from our internal CA and install it in the certificate repository on that MBX server. Not necessarily bound to any service, just install the certificate.

    What do you think about this strategy?

    Thanks in advance. 

    Tuesday, June 21, 2016 10:47 AM
  • Yes Fabio, I was also reading the same. I would say you can go ahead with that plan. Let's check if that helps.


    Linus || Please mark posts as answers/helpful if it answers your question.

    Tuesday, June 21, 2016 11:23 AM
  • I created the certificate for one of the 2 MBX servers, mb01.mycompany.com.br.

    Got its thumbprint using Get-ExchangeCertificate.

    Changed the web.config of both MBX servers:

    • <add key="IMCertificateThumbprint" value="Certificate ThumbPrint of Mailbox Server"/>
    • <add key="IMServerName" value="skype.mycompany.com.br" />

    I removed the mb01.mycompany.com.br from the older CsTrustedApplicationPool.

    Ran the following:

    • New-CsTrustedApplicationPool -Identity mb01.mycompany.com.br -Registrar skype.mycompany.com.br -Site 1 -RequiresReplication $False

    • New-CsTrustedApplication -ApplicationId OutlookWebApp -TrustedApplicationPoolFqdn mb01.mycompany.com.br -Port 5399
      (5199 and 5299 were already bound to other applications)
    • Enable-CsTopology

    Ran the following too:

    • Get-OwaVirtualDirectory -Server CAS01 | Set-OwaVirtualDirectory -InstantMessagingType OCS -InstantMessagingCertificateThumbprint "Certificate ThumbPrint of Mailbox Server" -InstantMessagingServerName skype.mycompany.com.br
    • Get-OwaVirtualDirectory -Server CAS02 | Set-OwaVirtualDirectory -InstantMessagingType OCS -InstantMessagingCertificateThumbprint "Certificate ThumbPrint of Mailbox Server" -InstantMessagingServerName skype.mycompany.com.br

    And when I check the logs into:

    D:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

    on MB01: I see no errors.

    on MB02: 2016-06-21T17:30:40.320Z,49,5,,,,0,DEBUG:IM Certificate with thumbprint "Certificate ThumbPrint of Mailbox Server"could not be found.,

    I called the user I saw in the log of mb01, and she was using the Skype integration in OWA without problems.

    Can I conclude that if I request a certificate with both servers' FQDNs in the SAN, it will work on both servers?


    Tuesday, June 21, 2016 6:08 PM
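    The check below is an added example, not code posted in this thread: on each Mailbox server it confirms that the thumbprint OWA was configured with (Set-OwaVirtualDirectory) resolves to a certificate in that server's store, which is exactly what the "could not be found" line on MB02 above means is missing, and that the certificate's SAN covers the server FQDN used in the CsTrustedApplicationPool. The server names are examples, and running the last block from the Skype for Business Management Shell is an assumption.

```powershell
# Added example (not from the thread). Run the first part in the Exchange
# Management Shell (Exchange 2013); the last part in the Skype for Business
# Management Shell. Server names below are example values, not real hosts.

$servers = @('mb01.mycompany.com.br', 'mb02.mycompany.com.br')   # example names

foreach ($fqdn in $servers) {
    $short = $fqdn.Split('.')[0]

    # Thumbprint OWA will look for: what Set-OwaVirtualDirectory wrote.
    $vdir  = Get-OwaVirtualDirectory -Server $short | Select-Object -First 1
    $thumb = $vdir.InstantMessagingCertificateThumbprint

    Write-Host ("== {0}: IM type {1}, IM server {2}, thumbprint {3}" -f `
        $fqdn, $vdir.InstantMessagingType, $vdir.InstantMessagingServerName, $thumb)

    if ($vdir.InstantMessagingType -ne 'OCS' -or -not $thumb) {
        Write-Warning "$fqdn: IM integration is not configured on this OWA virtual directory"
        continue
    }

    # The DEBUG 'could not be found' log line means this lookup fails on that
    # server: the certificate must be imported into its local store (no
    # service binding is required for the IM integration certificate).
    $cert = Get-ExchangeCertificate -Server $short -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "$fqdn: no certificate with thumbprint $thumb in the local store; import it here"
        continue
    }

    # Skype contacts the pool by FQDN, so the SAN must list this server's FQDN.
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    if ($sans -notcontains $fqdn) {
        Write-Warning ("{0}: certificate SAN [{1}] does not include {0}" -f $fqdn, ($sans -join ', '))
    } else {
        Write-Host "$fqdn: certificate present and SAN includes the server FQDN" -ForegroundColor Green
    }
}

# Skype side cross-check (Skype for Business Management Shell): the OutlookWebApp
# trusted application must point at the same pool FQDN and port as above.
Get-CsTrustedApplication |
    Where-Object { $_.ApplicationId -like '*outlookwebapp*' } |
    Select-Object Identity, TrustedApplicationPoolFqdn, Port
```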
  • Thank you Fabio for sharing the findings. Yes, so that makes it clear that Skype talks to them by FQDN, but you mentioned that it's not possible to get the SAN entries as you have requested a wildcard certificate for Exchange? So are you going to request a new one?


    Linus || Please mark posts as answers/helpful if it answers your question.

    Tuesday, June 21, 2016 6:19 PM
  • Nice to hear Fabio that it worked.

    Linus || Please mark posts as answers/helpful if it answers your question.

    Tuesday, June 21, 2016 7:12 PM