Problem with Lync and Exchange Web Services with UAG

  • Question

  • Hi,

    Our environment:

    • We have a UAG (SP1 update 1 + hotfix) array with two members running Windows Server 2008 R2 SP1.
    • We have a HTTPS trunk called OWA (public host name owa.domain.com) for Exchange 2010 services with public certificate owa.domain.com. We also have a HTTP to HTTPS trunk for OWA. Autodiscover and EWS applications are configured with KCD for SPN http/*. We have delegated the http/cas.domain.local to both UAG servers in our AD. We have changed the CAS servers' EWS and autodiscover IIS authentication settings so the NTLM is at the top.
    • Lync web services are also published through UAG. HTTPS Trunk lyncweb (public host name lsweb-ext.domain.com) is configured with no authentication. Public wildcard certificate for lyncweb *.domain.com.

    Problem:

    External Lync clients connecting to our Lync Edge are receiving an Exchange connection error.

    KCD is working OK and the connection is forwarded to the CAS array. From the UAG log:

    The S4U2Self Kerberos token for user xxxx@domain.com with source IP address xxxxxxx was retrieved successfully. The application is Exchange 2010 EAS and OA - Autodiscover of type Autodiscover on trunk owa; Secure:1.

    The S4U2Self Kerberos token for user xxxx@domain.com with source IP address xxxxxxxx was retrieved successfully. The application is Exchange 2010 EAS and OA - EWS of type EWS on trunk owa; Secure:1.

    Going through the Lync HTTPS connections to owa.domain.com/EWS/Exchange.asmx I can see that the client is authenticating with Kerberos, but the CAS server responds with HTTP error 400. If I sign out from the client and sign in with a different account, the authentication switches to NTLM and is successful.

    Any help is appreciated!

    Regards, Jukka

    Tuesday, October 9, 2012 7:20 AM
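The post describes three configuration points on which the KCD path depends: the UAG members' delegation entry for the backend SPN, the registration of that SPN in AD, and the Windows authentication provider order on the EWS and Autodiscover virtual directories. The following PowerShell is an added read-only check of those three points; it is not code from the original post or from Microsoft. The UAG member names (UAG01, UAG02), the backend SPN value and the "Default Web Site" path are assumptions taken from the post's description, and it expects the ActiveDirectory (RSAT) and WebAdministration modules on a CAS server.

```powershell
# Added example (not from the original post): read-only checks of the KCD configuration
# described above. Names below are assumptions/placeholders, adjust to your environment.
Import-Module ActiveDirectory
Import-Module WebAdministration

$uagMembers = 'UAG01', 'UAG02'          # assumed UAG array member computer names
$backendSpn = 'http/cas.domain.local'   # SPN the post says was delegated to the UAG servers

# 1. Each UAG member must list the backend SPN in msDS-AllowedToDelegateTo, and must be
#    allowed protocol transition (S4U2Self), which the UAG log lines above rely on.
foreach ($name in $uagMembers) {
    $c = Get-ADComputer -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $delegates = @($c.'msDS-AllowedToDelegateTo') -contains $backendSpn
    '{0}: delegates to {1} = {2}; protocol transition allowed = {3}' -f `
        $name, $backendSpn, $delegates, $c.TrustedToAuthForDelegation
}

# 2. The backend SPN must be registered on exactly one account. A missing or duplicated
#    SPN is a common reason Kerberos to the backend fails while NTLM still works.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$backendSpn)" -Properties servicePrincipalName)
'SPN {0} registered on: {1}' -f $backendSpn, ($owners.Name -join ', ')
if ($owners.Count -ne 1) {
    Write-Warning ('Expected exactly one owner for {0}, found {1}' -f $backendSpn, $owners.Count)
}

# 3. Windows authentication provider order on the EWS and Autodiscover virtual directories
#    (the post says NTLM was moved to the top). Negotiate must still be present for the
#    Kerberos ticket UAG obtains via S4U2Proxy to be accepted by IIS.
foreach ($vdir in 'EWS', 'Autodiscover') {
    $providers = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$vdir" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name providers
    $order = ($providers.Collection | ForEach-Object { $_.value }) -join ', '
    '{0}: providers = {1}' -f $vdir, $order
    if ($order -notmatch 'Negotiate') {
        Write-Warning ('{0}: Negotiate provider missing, Kerberos from UAG cannot succeed' -f $vdir)
    }
}
```

Run it on a CAS server as an account that can read the computer objects; it changes nothing, and each section prints one line per item so the delegation, SPN ownership and provider order can be compared side by side with the UAG log entries quoted in the post.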