Integration with OWA broken

  • Question

  • We used to have this working, but not any longer.  Now when users use OWA and go to sign in to IM.  We have both Skype for Business 2016 and Exchange 2016 on Premises.

    From the Skype server, I run the command Test-CsExStorageConnectivity -SipUri "sip:me@ourdomain" -Verbose

    and this test PASSES.  I take this as meaning that the partner application between Exchange and Skype is all OK.  So I don't have to look at my certificates or anything.  Is this correct?

    From the Exchange server I use this test...  Test-OAuthConnectivity -Service EWS -TargetUri https://chchexch16.ourdomain/ews/ -Mailbox "Me" -verbose |fl 

    but this test fails.  I get the error... 

    Task        : Checking EWS API Call Under Oauth
    Detail      : The configuration was last successfully loaded at 1/01/0001 12:00:00 AM UTC. This was 1061428490 minutes ago.
                  The token cache is being cleared because "use cached token" was set to false.
                  Exchange Outbound Oauth Log:
                  Client request ID: 47320369-7ad9-44b3-a30a-64bc62dfaeed

                  Exchange Response Details:
                  HTTP response message:
                  Exception:
                  System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.

    I have checked with netsh winhttp show proxy and both servers are set to Direct.

    I wish Microsoft had given us a wizard to set this up!  Any help appreciated.

    Thanks, Neal 


    Thursday, February 14, 2019 3:19 AM

All replies

  • Just found a TechNet that says the test always fails, so this might be a red herring.  https://support.microsoft.com/en-za/help/4488267/test-oauthconnectivity-always-fails-when-exchange-server-uses-proxy-to 

    Anyway, it says to install CU12, so we will do that - but I suspect it has nothing to do with our problem.  It was all working with CU5.

    Thursday, February 14, 2019 3:27 AM
  • Hi,

     

    Please try opening the OWA URL in a browser on the SfB server and take a look: are there any certificate warnings?

    Besides, please make sure you have created a Skype for Business Server trusted application pool and a trusted application associated with Outlook Web App.

    To do this, run Get-CsTrustedApplicationPool and Get-CsTrustedApplicationComputer in SFB to check the status.

    Also please run Get-OWAVirtualDirectory to check the configuration in Exchange Mgmt shell.

      

    In addition, the autodiscover service must be configured before you can integrate Skype for Business Server and Exchange Server. 

    You can verify whether or not the autodiscover service has been configured by running the following command from the Exchange Server.

    Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri | Format-List

     

    After the autodiscover service has been configured, you must then verify the Skype for Business Server OAuth configuration settings by running “Get-CsOAuthConfiguration” in SFB Mgmt shell.

    If it is not configured, please run the following which ensures that Skype for Business Server knows where to find the autodiscover service. 

    Set-CsOAuthConfiguration -Identity global -ExchangeAutodiscoverUrl "https://autodiscover.domain.com/autodiscover/autodiscover.svc"

     

    Some references:

    https://blogs.technet.microsoft.com/jenstr/2012/10/31/troubleshooting-tips-for-exchange-2013-owa-im-integration-to-lync-2013/

    https://docs.microsoft.com/en-us/previous-versions/office/communications/jj688055(v=ocs.16)

     

    As for the Test-OAuthConnectivity error reported, please try installing the latest CU as mentioned in the official article to have a fix.

    Kind regards,

    Calvin Liu


    Please remember to mark the reply as an answer if you find it is helpful. It will assist others who have a similar issue. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Calvin-Liu Thursday, February 21, 2019 9:39 AM
    Thursday, February 14, 2019 7:52 AM
  • Thanks Calvin for taking the time to reply.

    1) From the SfB server, can browse to OWA, no certificate error. 

    2) PS C:\Users\chch administrator> Get-CsTrustedApplicationPool

    Identity             : TrustedApplicationPool:chchexch16.antnz.local
    Registrar            : Registrar:chchlync.antnz.local
    FileStore            :
    ThrottleAsServer     : True
    TreatAsAuthenticated : True
    OutboundOnly         : False
    RequiresReplication  : False
    AudioPortStart       :
    AudioPortCount       : 0
    AppSharingPortStart  :
    AppSharingPortCount  : 0
    VideoPortStart       :
    VideoPortCount       : 0
    Applications         : {urn:application:outlookwebapp}
    DependentServiceList : {}
    ServiceId            : 1-ExternalServer-1
    SiteId               : Site:Christchurch
    PoolFqdn             : chchexch16.antnz.local
    Version              : 7
    Role                 : TrustedApplicationPool

    3)  PS C:\Users\chch administrator> Get-CsTrustedApplicationComputer

    Identity : chchexch16.antnz.local
    Pool     : chchexch16.antnz.local
    Fqdn     : chchexch16.antnz.local

    4) [PS] C:\Windows\system32>Get-OWAVirtualDirectory -server chchexch16

    Name                   Server     OwaVersion
    ----                   ------     ----------
    owa (Default Web Site) CHCHEXCH16 Exchange2013

    5) [PS] C:\Windows\system32>Get-ClientAccessService | Select-Object Name, AutoDiscoverServiceInternalUri | Format-List

    Name                           : CHCHEXCH16
    AutoDiscoverServiceInternalUri : https://autodiscover.ourdomain/Autodiscover/Autodiscover.xml

    6) PS C:\Users\chch administrator> Get-CsOAuthConfiguration

    Identity                               : Global
    PartnerApplications                    : {Name=Exchange;ApplicationIdentifier=00000002-0000-0ff1-ce00-000000000000;Rea
                                             nz;ApplicationTrustLevel=Full;AcceptSecurityIdentifierInformation=False;Enabl
    OAuthServers                           : {}
    Realm                                  : ourdomain
    ServiceName                            : 00000004-0000-0ff1-ce00-000000000000
    ClientAuthorizationOAuthServerIdentity :
    ExchangeAutodiscoverUrl                : https://autodiscover.ourdomain/Autodiscover/Autodiscover.svc
    ExchangeAutodiscoverAllowedDomains     :

    Thursday, February 14, 2019 7:57 PM
  • I've found the problem!

    Now I just have to figure out how to fix.  

    I found the log in C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

    and in the log I see this...

    2019-02-13T03:06:22.523Z,61,5,,,,0,DEBUG:IM Certificate with thumbprint ‎0d73ed787f96dea2155bbf724eab82f09237b44c could not be found.,

    2019-02-13T03:06:22.534Z,61,5,,,,0,DEBUG:Globals.Initialize: Initialization failed.,

    Thanks, Neal 

    • Proposed as answer by Calvin-Liu Friday, February 15, 2019 1:32 AM
    Thursday, February 14, 2019 8:15 PM
  • Hi,

     

    Awesome. Have you tried running the following cmdlet to reset it?

     

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS -InstantMessagingEnabled:$true -InstantMessagingCertificateThumbprint xxxxxx -InstantMessagingServerName fe.domain.com

    Note: The InstantMessagingCertificateThumbprint parameter specifies the trusted certificate used to communicate between the instant messaging server and the Mailbox server. Use the Get-ExchangeCertificate cmdlet to find the thumbprint of the certificate.

    Kind regards,

    Calvin Liu



    • Proposed as answer by Calvin-Liu Friday, February 15, 2019 1:32 AM
    Friday, February 15, 2019 1:32 AM
  • Hi Liu.

    Mixed results.  I used a different certificate, but now get a different error.  I want to wipe it all out and start again. 

    But the first thing I need to know is, when I use the command Get-ExchangeCertificate |fl I cannot tell which one I am supposed to use!  For the purposes of OAuth, how do I know which one?

    On the Skype server, I type Get-CSCertificate and I can see the USE field, and one of them shows OAuthTokenIssuer.

    Thanks, Neal 

    Friday, February 15, 2019 2:42 AM
  • Hi Neal,

    If you want to check to see if you already have an OAuth certificate assigned to Skype for Business Server, run the following command:

    Get-CSCertificate -Type OAuthTokenIssuer

    Any update for the result?

    Kind regards,

    Calvin Liu



    Thursday, February 21, 2019 9:39 AM
  • Hi Calvin

    Yes, on the Skype server I can type in Get-CSCertificate and see the type, but is there any way to see that on the Exchange server?  In other words, how do I see which certificate in Exchange to use?

    Thanks, Neal 

    Sunday, February 24, 2019 10:13 PM
  • Finally solved it.

    What I had to do is to make sure that the certificate (Get-CSCertificate -Type OAuthTokenIssuer) had SAN names that were our OWA FQDN.  Then I had to export it (with private key) and import it onto the Exchange server.

    Once that was done, I re-ran all the commands with that thumbprint.  

    I didn't find a way to see from Exchange that it was the correct one. 

    • Marked as answer by HotAir3.1 Tuesday, February 26, 2019 2:55 AM
    Tuesday, February 26, 2019 2:55 AM
  • Hi,

    Glad to hear the issue is solved, thanks for sharing!

    And for checking whether the OAuth certificate is the one associated with your Exchange server, please try the following steps in the Exchange Mgmt shell:

    1. Run Get-AuthConfig | fl CurrentcertificateThumbPrint to identify which certificate the authentication configuration is looking for.

    2. Then examine the above output to verify whether it matches one that is also available in Exchange by running "Get-Certificate".

    I also found a related article that could serve as a reference: https://support.microsoft.com/en-ca/help/3089171/exchange-oauth-authentication-couldn-t-find-the-authorization-certific 

    Kind regards, 

    Calvin Liu



    Tuesday, February 26, 2019 3:21 AM
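
One way to script the check that the solved post and the final reply describe, as an added example that is not code from any poster in the thread: it extracts the thumbprint from the OWA InstantMessaging log line and verifies that this certificate is in the Exchange server's local machine store with a private key, a valid date and a SAN covering the OWA FQDN. The function names and `owa.example.test` are assumptions; substitute your own OWA FQDN.

```powershell
# Added example, not from the thread. Run on the Exchange server.
# 'owa.example.test' is a placeholder for your own OWA FQDN (assumption).

function Get-ThumbprintFromImLog {
    param([string[]]$LogLine)
    foreach ($line in $LogLine) {
        # Message format as quoted in the thread's OWA InstantMessaging log.
        if ($line -match 'IM Certificate with thumbprint\s+(.+?)\s+could not be found') {
            # Pasted thumbprints can carry invisible characters; keep hex only.
            ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        }
    }
}

function Test-ImCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OwaFqdn
    )
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    # DnsNameList is filled by the certificate provider from the SAN extension.
    $sans  = if ($cert) { @($cert.DnsNameList | ForEach-Object { $_.Unicode }) } else { @() }
    [pscustomobject]@{
        Thumbprint    = $clean
        InLocalStore  = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotExpired    = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
        # -like lets a wildcard SAN match; it is looser than TLS wildcard rules.
        SanHasOwaFqdn = [bool]($sans | Where-Object { $OwaFqdn -like $_ })
        SanNames      = $sans -join ', '
    }
}

# Log line quoted in the thread, used here as sample input.
$logLine = '2019-02-13T03:06:22.523Z,61,5,,,,0,DEBUG:IM Certificate with ' +
           'thumbprint 0d73ed787f96dea2155bbf724eab82f09237b44c could not be found.,'
Get-ThumbprintFromImLog $logLine |
    ForEach-Object { Test-ImCertificate -Thumbprint $_ -OwaFqdn 'owa.example.test' }

# Exchange Management Shell only: the certificate the auth configuration points at.
if (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue) {
    $authThumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ($authThumb) { Test-ImCertificate -Thumbprint $authThumb -OwaFqdn 'owa.example.test' }
}
```

A certificate imported without its private key shows InLocalStore as True and HasPrivateKey as False.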