Lync and Exchange UM for Voicemails

  • Question

  • I am having some issues getting Exchange UM Certificates to work with my Lync server so voicemails can be placed on the Lync system. Whenever Lync transfers to voicemail and tries to contact the Exchange UM service, I see the following errors:

    "The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Please check that this is a configured TLS peer and that the certificates being used are correct. More information: A TLS failure occurred because the target name specified in the certificate isn't correct"

    AND

    "The Microsoft Exchange Unified Messaging service rejected the call for the following reason: A TLS failure occurred because the target name specified in the certificate isn't correct. The error code = 0x1 and the message = Incorrect function." <-I see 3 of these error messages

    I created a new cert in the Exchange Console under Server Configuration, gave it a friendly name of "Lync VM", gave it an Exchange UM configuration and entered both the Exchange Server and Lync Server FQDN for a certificate of "Public". Then I used my certificate authority to create the certificate and import it over into the Exchange server and assign the UM service to it. Finally, I copied that certificate over to the Lync Server and imported it into the "Personal" store for a Local Computer account. If I double click the certificate file and click "Install" it installs it under "Other People" for a User Account. I also imported the certificate in the Personal certificate store for "Local Computer".

    The above steps seem to get rid of the first error message, but I still get three of the other error messages. I also tried just creating the certificate with just the FQDN of the Exchange UM server (My Exchange 2010 SP1 server has all the roles on it, it's a test environment, so I don't have any need to split out the roles).

    Anyone have any ideas?

    Tuesday, June 12, 2012 1:53 AM

Answers

  • I was finally able to figure out this issue. In the UM Dial Plan that I created, I needed to set VoIP security to Secured. Both Unsecured and SIP Secured did not work. Once this was set to secured, it instantly started working!
    • Marked as answer by mabrito Friday, June 29, 2012 7:44 PM
    Friday, June 29, 2012 7:44 PM
  • Hi,

    Looks like the certificate you requested for the Exchange UM service is not correct.

    1. The certificate needs to be requested from a CA which is trusted by the Lync server. What you did in this step is right.

    2. The certificate for the UM service has the Exchange server FQDN as the Subject name and any other required names (e.g. mail.domain.com, autodiscover.domain.com) added to the Subject Alternative Names field.

    3. If you cannot import the certificate to the Exchange server in EMC, please try to import the certificate to the Exchange server IIS website, then assign the certificate to the UM service in EMC or using PowerShell.

    You can refer to Jeff's article about Lync and Exchange UM Integration: http://blog.schertz.name/2010/11/lync-and-exchange-um-integration/

    You can use the Exchange server PowerShell to create the Exchange Certificate: http://technet.microsoft.com/en-us/library/dd351057.aspx


    Wednesday, June 13, 2012 7:51 AM
    Moderator

All replies

  • The approach you are taking is almost entirely wrong. You need to keep your certificate requests from Lync and Exchange separate.

    1. Create a certificate request from Exchange using the Exchange server's FQDN as the SN

    2. Process this request

    3. Assign the certificate to the UM service using EMC or the Exchange shell

    4. Create a certificate request from Lync using the certificates wizard in the Lync setup program

    5. Process this request

    6. Assign the certificate using the Certificates wizard

    Importing the certificate manually should not be necessary but if it is then it has to be stored in the Personal container for the Local Machine.

    Tuesday, June 12, 2012 12:55 PM
  • Not sure what you mean by entirely wrong. This is the guide I used to get it to the state I am in now: http://www.lynclog.com/2011/04/integrating-exchange-um-with-lync-2010.html

    I followed what you mentioned above and redid the certificates. In Exchange, under Server Configuration and then in the Exchange Certificates tab, I clicked "New Exchange Certificate" in the Actions menu. For the friendly name (first screen), I entered in the FQDN of the Exchange/UM server, then chose "Unified Messaging Server" and made it a Public certificate and entered in the FQDN of the Exchange/UM again and the request was created. I copied the contents of the request file, went to my CA and processed the request and created the certificate and then finished processing the Exchange Certificate request in EMC and assigned the UM role to it. 

    I also recreated the Lync certificates like you mentioned using the Certificates wizard of the Setup program.

    Still not having any success. If I am doing something wrong, the tutorial I followed is incorrect, or something, please let me know. Also, just to see if this would do anything, I manually imported the Exchange certificate over to the Lync server and have it stored in the Personal container for Local Machine and also imported the Lync certificate over to the Exchange server and have it stored in the Personal container as well for Local Machine... still no success (figured this wouldn't do anything, but was just ruling it out).

    Tuesday, June 12, 2012 1:48 PM
  • I looked at the article and it seems like a good article. I was confused about how you imported the certificate, and if you have assigned the Lync certificate to the services as I mentioned in my last reply then everything should be good. In fact, assigning the certificate correctly is required in order to get the Lync services to start, so if they are running you are in good shape.

    Are you still getting the same error message? Have you tried logging from the Lync side using the Lync logging tool? It might shed some more light on what is causing the issue.

    Tuesday, June 12, 2012 2:02 PM
  • Also, have you added your Exchange UM server as a trusted application in Lync?

    http://technet.microsoft.com/en-us/library/gg425804.aspx


    Tuesday, June 12, 2012 4:17 PM
  • Just added as a trusted application in Lync (I did it via Topology builder and not PS command line) and still having no success. I still get the following error messages, three times:

    The Microsoft Exchange Unified Messaging service rejected the call for the following reason: A TLS failure occurred because the target name specified in the certificate isn't correct. The error code = 0x1 and the message = Incorrect function.

    Also, if I don't have the certificate I created for the Exchange UM service in the personal certificate store on the Lync server, it still continues to throw this error:

    The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Please check that this is a configured TLS peer and that the certificates being used are correct. More information: A TLS failure occurred because the target name specified in the certificate isn't correct. The error code = 0x1 and the message = Incorrect function.. Remote certificate: 5C2EBA60D01D6A025126A2F731676F8F629FF120 (MabritoLync.rfd.lcl sip.rfd.lcl dialin.rfd.lcl meet.rfd.lcl admin.rfd.lcl). Remote end point: 172.19.20.154:3925. Local end point: 172.19.28.55:5061.

    The remote certificate it's talking about is the certificate that is applied to the Lync Services... the certificate that is created with the Lync Setup Program. I also imported this certificate into the personal certificate store on the Exchange Server as a Local Machine.

    Tuesday, June 12, 2012 5:54 PM
  • Sorry for late reply, got caught up in other things last week and had to back log this project. 

    I tried all your suggestions Sean with no success. I am going to dig more into the logs today and will reply back.

    Monday, June 18, 2012 12:17 PM
  • I'm having the exact same issue. I've tried all the suggestions above and I've read both the schertz and lynclog articles on configuring Exchange UM. Has anybody found out what is causing this problem?
    Wednesday, June 27, 2012 7:51 AM
  • Hi,

    In Jeff's blog above, it is mentioned that VoIP Security must be set to Secured.


    Monday, July 2, 2012 1:38 AM
    Moderator
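
Added example, not posted by anyone in this thread: a read-only audit of the three settings the thread kept returning to (the dial plan's VoIP security, whether the UM service accepts TLS, and the subject of the certificate enabled for UM). It assumes the Exchange 2010 Management Shell on the UM server and that the host's DNS name is the FQDN Lync connects to; values in `<>` are placeholders.

```powershell
# Added example: read-only audit for the Exchange 2010 Management Shell on the UM server.
# Assumption: the local host's DNS name is the FQDN that Lync uses to reach UM.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Dial plan: the fix reported in the thread was VoIP security = Secured.
foreach ($plan in (Get-UMDialPlan)) {
    "{0}: URIType={1} VoIPSecurity={2}" -f $plan.Name, $plan.URIType, $plan.VoIPSecurity
    if ("$($plan.VoIPSecurity)" -ne 'Secured') {
        Write-Warning "Dial plan '$($plan.Name)' is not set to Secured."
    }
}

# 2. UM server: a Secured dial plan needs the service to accept TLS (TLS or Dual mode).
$um = Get-UMServer -Identity $env:COMPUTERNAME
"UMStartupMode={0}" -f $um.UMStartupMode
if ("$($um.UMStartupMode)" -eq 'TCP') {
    Write-Warning "UM startup mode is TCP only; TLS calls will not be accepted."
}

# 3. Certificate enabled for UM: subject CN should be the UM server FQDN and be in date.
$umCerts = @(Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Where-Object { "$($_.Services)" -match '\bUM\b' })
if ($umCerts.Count -eq 0) {
    Write-Warning "No certificate is enabled for the UM service."
}
foreach ($cert in $umCerts) {
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    "{0} Subject={1} NotAfter={2} Status={3}" -f `
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.Status
    if ($cn -ne $fqdn) {
        Write-Warning "Subject CN '$cn' does not match server FQDN '$fqdn'."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $($cert.Thumbprint) has expired."
    }
}

# Remediation (these change configuration; run deliberately, one at a time):
#   Set-UMDialPlan -Identity '<dial plan name>' -VoIPSecurity Secured
#   Set-UMServer -Identity '<UM server>' -UMStartupMode Dual
#   Enable-ExchangeCertificate -Thumbprint '<thumbprint>' -Services UM
#   Restart-Service MSExchangeUM
```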