Integrating Lync 2010 with Exchange 2010 SP1

  • Question

  • Hi Folks,

    I'm having trouble getting Exchange 2010 SP1 to integrate properly with Lync 2010. My configuration is as follows:

    2 Exchange 2010 SP1 CAS\HT servers (mail1.domain.com & mail2.domain.com), each with its own cert. They are configured as a CAS array and load balanced using NLB (mail.domain.com).

    1 Lync 2010 Standard edition server.

    I've installed all the patches on the Exchange servers and configured them and the Lync server in what I believe to be the correct manner. The issue is this: both CAS servers each have their own cert with a separate thumbprint. I run the command:

    Get-OwaVirtualDirectory | set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint "213BF7792DF72782928ED7431D52957B9E086F08" -InstantMessagingServerName "lync2010.domain.com" -InstantMessagingType OCS -InstantMessagingEnabled $true

    on each of the CAS servers. However, if I put mail1.domain.com's thumbprint in the command when it is run, the "Get-OwaVirtualDirectory | fl Server,Instant*" command shows that thumbprint for both servers:


    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Server,Instant*

    Server                                : MAIL1
    InstantMessagingCertificateThumbprint : 1A2022CCF3D234087E682A3BEDD0B6459E87A0DC
    InstantMessagingServerName            : lync2010.domain.com
    InstantMessagingEnabled               : True
    InstantMessagingType                  : Ocs

    Server                                : MAIL2
    InstantMessagingCertificateThumbprint : 1A2022CCF3D234087E682A3BEDD0B6459E87A0DC
    InstantMessagingServerName            : lync2010.domain.com
    InstantMessagingEnabled               : True
    InstantMessagingType                  : Ocs

    If I then rerun the command on mail2, both servers are listed as having mail2's thumbprint. The result of this is that integration works if I go to https://mail1.domain.com/owa (if mail1's thumbprint is active), but it does NOT work if I go to https://mail2.domain.com/owa, OR https://mail.domain.com/owa.

    Something that was very unclear to me was exactly how to configure the Lync server for the NLB load-balanced CAS array. Right now I currently have it configured as a single server application pool with replication disabled as explained here: http://www.expta.com/2010/09/how-to-integrate-lync-server-2010-with.html. I did also try it with the multicomputer app pool, but that exhibited the same behaviour.

    Is it possible to get this to work with a CAS array using NLB where each server's thumbprint is different?

    Thanks for any insight,

    Ian

    Monday, January 10, 2011 11:08 PM

Answers

  • Well, based on what you said, I decided to try going through the whole certificate creation business again in the lab. I ran new-exchangecertificate, then submitted the request to my CA. I downloaded the resulting cert file to mail1, then copied it to mail2. I was able to run import-exchangecertificate and enable-exchangecertificate successfully on mail1. I then tried import-exchangecertificate on mail2, and that appeared to work too. Must be my memory playing tricks on me.

    However, when I tried to run enable-exchangecertificate on mail2, it errored out saying there was no private key. What to do?

    I finally ran export-exchangecertificate on mail1, which exported to a .pfx file with the private key intact (protected by a password). I then copied the .pfx file to mail2 and ran import-exchangecertificate and enable-exchangecertificate and it worked!

    Now all is well, so thanks for the help!

    Ian

    • Marked as answer by ianc3 Tuesday, January 11, 2011 6:56 PM
    Tuesday, January 11, 2011 6:56 PM
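The procedure Ian describes (export the mail1 certificate with its private key as a .pfx, import and enable it on mail2, then set the OWA thumbprint) as an added Exchange Management Shell example, not code from the thread. It assumes it is run on mail1, that $Thumbprint is the certificate already enabled there, that the certificate was requested with an exportable private key, that C:\certs\ exists, and the PFX password is a placeholder.

```powershell
# Added example (not from the thread): copy the CAS array certificate, private key
# included, from mail1 to mail2 and verify both nodes agree before enabling OWA/IM.
# Assumptions: run from the Exchange Management Shell on mail1; $Thumbprint is the
# thumbprint of the certificate already enabled on mail1 (requested with
# -PrivateKeyExportable $true); C:\certs\ is a local folder; the password is a placeholder.

$Thumbprint = 'THUMBPRINT-OF-MAIL1-CERT-PLACEHOLDER'
$PfxPath    = 'C:\certs\casarray.pfx'
$PfxPass    = ConvertTo-SecureString 'ReplaceMe!' -AsPlainText -Force

# 1. Export from mail1 as PFX so the private key travels with the certificate. A plain
#    .cer copy carries no key, which is why Enable-ExchangeCertificate on the second
#    node fails with "no private key".
$Exported = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true -Password $PfxPass
Set-Content -Path $PfxPath -Value $Exported.FileData -Encoding Byte

# 2. Import the PFX on mail2 and bind it to IIS (OWA) there.
Import-ExchangeCertificate -Server 'mail2' -Password $PfxPass `
    -FileData ([Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server 'mail2' -Thumbprint $Thumbprint -Services IIS

# 3. Check: the same thumbprint, with a private key, must be present on both nodes.
foreach ($Node in 'mail1', 'mail2') {
    $Cert = Get-ExchangeCertificate -Server $Node -Thumbprint $Thumbprint
    if (-not $Cert -or -not $Cert.HasPrivateKey) {
        throw "$Node does not hold certificate $Thumbprint with its private key"
    }
}

# 4. Only now point the OWA virtual directories at the shared thumbprint. Piping
#    Get-OwaVirtualDirectory sets every OWA vdir it returns in one go, so both servers
#    showing one thumbprint is the intended state once they share the certificate.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -InstantMessagingCertificateThumbprint $Thumbprint `
    -InstantMessagingServerName 'lync2010.domain.com' `
    -InstantMessagingType OCS -InstantMessagingEnabled $true

# 5. Remove the key-bearing file once both nodes are verified.
Remove-Item -Path $PfxPath -Force
```

Run `Get-OwaVirtualDirectory | fl Server,Instant*` afterwards; both MAIL1 and MAIL2 should now report the same thumbprint and both https://mail1.domain.com/owa and https://mail.domain.com/owa present a certificate whose private key each node holds.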

All replies

  • You should be using the same exact certificate on each node of the CAS array, thus the thumbprint is identical.  It's not a correct configuration to use unique certificates (even if they are configured using the same SN/SAN data) as the private key is different between them.
    Jeff Schertz, Microsoft Solutions Architect - Polycom | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, January 11, 2011 3:39 PM
    Moderator
  • <<You should be using the same exact certificate on each node of the CAS array>>

    That would seem to be the case, however, I had a different experience in the lab. My first thought was to do just that: use the same cert on both nodes.

    I generated a cert in the lab which had all the appropriate names on it and successfully imported it on the first node using import-exchangecertificate. However, when I tried to import the cert on the second node using import-exchangecertificate, the command failed, saying that the thumbprint already existed. Hence, I needed to use two certs to be able to import them both.

    How does one get around this problem?

    ianc

    Tuesday, January 11, 2011 4:26 PM
  • Interesting, I have not run into that before, although I typically do not use the Exchange cmdlets to perform the certificate import.  I bring the certificate in through normal means and then assign the certificate to Exchange services using Powershell.
    Jeff Schertz, Microsoft Solutions Architect - Polycom | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, January 11, 2011 6:15 PM
    Moderator