Exchange wildcard certificates with Lync Phone Edition

There’s certainly no lack of information out there regarding issues with wildcard certificates in various situations with Exchange and, increasingly, Lync.  Jeff Schertz recently posted a good article on the topic as it relates to Lync.  It’s worth adding another tidbit to his information, which is that a wildcard certificate on Exchange Web Services will cause Lync Phone Edition not to connect to Exchange.  If you look at the log files from the phone you’ll see something like this (irrelevant parts of the log have been removed):

INFO  :: NAutoDiscover::DnsAutodiscoverTask::PopulateAutodiscoverUrlsFromDnsSrv: SRV record found for record, _autodiscover._tcp.domain.com, value, mail.domain.com.

INFO  :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: Trying url, https://mail.domain.com/autodiscover/autodiscover.xml

INFO  :: WebServices::CSoapTransport::OpenNewInternetHandle: Connecting using INTERNET_OPEN_TYPE_PRECONFIG flag

WARN  :: WebServices::CSoapTransport::OpenAndSendDummyRequest: HttpSendRequest failed. Server=mail.domain.com, Path=/autodiscover/autodiscover.xml

ERROR :: WebServices::CSoapTransport::GetHttpHeaders: Failed to send a dummy request: hr=0x80072f06, url=https://mail.domain.com/autodiscover/autodiscover.xml

INFO  :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: GetHttpHeaders failed with 0x80072f06

WARN  :: NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: Exception with this url. hr=0x80072f06

The error code I highlighted is ERROR_INTERNET_SEC_CERT_CN_INVALID, meaning that the CN (subject) of the certificate is not valid.

Be aware that this doesn’t cause any problems with the regular Lync client, only Lync Phone Edition.  As you probably guessed, the solution is to replace that wildcard certificate with a regular certificate that contains the EWS FQDN in either the subject or subject alternative name field.

OCS R2 Integration with Exchange 2010 OWA

Exchange 2010 includes the ability to add presence and IM integration right into the OWA experience.  This adds a number of handy features:

- Presence for internal and federated OCS contacts

- Ability to start and maintain chat sessions directly from OWA

- OCS contact list integration, including add/remove contacts and groups

- Ability to control your presence state from OWA

Now for some screenshots…

Presence integration including context menu additions:

 

Chat window and the ability to control multiple simultaneous chat sessions:

 

Your presence and presence control:

 

Contact list integration with groups and presence (the contact list is in the left pane below your folders):

 

 

Installation and configuration was fairly straight forward, only a few items to point out.  First of all, here’s the download link and link to documentation.  Right now there’s a missing link in the documentation for a UCMA update for Windows 2008 R2.  That update is part of the 968802 package here.  All you need for this integration is to apply the UCMARedist.msp update to your Exchange 2010 server.

Now, a few things to point out in terms of the integration process.  First, make sure to put the spaces in between each pair of characters in the IMCertificateSerialNumber web.config value.  If you don’t the integration won’t work and you’ll get an error in your event log:

Log Name:      Application
Source:        MSExchange OWA
Date:          11/12/2009 11:36:28 AM
Event ID:      87
Task Category: InstantMessage
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      excassrv1.corp.evangelyze.net
Description:
An exception was thrown while attempting to load the IM provider .dll file.

File: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\bin\Microsoft.Rtc.UCWeb.dll
The local certificate specified was not found in the store for local computer.

Next, when you run the command to add the InstantMessagingType value to your OWA virtual directory (Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS) you will get errors for any CAS servers that are not running Exchange 2010:

Property InstantMessagingType can't be set on this object because it requires the object to have version 0.10 (14.0.100.0) or later. The object's current version is 0.1 (8.0.535.0).
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-OwaVirtualDirectory], InvalidObjectOperationException
    + FullyQualifiedErrorId : 79956A7E,Microsoft.Exchange.Management.SystemConfigurationTasks.SetOwaVirtualDirectory

This can be safely ignored – the value will be set on Exchange 2010 servers.  If you want to be sure just run get-owavirtualdirectory –server <Ex2010CASSrvName> |fl where <Ex2010CASSrvName> is the name of your Exchange 2010 CAS Server.  Among the output you should see this: InstantMessagingType: Ocs

Lastly, the documentation doesn’t seem to be complete in the “Configure Office Communications Server” section.   You’ll need to add the FQDN of the certificate that you specified in the web.config as a trusted host to your OCS environment.  To do so, right click your pool and select Properties –> Front End Properties.  Click the Host Authorization tab and then click Add.  Add the FQDN of your CAS and check the “Throttle as server” and “Treat as authenticated” check boxes.

It will take a few minutes for your OCS front end(s) to pick up this change.  Depending on your level of impatience (mine is high) You can force it by restarting the front end service but this will disconnect all your users from OCS, so do this with caution if you are working in a production environment.

Lastly, in case you’re curious which user agent this connection uses, here you go:

That should do it.  The entire process took about 5 minutes and works perfectly.

WM 6.1 Outlook Mobile Update for Exchange 2010

I noticed today that even folks “in the know” are having a hard time finding the update to Outlook Mobile that supports some new features of Exchange 2010, so I thought I’d post it.  The update is included in Windows Mobile 6.5 (which I hope to have soon now that a bunch of new devices are out – most likely the HTC Pure, aka Touch Diamond2) but is also available on Windows Mobile 6.1 via download.  Here is the link:  https://update.outlook.com/cabs/OutlookLiveSetup.cab.

For an overview of the new features check out the videos here.  The most noticeable differences are the new view (which includes a conversation view, if you’re into that), and integrated UM playback.  The UM playback is great – no more downloading attachments and playing them in Windows Media anymore.  Everything is integrated right into the message.

Enjoy!

Exchange UM Fails to Validate Certificate

Last week I hit an issue where Play on Phone was not working.  After entering the phone number in the appropriate field, Outlook would try for 30 seconds and then give the generic error indicating that it could not connect to the UM server.  As a starting point I checked the URL that was being sent to the client (https://<CAS URL>/unifiedmessaging/service.asmx) to ensure there were no connectivity or certificate issues.  Everything checked out fine there.

Next I looked at the UM server and found an event 1113 with the following description:

The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the certificate that was presented by the remote server is not trusted. The error code was "-2146762487" and the message was "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider".

This particular customer has separate servers for the mailbox, hub transport, CAS, and UM roles.  Since the client connection goes through the CAS server this would indicate that the UM server was rejecting the certificate that was presented by the CAS server.  A quick check of the certificates on the CAS server via get-exchangecertificate showed the certificate that we expected, and we could successfully browse to the same /unifiedmessaging/service.asmx URL from the UM server without any issues.  A netmon trace further confirmed that the certificate presented to the UM server was the one we expected.  Despite all this, the CAS server insisted that it was not able to find a valid UM server:

Event Type: Warning
Event Source: MSExchange Unified Messaging
Event Category: Shell
Event ID: 1083
Description:
The Unified Messaging Web service was unable to process a "PlayOnPhone" request for user "Doe, John". The error was "A valid Unified Messaging server could not be found for dial plan NorthAmerica.".

Since the CAS server was configured with a Verisign certificate this really didn’t make sense, but for the sake of completeness I checked each certificate in the chain and verified that it existed in the UM server’s local computer certificate store.  What I found was that the Verisign root certificate was indeed in the Trusted Root Certification Authorities store but the intermediate CA, from which the CAS server’s certificate was issued, was not in the Intermediate Certification Authorities store.  This didn’t seem to cause any problems from IE but just to be safe I added the intermediate certificate into the store.  Sure enough, this caused UM to begin accepting the connections from the CAS server.

I haven’t had a chance to research whether or not this is documented/expected behavior but it’s certainly interesting to note this, especially as certificate vendors are beginning to use new 2048 bit based CAs.

Communicator Exchange Connection Issue

This week I noticed an issue with Communicator where all our users were getting an Exchange connection error:

Exchange connection error: Communicator could not retrieve calendar or Out of Office information from Exchange Web Services. Communicator will automatically continue to retry. If this problem persists, contact your system administrator.

This prevented out of office settings and free/busy presence from working.  Later, I heard from some folks that they were not able to set their out of office message in Outlook 2007.  When they clicked Tools/Out of Office Assistant they would receive:

Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.

Lastly, reports came in that clicking the scheduling assistant would crash Outlook.  A few tests indicated that these Outlook issues were affecting all users.  After checking all the standard Exchange Web Services items and finding no issue I came across KB 958934.  It turns out that the recent server updates that had been applied installed .Net Framework 3.5 SP1, and that was the root of the problem.  The actual fix is KB 952883, which unfortunately requires a call to MS Support.

Exchange 2007 UM SIP Integration with Mitel 3300

Rather than individually send out this Mitel document to everyone that asks for it on the forums I figured I'd just post it here for people to download.  I don't claim that this is the latest version or that it is accurate for all versions, etc., but since this document seems to have avoided all known search engines I've attached it here.  Also be aware that Microsoft has some Mitel configuration notes for other connectivity options.

Download MitelTechNoteForExchangeUM

Send/Receive never finishes

Today I finally decided to look into an issue that I'd noticed for some time.  In Outlook 2007 a manual send/receive (F9) would never complete. 

An Exchange task would forever say "Offline address book Connecting to Microsoft Exchange."  When I looked at Outlook's Connection Status the last line is "Synchronizing Views."  I decided to take a look at the IIS logs and found this:

2008-09-03 21:05:52 10.1.1.3 GET /OAB/3ebf24ed-43dc-4a50-a2a9-cc6ef51ebf84/oab.xml - 80 - 74.73.235.66 Microsoft+BITS/7.0 500 19 64 63

Indeed, browsing to that location returns a 500.19 Internal Server Error in IE.  While reviewing the root OAB folder in the file system (C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB\) I noticed a web.config file.  I checked another Exchange 2007 server and noticed that it did not have a web.config file in that location.  I moved the web.config to another location and that corrected the issue.

On a side note, this also corrects an issue with RSS feeds not updating automatically.

Exchange UM Certificates with OCS

While Exchange 2007's UM functionality is capable of integrating with OCS for voicemail, Exchange 2007 SP1 adds new options to more easily facilitate this integration.  The information to do so is outlined here.  As you can imagine, the certificate requirements add a new level of complexity for even experienced Exchange engineers.

When Exchange 2007 is installed, it generates a self-issued certificate for use with IIS, SMTP, and SIP (if you're using UM).  This certificate generally isn't ideal for Outlook and OWA clients because it's not trusted by any machines except for the Exchange server, and one of the first tasks to do is replace this certificate with one that is trusted by the user's machines.  Additionally, the certificate you use to replace it may not match the FQDN of the server since the server may be referenced by a more generic name (for example, mail.domain.com) to make it an easy to remember OWA address.  However, one of the requirements of UM/OCS connectivity is that the certificate used for UM exactly match the FQDN of the server so that MTLS is successful.  For MTLS to be successful, the certificate must be trusted by the OCS server(s).  This means you must either import the self-signed Exchange certificate to each OCS server or replace it with one that is trusted.  Most customers will want to use a certificate that is automatically trusted by OCS.  To do this, create a new certificate to be used by Exchange (outlined towards the bottom of this article) and then use the Enable-ExchangeCertificate cmdlet to assign it to the UM service.  Once this is complete and you've followed all the other steps for UM integration you should be all set.