I was setting up OWA/Lync integration in my lab and ran into an interesting issue. After completing all the necessary steps, I logged into OWA as a test user and got the following error message: "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available."
This error typically means one of two things: either you didn't complete all the steps required for the integration, or you have a certificate issue. Since I knew I had completed all the required steps, I started looking into a possible certificate issue. After verifying that the CAS array name was listed on the certificate bound to IIS on the CAS Server, and that the CAS Server and the Lync Front End Server trusted each other's certificates, I turned to logging to see if I could figure out what was wrong.
I ran a SIPStack trace on the Front End Servers to see if I could spot where the error was coming from. After logging back into OWA and opening the log in Snooper, I saw the following:
TL_ERROR(TF_CONNECTION) 0AC0.1278::12/20/2011-20:45:01.704.000003ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))
$$begin_record
LogType: connection
Severity: error
Text: The peer is not a configured server on this network interface
Peer-IP: 172.16.3.11:15365
Transport: TLS
Result-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
Data: fqdn="deitterick.com"
$$end_record
As the Data field of the record shows, the Lync Front End Server is rejecting the connection from the CAS Server (172.16.3.11) because it has no trusted server object in the topology named "deitterick.com". Looking in Topology Builder, you can see that I created a trusted application pool for "mail.deitterick.com", my CAS array name, and that I defined "LAB-EX2010.lab.deitterick.com", my CAS Server name, under it as well:
The above looks correct, so why does the Lync Front End Server think that the connection is coming from "deitterick.com" instead of "mail.deitterick.com"? I next looked at the certificate on the Exchange CAS Server that I was using for IIS. As you can see below, the subject name is "deitterick.com"!
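To confirm a mismatch like this without reading raw trace records by hand, here is an added PowerShell example (mine, not code from the original post) that pulls the peer IP and the presented FQDN out of any SIPStack record carrying SIPPROXY_E_CONNECTION_UNKNOWN_SERVER and checks that FQDN against the names the topology knows about. The trace record below is constructed from the one quoted above, the trusted-name list is a stand-in for what Get-CsTrustedApplicationPool and Get-CsTrustedApplicationComputer return in a live deployment, and the property names in that comment are assumed from the Lync Server 2010 cmdlet output.

```powershell
# Added example, not part of the original post.
# Extracts rejected peers from an exported SIPStack trace (Snooper or the raw
# OCSLogger .log) and checks the presented FQDN against trusted names.

function Get-RejectedPeer {
    param([Parameter(Mandatory)][string[]]$TraceLines)

    foreach ($line in $TraceLines) {
        # Only the "unknown server" connection records matter here.
        if ($line -notmatch 'SIPPROXY_E_CONNECTION_UNKNOWN_SERVER') { continue }

        $peer = if ($line -match 'Peer-IP:\s*(?<ip>[^:\s]+):(?<port>\d+)') { $Matches.ip } else { $null }
        $fqdn = if ($line -match 'fqdn="(?<fqdn>[^"]+)"') { $Matches.fqdn } else { $null }
        $code = if ($line -match 'Result-Code:\s*(?<code>0x[0-9a-fA-F]+)') { $Matches.code } else { $null }

        [pscustomobject]@{
            PeerIP        = $peer
            PresentedFqdn = $fqdn   # the certificate subject name the Front End Server saw
            ResultCode    = $code
        }
    }
}

function Test-TrustedPeer {
    param(
        [Parameter(Mandatory)][string]$PresentedFqdn,
        [Parameter(Mandatory)][string[]]$TrustedFqdns
    )
    # The whole presented name must match a pool or computer FQDN (case-insensitive);
    # a SAN entry such as mail.deitterick.com does not help when the subject is deitterick.com.
    return ($TrustedFqdns -contains $PresentedFqdn)
}

# Constructed sample record, modeled on the one quoted in the post (one record per line).
$sampleTrace = @(
    'TL_ERROR(TF_CONNECTION) 0AC0.1278::12/20/2011-20:45:01.704.000003ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_recordLogType: connectionSeverity: errorText: The peer is not a configured server on this network interfacePeer-IP: 172.16.3.11:15365Transport: TLSResult-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVERData: fqdn="deitterick.com"$$end_record'
)

# Names the topology knows about. Constructed here; in the Lync Server Management
# Shell build the list from the topology instead (property names assumed):
#   $trusted = @(Get-CsTrustedApplicationPool | ForEach-Object { $_.PoolFqdn }) +
#              @(Get-CsTrustedApplicationComputer | ForEach-Object { $_.Identity })
$trusted = @('mail.deitterick.com', 'LAB-EX2010.lab.deitterick.com')

Get-RejectedPeer -TraceLines $sampleTrace | ForEach-Object {
    if (Test-TrustedPeer -PresentedFqdn $_.PresentedFqdn -TrustedFqdns $trusted) {
        "{0} presented '{1}': known to the topology" -f $_.PeerIP, $_.PresentedFqdn
    } else {
        "{0} presented '{1}' ({2}): no trusted application pool or computer with that name" -f $_.PeerIP, $_.PresentedFqdn, $_.ResultCode
    }
}
```

Point the script at `Get-Content` of an exported trace instead of `$sampleTrace` to run it against a real log; a peer that is reported as unknown is either not in the topology at all or is presenting a certificate whose subject name differs from the name you gave the pool.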
That is the problem. When the CAS Server opens its MTLS connection, the Lync Front End Server takes the subject name from the certificate the CAS presents and looks that name up among the trusted application pools and trusted application computers in the topology. It does not consult the subject alternative names, so the fact that "mail.deitterick.com" is listed on the certificate does not help: the Front End Server looks for a trusted application pool named "deitterick.com", finds none, and rejects the connection with SIPPROXY_E_CONNECTION_UNKNOWN_SERVER. There are two options to resolve this. The first is to reissue the certificate on the Exchange CAS Server with the CAS array name as the subject name. The second is to change the trusted application pool name to match the certificate subject name. Unfortunately you can't just edit the pool name in Topology Builder: you have to delete the trusted application pool from the topology, publish the topology, and then create the new trusted application pool and the trusted application again. Of the two, reissuing the certificate is the cleaner fix, because the pool name then keeps matching the FQDN that actually identifies the CAS array; renaming the pool makes the bare domain name the identity that Lync trusts.
The second option is the one that I chose, and after changing the trusted application pool name:
I published the topology, created the trusted application again, and now when I log into OWA, IM integration works:
So the important thing to remember when setting up OWA/Lync integration is that when you create the trusted application pool in Topology Builder, you must use the subject name (not a SAN entry) of the certificate bound to IIS on your CAS Server(s).
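The check and the rebuild described above, as an added PowerShell example (mine, not the original post's code). The first half runs in the Exchange Management Shell on the CAS and reports the subject name Lync will match on, next to the SAN entries it will not. The second half runs in the Lync Server Management Shell and does from the command line what the post did in Topology Builder: remove the old pool and application, recreate them under the certificate subject name as a multiple computer pool, and publish. The Registrar pool, site ID, application ID and port are placeholders, not values from the post; substitute your own.

```powershell
# Added example, not part of the original post.
# Part 1: Exchange Management Shell on the CAS. Which name does Lync see?
function Get-IisCertificateSubjectName {
    # Returns the CN of every certificate that has the IIS service enabled.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object {
            $cn = if ($_.Subject -match '(?i)CN=(?<cn>[^,]+)') { $Matches.cn.Trim() } else { $_.Subject }
            [pscustomobject]@{
                Thumbprint  = $_.Thumbprint
                SubjectName = $cn                                   # what Lync matches on
                SanNames    = ($_.CertificateDomains -join ', ')    # ignored by the match
            }
        }
}
Get-IisCertificateSubjectName | Format-Table -AutoSize

# Part 2: Lync Server Management Shell on a Front End Server.
$oldPoolFqdn = 'mail.deitterick.com'               # pool created with the CAS array name
$newPoolFqdn = 'deitterick.com'                    # must equal SubjectName from Part 1
$casServers  = @('LAB-EX2010.lab.deitterick.com')  # CAS FQDNs Lync should accept traffic from
$registrar   = 'lync-fe.lab.deitterick.com'        # placeholder: your Registrar pool FQDN
$siteId      = 1                                   # placeholder: Get-CsSite shows the SiteId
$appId       = 'OutlookWebApp'                     # placeholder application ID
$port        = 5199                                # placeholder port for the trusted application

# Topology Builder cannot rename a pool, so remove the application and the pool...
Get-CsTrustedApplication |
    Where-Object { $_.TrustedApplicationPoolFqdn -eq $oldPoolFqdn } |
    Remove-CsTrustedApplication
Remove-CsTrustedApplicationPool -Identity $oldPoolFqdn -Force

# ...recreate them under the certificate subject name as a multiple computer pool
# whose members are the CAS servers...
New-CsTrustedApplicationPool -Identity $newPoolFqdn -Registrar $registrar -Site $siteId `
    -ComputerFqdn $casServers[0] -ThrottleAsServer $true -TreatAsAuthenticated $true
foreach ($cas in ($casServers | Select-Object -Skip 1)) {
    New-CsTrustedApplicationComputer -Identity $cas -Pool $newPoolFqdn
}
New-CsTrustedApplication -ApplicationId $appId -TrustedApplicationPoolFqdn $newPoolFqdn -Port $port

# ...and publish, which is what "Publish topology" does in Topology Builder.
Enable-CsTopology
```

If Part 1 already shows the CAS array name as the SubjectName, skip Part 2: the pool name from the post's first option is correct and the problem lies elsewhere (for example trust of the issuing CA on one side).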
Hi Doug, great information. I'm running into this issue right now. My question is, what were the commands you used to do this? I can create the pool name no problem using the cert that is registered, but how did you create the sub-app below deitterick.com?
In my case, I have a public cert on my internal exchange server with the public name mail.domain.com. But the internal FQDN is exch.hq.domain.com. Since IIS has the public FQDN, my trace shows the exact same error you have above.
Thanks in advance.
Thanks for the feedback! When you talk about "sub-app", are you talking about the image above that shows my CAS Server (LAB-EX2010.lab.deitterick.com)? If so, that gets created via Topology Builder. When you create the Trusted Application Pool, you want to pick "Multiple computer pool". That will allow you to list your CAS Server(s).
Hi Doug, I recently had this issue. When I ran a trace, it was getting the OWA public address name rejected. I had to add this FQDN to the trusted pool. I know now, because of you, that it was rejecting this address because it was on the cert SN.
Thank you very much Doug. This helped me fix the issue I was experiencing in my lab.
If one of my CAS servers is down due to a hardware issue, do I need to change the Trusted application pool name before I bring the crashed CAS back online?
No, if you have multiple CAS Servers, the Trusted application pool name would be the CAS array FQDN. Listing the CAS Servers under that is telling Lync what FQDNs to accept traffic from.