Don’t Forget Lync when you update your Exchange Certificates

June 2, 2012 · 0 comments

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

We had been on our new Exchange 2010 environment for almost a year when we decided to add Lync 2010 to the mix.  For this effort we used an outside consulting firm, and while I do not mean to discredit third-party integrators the fact of the matter is that they do not take the time and effort to provide their customers with sufficient information  and training to continue service/support of the applications they leave behind.

Case in point.  After a few months of successful bliss, our users started to complain that Outlook Web App (OWA) would no longer work with Lync.  What they got was the following error message.

We did the first thing any IT group would do and that was to ask ourselves, “what have we changed recently?”  The first thing that came to mind was a new CAS server.  However, it was not yet introduced into our load balancer for the existing CAS array of servers.  Since it was not yet production ready, we temporarily took it out just in case.  That made no difference as expected.

The next idea was to go back further in time to identify changes.  That is when one of my senior administrators asked about the recent renewals of our Exchange SAN certificates.  But we knew we had installed them correctly as all of the services (OWA, ActiveSync,RPC over HTTPS and so forth) were working correctly as well as the Lync clients.  But it was an interesting thought and one I decided to pursue.  Well, turns out that was a good move.  In reading how Lync 2010 integrates with Exchange 2010, I found that there are some settings that connect the two and that this can only be done through the Exchange Management Shell (EMS).
Our missing element was to identify the new SAN certificate on the CAS server with the Instant Messaging certificate used to communicate with Lync.  We assumed, like most administrators, that when the certificate was installed on the CAS servers that the system would update this automatically.  In fact, you must specifically identify the certificate by it’s thumbprint and set the integration value manually on each CAS server.

Here is what you need to do:

  1. Open EMS
  2. Run the command “Get-ExchangeCertificate”
  3. Copy the text of the thumbprint of you SAN certificate
  4. Run the command “Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint <certificate thumbprint from step #3>

On each CAS server:

  1. Open a command prompt window as an administrator
  2. Run the command “iisreset”

That’s it.  Once IIS has been reset on all of the CAS servers, the OWA clients will find the Lync 2010 contacts and your users will be up and running.  They do not need to restart OWA, close their browsers or take any action.  OWA continues to retry the connection and will re-establish the connection to Lync without any user interaction required.

Enhanced by Zemanta

Article by Steve Van Domelen

Steve has written 47 awesome articles.

Previous post:

Next post: