Remotely configure a certificate after importing the new certificate to your Exchange Servers

Scenario:  You imported a new certificate to your Exchange servers and want to configure it on each server remotely.  There is OWA/Lync integration, so the thumbprint of the old certificate must be replaced with the thumbprint of the new certificate in the IMCertificateThumbprint property of each server's OWA web.config file.

Scriptlets:

Declare your variables for the servers and for the thumbprints of the old and new certificate.

#Declare Variables
$OldCert = "B8FE4323EEdAAB31258C2F44283001004EEACB23"
$NewCert = "A8E457DE801F7831317C2F5F5450007EA238DDE3"
$Servers = Get-ExchangeServer Ex* | Select-Object -ExpandProperty Name

We will also back up the web.config file in case a mistake is made.

#Backup web.config from each server and save it locally (UNC path via the admin C$ share)
$Servers | %{
"Copying $_"
MD "C:\Temp\WebConfig\$_"
Copy-Item "\\$_\c$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config" "C:\Temp\WebConfig\$_"
}

Because OWA/Lync integration exists, we need to modify the IMCertificateThumbprint key in the OWA web.config file so that the old thumbprint is overwritten with the new one.

#Edit the web.config on each server
#Note: the variables must be outside single quotes, otherwise the literal text '$OldCert' is searched for and nothing is replaced
$Servers | Sort-Object | %{
"Editing web.config for $_"
$WebConfigFile = "\\$_\c$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config"
(Get-Content $WebConfigFile -Raw).Replace($OldCert, $NewCert) | Set-Content $WebConfigFile
}

Enable the services on the new certificate.

#Enable IIS, SMTP, UM and UMCallRouter on the new certificate
$Servers | %{
Enable-ExchangeCertificate -Server $_ -Thumbprint $NewCert -Services IIS,SMTP,UM,UMCallRouter -Force -Confirm:$false
}

Finally, restart IIS and the UM services on each server.

#Restart IIS and the UM services
$Servers | %{
iisreset $_
Get-Service MSExchangeUM* -ComputerName $_ | Restart-Service
}
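The scriptlets above do the job, but a plain string replace silently does nothing when the old thumbprint is not in the file, and nothing checks that the new certificate actually exists on the target server before the services are rebound to it. The following is an added example (not code from the original post) that runs the same procedure end to end with those checks: it validates the new certificate on each server, takes a timestamped backup, edits the IMCertificateThumbprint key as XML, and only then enables the services and restarts IIS/UM. It assumes the Exchange Management Shell is loaded and that the admin C$ share on each server is reachable; the thumbprints and the Ex* server filter are the same values used in the post.

```powershell
# Added example: robust version of the remote web.config thumbprint update.
# Assumptions: Exchange Management Shell loaded, C$ share reachable on each server.
$OldCert = 'B8FE4323EEdAAB31258C2F44283001004EEACB23'
$NewCert = 'A8E457DE801F7831317C2F5F5450007EA238DDE3'
$Servers = Get-ExchangeServer Ex* | Select-Object -ExpandProperty Name

$RelativePath = 'c$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config'
$BackupRoot   = "C:\Temp\WebConfig\$(Get-Date -Format yyyyMMdd-HHmmss)"

foreach ($Server in ($Servers | Sort-Object)) {
    $WebConfig = "\\$Server\$RelativePath"

    # 1. Refuse to touch a server unless the new certificate is present and not expired there.
    $Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewCert -ErrorAction SilentlyContinue
    if (-not $Cert) {
        Write-Warning "$Server : certificate $NewCert not found, skipping"
        continue
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$Server : certificate $NewCert expired on $($Cert.NotAfter), skipping"
        continue
    }

    # 2. Timestamped backup so a bad edit can be rolled back per server.
    $BackupDir = Join-Path $BackupRoot $Server
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Copy-Item $WebConfig $BackupDir

    # 3. Edit the IMCertificateThumbprint key as XML. Fail loudly if the key is missing
    #    or holds a value other than the old thumbprint, instead of silently doing nothing.
    $Xml = New-Object System.Xml.XmlDocument
    $Xml.PreserveWhitespace = $true      # keep the file's original layout on save
    $Xml.Load($WebConfig)
    $Key = $Xml.configuration.appSettings.add | Where-Object { $_.key -eq 'IMCertificateThumbprint' }
    if (-not $Key) {
        Write-Warning "$Server : IMCertificateThumbprint key not present in web.config, skipping"
        continue
    }
    if ($Key.value -ne $OldCert) {       # -ne is case-insensitive, matching how thumbprints are compared
        Write-Warning "$Server : IMCertificateThumbprint is '$($Key.value)', expected '$OldCert', skipping"
        continue
    }
    $Key.value = $NewCert
    $Xml.Save($WebConfig)

    # 4. Bind the services to the new certificate, then restart IIS and the UM services,
    #    as in the post. -Force suppresses the prompt about replacing the default SMTP certificate.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $NewCert -Services IIS,SMTP,UM,UMCallRouter -Force -Confirm:$false
    iisreset $Server
    Get-Service -Name 'MSExchangeUM*' -ComputerName $Server | Restart-Service

    "$Server : IMCertificateThumbprint updated to $NewCert (backup in $BackupDir)"
}
```

Each server is processed independently, so a server that fails a check is skipped with a warning and the others still get updated; the backup directory name in the final line tells you where to restore from if the new certificate turns out to be wrong.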


Integrate Exchange 2013 OWA and Lync

Scenario:  Integrate Exchange 2013 OWA and Lync. The steps below are from the Exchange perspective.

Steps:

1. Configure the partner application between Exchange and Lync by running the script shipped with Exchange:

& 'C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Configure-EnterprisePartnerApplication.ps1' -AuthMetaDataUrl 'https://atl-cs-001.litwareinc.com/metadata/json/1' -ApplicationType Lync

2.  Configure the OWA virtual directories to enable instant messaging and set OCS as the instant messaging type. Note: instant messaging should already be enabled, but InstantMessagingType is set to None by default.

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $True -InstantMessagingType OCS

3.  Copy the thumbprint of the certificate you are using for Exchange by running:

Get-ExchangeCertificate -Server Srv2013CM1

4. Add the following two keys under the <appSettings> section of the web.config file located in C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OWA on each of the backend servers.

<add key="IMCertificateThumbprint" value="EA5A332496CC05DA69B75B66111C0F78A110D22d"/>
<add key="IMServerName" value="atl-cs-001.litwareinc.com"/>

5. Recycle the MSExchangeOWAAppPool:

C:\Windows\System32\Inetsrv\Appcmd.exe recycle apppool /apppool.name:"MSExchangeOWAAppPool"


If you use Outlook Web App policies:

You will also have to enable instant messaging and set the InstantMessagingType to OCS on the policies. By default, no policy is assigned to any user, so every user uses the settings of the OWA virtual directory.  Once a policy is assigned, its settings override those set on the virtual directory.

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $True -InstantMessagingType "OCS"
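Steps 2 to 5 and the policy note touch three places that must agree for OWA IM to work: the web.config keys on every backend server, the certificate actually bound to IIS on that server, and the IM settings on the virtual directories and mailbox policies. The script below is an added example (not part of the original post) that reports all three side by side so a mismatch on a single server stands out. It assumes the Exchange Management Shell and reachable C$ shares; $ExpectedImServer is an assumed value taken from the example above and should be replaced with your own Lync front-end FQDN.

```powershell
# Added example: verification report for the OWA/Lync integration settings.
# Assumptions: Exchange Management Shell loaded, C$ share reachable on each Mailbox server.
$ExpectedImServer = 'atl-cs-001.litwareinc.com'   # assumed value, replace with your Lync FQDN

# ClientAccess\Owa\web.config lives on the backend (Mailbox role) servers.
$BackendServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' } | Sort-Object Name

$Report = foreach ($Server in $BackendServers) {
    $WebConfig = "\\$($Server.Name)\c$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config"
    if (-not (Test-Path $WebConfig)) {
        Write-Warning "$($Server.Name): web.config not reachable at $WebConfig"
        continue
    }

    # Read every <add key="..." value="..."/> under <appSettings> into a hashtable.
    [xml]$Xml = Get-Content $WebConfig
    $Settings = @{}
    foreach ($Add in $Xml.configuration.appSettings.add) { $Settings[$Add.key] = $Add.value }

    # Thumbprints of the certificates that are actually bound to IIS on this server.
    $IisThumbprints = Get-ExchangeCertificate -Server $Server.Name |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object -ExpandProperty Thumbprint

    [pscustomobject]@{
        Server               = $Server.Name
        IMServerName         = $Settings['IMServerName']
        IMServerNameOK       = ($Settings['IMServerName'] -eq $ExpectedImServer)
        IMCertThumbprint     = $Settings['IMCertificateThumbprint']
        ThumbprintBoundToIIS = ($IisThumbprints -contains $Settings['IMCertificateThumbprint'])
    }
}
$Report | Format-Table -AutoSize

# Virtual directory settings apply to users without a policy; an assigned policy overrides them,
# so both must show InstantMessagingEnabled = True and InstantMessagingType = Ocs.
Get-OwaVirtualDirectory | Format-Table Server, InstantMessagingEnabled, InstantMessagingType -AutoSize
Get-OwaMailboxPolicy    | Format-Table Name, InstantMessagingEnabled, InstantMessagingType -AutoSize
```

A row with ThumbprintBoundToIIS set to False is the usual cause of IM silently not working after a certificate renewal: the web.config still names the old thumbprint while IIS now presents the new certificate. Thumbprint comparisons here are case-insensitive, so mixed-case values pasted from the certificate store still match.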


More instructions can be found here.

Exchange server is unavailable error from a CX 600 Lync Phone

Error:  "Exchange server is unavailable" error on a CX600 Lync Phone
Synopsis: This error is expected, regardless of which Lync Phone Edition device you use: Information Worker (Aastra 6725ip, HP 4120 and Polycom CX600) or Common Area devices that support "PIN and Extension Login". This is because the authentication method actually used when a PIN and extension login is performed is the new Lync TLS-DSK, a kind of certificate-based (Derived Session Key, DSK) authentication.

TLS-DSK is not supported by the Exchange web services (EWS, UM, OAB, etc.). So a device that only holds a Derived Session Key (and not the full AD user credentials needed for, e.g., NTLM authentication, which the Exchange web services do support) will never be able to log on to Exchange until Exchange also supports TLS-DSK.

When tethering an Information Worker phone via USB, you provide your full AD user credentials to the device (through a Lync client pop-up dialog). These credentials allow the device to use NTLM authentication when it logs into the Exchange web services. The same applies if you use a Tanjay (CX700 or LG-Nortel IP8540) and enter your full credentials on the full QWERTZ keyboard on the touch display. But whether you use the devices or the Lync client itself, all of them support TLS-DSK, because it is the only authentication method that works without a DC (domain controller) available. In outage or SBA (branch survivability) scenarios, TLS-DSK continues to work, while NTLM and Kerberos stop until a DC becomes available again.

Resolution: Plug the Lync phone's USB port into a computer running the Lync client and enter your AD credentials when prompted. The USB cable can then be unplugged, since the AD credentials are now cached on the Lync phone.