Certificate interaction on Exchange 2007 Availability Service & OCS Communicator
Hello Team,
I have an issue at one of my customers with Exchange 2007 Autodiscover, Availability Services and OCS Communicator interaction. Stuff like Out Of Office, Free/Busy,... is not working for all users; the OCS 2007 R2 Communicator client is complaining about "Exchange Connection Error".
After investigating, I may have found the cause of all this, but wanted to double-check with you if my assumptions are correct:
The SSL certificate has the following information: Common name: mail.company.com + additional SAN names: autodiscover.company.com, owa.company.com and mail.company.com again
* Users connecting to Outlook Web Access use "owa.company.com", and this works fine. All Exchange Web Service URLs (internalURL and externalURL) as well as the internalUri SCP are referring to "owa.company.com".
* Testing Outlook Autodiscover using "test emailautoconfiguration" works fine; autodiscover is OK.
When tracing the OCS Communicator interaction with Exchange, using Fiddler, I discovered it "blocks" when connecting to "mail.company.com"; I assume this is because the Exchange URLs are not referring to mail.company.com but to owa.company.com.
My question is: can Exchange Availability Service and Autodiscover only work with the common name of the certificate, without checking the SAN names? If so, I can modify the internalURL and externalURL as well as the internalUri SCP to "mail.company.com", if my webmail can still make use of owa.company.com without prompting with an SSL error in the browser. I assume it works for the browser.
Or is there something else misconfigured on the Availability Service, and should it work with the SSL certificate SAN names as well?
Kind regards, Peter
August 11th, 2010 11:10am

Continuing on the above issue... I updated my client with Communicator Hotfix 2028888 (Oct 2009). When starting OCS Communicator now, the "Exchange Connection Error" is replaced by "Outlook Integration Error". Another strange thing happening is that my OCS Communicator gives multiple popups for authentication, using several URLs (NetBIOS name of mailbox server, autodiscover.company.com, mail.company.com), but no matter how many times I try entering the user and password, it gives no solution. After 5 attempts for authentication, it stops but the exclamation mark in OCS stays. I hope this sheds new light on the issue.
Kind regards, Peter
August 11th, 2010 12:43pm

A new update... after modifying all Exchange URLs and the Autodiscover SCP to "mail.company.com", the CN of my SSL cert, the OCS Communicator keeps complaining again with "Exchange Connection Error". Full details are "Communicator could not retrieve calendar or Out of Office Information from Exchange Web Services. Communicator will automatically continue to retry. If this problem persists, contact your system administrator".
Any help is appreciated.
Peter
August 16th, 2010 1:47pm

Hi Peter,
I have noted your update from today, but let's try to start by addressing your original inquiries to see if this will shed any light.
To answer the initial question "Does Exchange EWS and Autodiscover work only with the common name": the answer is no. SAN names are perfectly acceptable and will be used by Exchange, as IIS handles this side of the connection for these services. Exchange itself does not check for SAN versus Common Name.
One thing to note is that you seem to indicate that mail.company.com is the common name, but is the last name listed in the SAN portion. We recommend the common name always be listed as a SAN, and always be the *first* SAN listed in the certificate. Generally this is due to issues with ISA 2006 (which you have not indicated you use, but we still recommend as a general practice) as discussed here: http://blogs.technet.com/b/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx
The second question was whether changing the internalURL, externalURL, and internalURI SCP to mail.company.com would still allow use of owa.company.com for OWA without SSL errors. The answer is yes. IE also makes full use of the SANs listed in the cert, and Exchange itself does not care where you're connecting from - this is an IIS-side function. Keep in mind, however, that any non-domain-joined Outlook client will still search for company.com/autodiscover/autodiscover.xml and autodiscover.company.com/autodiscover/autodiscover.xml first, and if it receives a response will use it, even if the cert doesn't match - meaning an error for your end-user.
Lastly, in regards to the "Communicator could not retrieve calendar or Out of Office Information from Exchange Web Services. Communicator will automatically continue to retry. If this problem persists, contact your system administrator" error:
- Try connecting to https://owa.company.com/ews/exchange.asmx from a browser. If you do not get a certificate error, your certificate is fine. If you do, you'll need to resolve that first.
- Try checking free/busy and OOF via Outlook 2007 or higher. This will ensure the EWS service is running (which handles availability and OOF).
Thanks, Kevin Ca - MSFT
August 17th, 2010 2:56am
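
Added example (not part of the original thread, and not Microsoft's code): the name checks described in the reply above, run in Python over the certificate names quoted in the first post. The host list, the wildcard handling and the NetBIOS name `EXMBX01` are assumptions made for illustration.

```python
# Added example: which client-facing hostnames does the certificate cover?
# Names are the ones quoted in the thread; EXMBX01 is a made-up NetBIOS name.

def name_matches(pattern, host):
    """Hostname match in the style of RFC 6125: case-insensitive, and '*'
    is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(common_name, sans, hosts):
    """Report per-host coverage plus the CN/SAN ordering advice."""
    # RFC 2818: when dNSName SANs exist they are the identity; CN is a fallback.
    names = sans or [common_name]
    cn = common_name.lower()
    return {
        "covered": {h: any(name_matches(n, h) for n in names) for h in hosts},
        "cn_in_san": cn in [s.lower() for s in sans],
        "cn_first_san": bool(sans) and sans[0].lower() == cn,
    }


# Constructed input, taken from the names given in the thread.
CERT_CN = "mail.company.com"
CERT_SANS = ["autodiscover.company.com", "owa.company.com", "mail.company.com"]
HOSTS = [
    "owa.company.com",           # OWA and the original EWS URLs
    "mail.company.com",          # URLs after the change to the CN
    "autodiscover.company.com",  # Autodiscover lookup
    "company.com",               # first lookup by non-domain-joined Outlook
    "EXMBX01",                   # hypothetical NetBIOS name of the mailbox server
]

if __name__ == "__main__":
    report = audit(CERT_CN, CERT_SANS, HOSTS)
    for host, ok in report["covered"].items():
        print(f"{host:28} {'covered' if ok else 'NAME MISMATCH'}")
    print("CN listed as SAN:", report["cn_in_san"])
    print("CN is first SAN: ", report["cn_first_san"])
```

Any host reported as a mismatch is one where a client that reaches it over HTTPS will see a certificate name error, independent of the Exchange URL settings.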

Hello Kevin,
Thanks for the detailed feedback. I was away on holiday, so couldn't provide you with any feedback. Sorry for that. In the meantime, most topics are already cleared out; however, not all is working fine.
a) I found out EWS and Autodiscover can indeed work with SAN names as well; this works fine.
b) No ISA 2006 in use, so I don't care about the order of the SAN entries for the moment.
c) Connecting to https://owa.company.com/ews/exchange.asmx works fine without SSL error (I see the XML data); I needed to provide my credentials upfront, but I assume this is normal.
Error in OCS Communicator is still existing though. Free/Busy and Out Of Office are also not working. What can I do to investigate this further? All internal/externalURL and URI settings are fine.
Thanks, Peter
September 6th, 2010 10:21am

Did you ever get this situation solved? I am still having this problem as well!
March 9th, 2011 1:41pm

You are not alone. We started having this problem after one of our monthly patching efforts. I have not been able to determine exactly what patch it was. Seems like it started happening some time in December 2010. We used to have no problems with running the OCS client outside of our network using ISA 2006. We now get the "Communicator could not retrieve calendar or ...." message.
March 18th, 2011 8:56am

This topic is archived. No further replies will be accepted.
