Problems with Lync and Exchange EWS integration

Hi!

I've been spending the last week or two trying to get Lync and Exchange to play together nicely over EWS and using autodiscover etc. I've been all over this forum and others reading similar threads but still haven't found anything that solves this problem for me. Therefore I'm asking for your assistance in my particular case and would be very grateful for any advice.

The case is that Lync clients on PCs are saying "EWS not deployed" and Lync mobile apps on iPhone are not able to connect to the Exchange server to get information regarding meetings.

Today I think I may have found the cause, although I can't understand why..

While following the Troubleshooting in the "Understanding and Troubleshooting Microsoft Exchange Server Integration" white paper I ran the cmdlet Test-WebServicesConnectivity

This resulted in:

Error                       : [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure.

While a "Test-WebServicesConnectivity -TrustAnySSLCertificate" of course doesn't generate an error.

Now I do have a third party certificate for the Exchange 2010 server which has seemed to work just fine! It's got my mail.primarydomain.com as CN and autodiscover.primarydomain.com as a SAN entry. I've got the A record in my DNS pointing autodiscover.primarydomain.com to my Exchange 2010 server (This is a single server setup). I've also added SRV records for autodiscover but that didn't help.

https://www.testexchangeconnectivity.com finds and connects using Autodiscover successfully even when using SSL.

Results of Get-ExchangeCertificate:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.primarydomain.com, autodiscover.primarydomain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
NotAfter           : 2013-05-02 09:22:20
NotBefore          : 2011-05-02 09:22:25
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : xxxxxxxxxxxxxxxxxxxxx
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.primarydomain.com, O=mail.primarydomain.com, OU=Domain Control Validated, C=SE
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


(Regarding Lync certs, they are still only signed by our CA and internally trusted as I was hoping to get everything up and running before replacing them with third party certs. )

Any pointers or ideas? Thank you for your time!

Best Regards,

Jimmy Beckman

April 16th, 2012 4:02pm

I forgot one important thing. The HKCU\Software\Microsoft\Communicator\[User SMTP Address]\Autodiscovery key is missing. It has never been created on the client PCs.

Above mentioned white paper from Microsoft says this is likely because of one of these reasons:

  • Lync was unable to locate a valid DNS A record or SRV record for the Autodiscover site
  • Lync successfully resolved one of the hard-coded Autodiscover DNS values but was unable to contact the site (for instance, because of an invalid IP address or invalid reverse proxy publishing rule)
  • Certificate assigned to Autodiscover site is not trusted by the Lync workstation

Now, my DNS records should be correct, and the certificate too as far as I can see?

  • Proposed as answer by saeid64 Sunday, June 17, 2012 11:13 AM
April 16th, 2012 4:58pm
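
The three causes quoted from the white paper in the post above can be checked one at a time from a Lync workstation. The following is an added example, not part of the original thread or of the white paper: the function name Test-AutodiscoverEndpoint is hypothetical, the host name is the placeholder used in this thread, and only the A-record path is checked (not the SRV record).

```powershell
# Added example. Run it on the Lync client PC, because certificate trust is
# evaluated against that machine's own root store.
function Test-AutodiscoverEndpoint {
    param(
        [string]$HostName = 'autodiscover.primarydomain.com',  # placeholder from this thread
        [int]$Port = 443
    )
    $r = [ordered]@{ Name = $HostName; Resolves = $false; Reachable = $false
                     CertTrusted = $false; PolicyErrors = $null; Subject = $null; Issuer = $null }

    # Cause 1: no usable DNS record for the Autodiscover name.
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); $r.Resolves = $true }
    catch { return [pscustomobject]$r }

    # Cause 2: the name resolves but the site cannot be contacted.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, $Port); $r.Reachable = $true }
    catch { $tcp.Close(); return [pscustomobject]$r }

    # Cause 3: the certificate is not trusted by this workstation.
    # The callback lets the handshake finish only so the validation errors can
    # be reported; no application data is sent over the connection.
    $script:adPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        $script:adPolicyErrors = $sslPolicyErrors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject      = $cert.Subject
        $r.Issuer       = $cert.Issuer
        $r.PolicyErrors = $script:adPolicyErrors
        # Trusted only if the chain builds to a local root AND the name matches.
        $r.CertTrusted  = ($script:adPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    catch { $r.PolicyErrors = $_.Exception.Message }
    finally { $ssl.Dispose(); $tcp.Close() }
    [pscustomobject]$r
}

Test-AutodiscoverEndpoint
```

A PolicyErrors value of RemoteCertificateNameMismatch points at the CN/SAN entries, while RemoteCertificateChainErrors points at a root or intermediate CA missing from the workstation's store.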

Hi Jimmy,

Try whether assigning the UM service to the certificate solves the issue you have.

I assume you run the UM Integration ps1 on Exchange and the UmUtil on Lync server.

Regards,

Jan

April 16th, 2012 5:01pm

Thanks for the answer. No, I haven't done anything of the above. We are not (yet) using Lync for telephony/voice. Does this still apply?
April 16th, 2012 5:06pm

Hi Jimmy,

Sorry, missed that part...

No, this only needs to be done for Exchange UM, when voice is used.

Regards,

Jan


  • Edited by Jan_Pete Monday, April 16, 2012 2:19 PM
April 16th, 2012 5:10pm

Can you verify that the data presented by the autodiscover url is valid?

http(s)://yourexchangeautodiscoverurl/AutoDiscover/AutoDiscover.xml

The response should look similar to: http://msdn.microsoft.com/en-us/library/bb204082(v=EXCHG.80).aspx

Those URLs would need to be accessible externally.  You can also test the autodiscover URL from your mobile device to check to see if that device trusts the cert.

April 17th, 2012 8:25pm

Hi Jimmy,

It may also be due to a DNS resolution issue for autodiscover.

Lync will use DNS to find the CAS server and request EWS configuration information. Please ensure that DNS has either an A record for autodiscover.domain.com or an SRV record for _autodiscover._tcp.domain.com that points to the CAS server.

In addition, here is another post for reference. Hope it helps.
April 18th, 2012 6:25am

Thanks for your answer indubious, my Autodiscover response when using a web browser is:

  <?xml version="1.0" encoding="utf-8" ?>
  <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
    <Response>
      <Error Time="07:27:21.6974814" Id="3745492755">
        <ErrorCode>600</ErrorCode>
        <Message>Invalid Request</Message>
        <DebugData />
      </Error>
    </Response>
  </Autodiscover>

That is regardless if using http or https, pc or mobile device. No certificate warnings when using https. When coming in externally I need to authenticate first though.

According to other TechNet posts such as this, that should be the normal behaviour? Also a test from www.testexchangeconnectivity.com is successful.

If I test autodiscovery (Test E-mail AutoConfiguration...) in Outlook that gives me a successful response similar to the example in the link you provided.

April 18th, 2012 8:42am

Thanks for your answer Noya Lau, but I believe my DNS settings are correct. Thanks for posting the link, but I have actually already gone through all the steps in it.

I have A records in both internal and external DNS for autodiscover.domain.com. I have also added the _autodiscover._tcp.domain.com SRV record and pointed that to our Exchange (single server setup) both in internal and external DNS.

I have again double-checked that autodiscover.domain.com resolves to our Exchange, and it does..

April 18th, 2012 8:53am

Hi,

Please verify the EWS URLs your Lync client is trying to use: Press Ctrl + right click on Lync symbol in the task pane -> Configuration Information

Best Regards
Timo

April 19th, 2012 12:15am

Hi Timo and thanks,

Unfortunately they are both blank. I'm not getting any EWS URLs from autodiscover.

April 19th, 2012 1:43am

Please verify the URL settings on the Exchange Server: Get-WebservicesVirtualdirectory | FL *Url*

April 19th, 2012 10:16am

Ok, here's the results of that cmdlet:

InternalNLBBypassUrl : https://internalFQDN/ews/exchange.asmx
InternalUrl          : https://mail.ourdomain.com/EWS/Exchange.asmx
ExternalUrl          : https://mail.ourdomain.com/ews/exchange.asmx

What is that InternalNLBBypassUrl? Should that be same as Internal / ExternalUrl?

April 19th, 2012 9:48pm

Ok, solved this one after opening a case with Microsoft. The solution for us - since everything was in order regarding DNS, Certificates and seemingly all other configurations - was to recreate the Autodiscover Virtual Directory.
  • Marked as answer by J.Beckman Wednesday, April 25, 2012 6:20 AM
April 25th, 2012 9:19am

Glad to hear you got EWS issue resolved but please explain in detail how one goes about "recreate the Autodiscover Virtual Directory."   Thanks in advance.
January 8th, 2014 3:19am

Please see this TechNet article for instructions!

http://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

January 8th, 2014 10:19am
