Event ID 87 in Exchange 2010 with OCS Integration

Recently, while installing Exchange 2010 in a customer environment, I ran into a certificate-related error when I tried to enable the OCS integration in OWA.  The client had chosen Godaddy as their public CA of choice, and as it turns out this played a role in causing the issue.  Godaddy uses the " character in the Issuer field of the certificate.  That normally wouldn't matter, but it does when you paste that field into an XML config file, like the one used for IM integration with OWA/Exchange 2010.

I'll assume you've read and followed the TechNet article on configuring Exchange 2010 to work with your OCS environment here, and that you're now seeing an error in the application log on your Exchange 2010 CAS server like the one below:

The cause of the error in this case was that the Issuer string found in the Godaddy certificate contained " characters:

A number of people have detailed (thanks to Chris and Robin's Technology Blog) that the " character can't appear unescaped inside a quoted value in an XML file.  So knowing it's not allowed is a wonderful thing, but what to replace it with wasn't exactly clear to me.  I don't do much programming in XML (or none at all), so I wasn't sure what the appropriate replacement was.  Luckily I have access to a crack team of programmers at PCMS (thanks Mike B!) who were able to verify I needed to replace both " characters in the Issuer string with:

&quot;

It ends up looking like this:

Wonderful, now I save my config file, restart IIS and all should be happy right?  Well not quite yet…

Although the error was gone from the application log, the Contact List in OWA was showing "Instant Messaging isn't available right now".

A little more reading showed that people were having issues using certificates from a different CA than the OCS certificates.  I know OCS is picky sometimes, but I couldn't believe it wouldn't work because of that, and I had already added the public FQDN of the CAS server to the Host Authorization tab in OCS, where it was working with the self-signed certificate I had used.  Then it hit me: the public cert had a different subject name than the self-signed certificate, because the company planned to update the web address in the coming months and we had used SAN fields for the old address that was to be retired.  I updated the Host Authorization tab with the subject name of the certificate (even though DNS didn't point to it yet), ran iisreset on the Exchange 2010 CAS server and, voila, it's working.  Just like Outlook Anywhere, the principal name (subject) from the certificate must be used in the Host Authorization tab.

Now even when I’m in OWA, I have access to all of my OCS contacts and lists.
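To tie the two fixes together, here is an added example (mine, not part of the original post) that shows why the unescaped Issuer string breaks the config, that escaping the quotes as &quot; makes the value round-trip intact, and how to pull the subject CN that belongs in the Host Authorization tab. The issuer and subject strings are constructed to mirror the Godaddy format, and the IMCertificateIssuer key name is an assumption for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample issuer modelled on the Godaddy format: the quotes protect the
# comma inside the organisation name, and those quotes are what break the XML.
ISSUER = ('CN=Go Daddy Secure Certification Authority, '
          'OU=http://certificates.godaddy.com/repository, '
          'O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US')
# Constructed sample subject for the CAS server's public certificate.
SUBJECT = 'CN=webmail.example.com, OU=Domain Control Validated, O=webmail.example.com'
# Hypothetical appSettings key name used for illustration only.
KEY = "IMCertificateIssuer"

def config_snippet(issuer, escaped=True):
    """Build the <add key=... value=.../> line as it would sit in the XML config."""
    value = escape(issuer, {'"': "&quot;"}) if escaped else issuer
    return f'<appSettings><add key="{KEY}" value="{value}"/></appSettings>'

def read_issuer(xml_text):
    """Parse the snippet as the config loader would; None means not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for add in root.iter("add"):
        if add.get("key") == KEY:
            return add.get("value")
    return None

def split_dn(dn):
    """Split an X.500 name into (attribute, value) pairs, honouring quoted values
    so the comma in "GoDaddy.com, Inc." does not start a new component."""
    parts, buf, in_quotes = [], "", False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append(buf)
            buf = ""
            continue
        buf += ch
    parts.append(buf)
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip(), value.strip().strip('"')))
    return pairs

def host_authorization_name(subject):
    """The entry the OCS Host Authorization tab needs: the certificate's subject CN."""
    return dict(split_dn(subject))["CN"]
```

Running read_issuer on the unescaped snippet returns None (the parse fails, which is the condition behind the application-log error), while the escaped snippet parses back to exactly the original Issuer string.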

About Kevin Peters

My name is Kevin Peters.

4 Responses to Event ID 87 in Exchange 2010 with OCS Integration

  1. Paul Slager says:

    Hi,

    I basically have the exact same issue as you had. I am also using a GoDaddy Certificate. I sorted out the certificate issues last week, however, I keep getting the message "Instant Messaging isn't available right now."

    Current Setup

    OCS 2007 R2 Server = ocs01.XXX.com
    OCS CWA 2007 RTM = ocscwa1.XXX.com
    OCS CWA 2007 R2 = ocscwa2.XXX.com
    External OWA = webmail.XYZ.com
    Internal OWA = exchangefe1.XXX.com

    In the Host authorization I have: I made sure I checked the correct permissions as well.
    Exchangefe1.lwginc.com
    Webmail.lwgconsulting.com

  2. Paul Slager says:

    Kevin was able to help me sort all of my issues out, thank you so much Kevin. He went above and beyond by totally working through all of my issues. The problem came down to the subject in the certificate not matching what I put in the host authorization section of OCS. I purchased a multidomain certificate, well the first subject name was something other than the OWA FQDN, previously I only had the OWA FQDN in the Host Authorization section, once we placed the correct subject name in the Host Authorization section we had to stop all running services and then start all running services. 🙂

  3. Elvis says:

    Hi all,
    I too am using a GoDaddy cert and am having the exact issue described.. However, I’m using a wildcard certificate.. My subject is *..com, which I wouldn’t be able to enter into the Host Authorization field..

    What should I use for my subject to make this work?

    Thanks in advance!

    • Kevin Peters says:

      Hi Elvis,

      To make this work you have to have the subject name of the certificate in the host authorization field no matter what. For this scenario I would recommend getting a certificate with the webmail's FQDN as the subject instead of the wild card. Hope this helps!

      Thanks for reading!

      -kp
