Recently while installing Exchange 2010 in a customer environment I ran into an error related to certificates when I tried to enable the OCS integration in OWA. The client had chosen Godaddy as their public CA of choice and as it turns out this played a role in causing the issue. Godaddy's certificates carry a " character in the issuer field. Although it wouldn't normally matter, it does when you paste that field into an XML config file, like the web.config used for IM integration with OWA/Exchange 2010.
I'll assume you've read and followed the TechNet article on configuring Exchange 2010 to work with your OCS environment here, and now you're seeing an error in the application log on your Exchange 2010 CAS server like the one below:
The cause of the error in this case was that the Issuer string in the Godaddy certificate contains " characters (the O= component is quoted because the organization name itself contains a comma):
A number of people have detailed (thanks to Chris and Robin's Technology Blog) that a literal " character isn't allowed inside an XML attribute value. So knowing it's not allowed is a wonderful thing, but what to replace it with wasn't exactly clear to me. I don't do much programming in XML (or none at all) so I wasn't sure what the appropriate replacement was. Luckily I have access to a crack team of programmers at PCMS (thanks Mike B!) who were able to verify I needed to replace both " characters in the Issuer string with:
It ends up looking like this:
Wonderful, now I save my config file, restart IIS and all should be happy, right? Well, not quite yet…
Although the error was gone from the application log, the Contact List in OWA was showing “Instant Messaging isn’t available right now”
A little more reading and I saw that people were having issues using certificates from a different CA than the one that issued the OCS certificates. Now I know OCS is picky sometimes, but I couldn't believe it wouldn't work because of that, and I had already added the public FQDN of the CAS server to my Host Authorization tab in OCS and it was working with the self-signed certificate I used. Then it hit me: the public cert had a different subject name than the self-signed certificate, because the company had planned to update the web address in the coming months and we had put the old address, which was to be retired, in the SAN field. I updated the Host Authorization tab with the subject name of the certificate (even though DNS didn't point to it yet), ran iisreset on the Exchange 2010 CAS server and, voila, it's working. Just like Outlook Anywhere, the subject (principal) name from the certificate, not a SAN entry, is what must be used in the Host Authorization tab.
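To make both fixes checkable without an Exchange server, here is an added example (not code from the original post or from Microsoft) in Python. It renders the OWA IM appSettings fragment from an issuer string, shows that the raw quoted issuer breaks the XML parser while the `&quot;`-escaped version parses and round-trips back to the exact issuer string, and pulls the subject CN out of the public certificate to compare against the OCS Host Authorization list. The appSettings key names (IMPoolName, IMCertificateIssuer, IMCertificateSerialNumber), the pool and host names, and the certificate strings are assumptions and constructed samples, modelled on the shape of a Godaddy issuer DN; check them against your own certificate and the TechNet article.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample values (not taken from the post). The O= component is
# quoted because the organization name contains a comma; those quotes are
# what breaks web.config if pasted in unescaped.
ISSUER = ('CN=Go Daddy Secure Certification Authority, '
          'OU=http://certificates.godaddy.com/repository, '
          'O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US')
SERIAL = '0123456789abcdef'                      # constructed, hex as shown in certmgr
POOL = 'ocspool.example.com'                     # assumed OCS pool FQDN
SUBJECT = 'CN=mail.example.com, OU=Domain Control Validated, O=mail.example.com'
SANS = ['mail.example.com', 'legacy.example.com', 'autodiscover.example.com']

# Key names follow the Exchange 2010 OWA web.config layout used by the TechNet
# procedure; treat them as an assumption and verify against your own file.
WEB_CONFIG_TEMPLATE = """<configuration>
  <appSettings>
    <add key="IMPoolName" value="{pool}" />
    <add key="IMCertificateIssuer" value="{issuer}" />
    <add key="IMCertificateSerialNumber" value="{serial}" />
  </appSettings>
</configuration>
"""


def xml_attr(value):
    """Escape a string for use inside a double-quoted XML attribute.
    saxutils.escape handles & < > ; the extra entity maps " to &quot;."""
    return escape(value, {'"': '&quot;'})


def render_web_config(pool, issuer, serial, escape_values=True):
    """Render the appSettings fragment, optionally without escaping so the
    broken 'before' state can be reproduced."""
    f = xml_attr if escape_values else (lambda s: s)
    return WEB_CONFIG_TEMPLATE.format(pool=f(pool), issuer=f(issuer), serial=f(serial))


def config_parses(xml_text):
    """True if the fragment is well-formed XML (what IIS/ASP.NET needs)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def im_issuer_from_config(xml_text):
    """Read back the IMCertificateIssuer value; the parser decodes &quot;
    so the result must equal the issuer string exactly as Windows shows it."""
    for add in ET.fromstring(xml_text).iter('add'):
        if add.get('key') == 'IMCertificateIssuer':
            return add.get('value')
    return None


def split_dn(dn):
    """Split an X.500-style DN into (attribute, value) pairs, honouring
    double-quoted values so the comma in O="GoDaddy.com, Inc." does not
    split the component. Quotes are kept as part of the value."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ',' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append(''.join(buf).strip())
    return [tuple(p.split('=', 1)) for p in parts]


def host_authorization_name(subject_dn):
    """The name that must appear in the OCS Host Authorization tab, per the
    post's finding: the certificate's subject CN, not one of its SANs."""
    for attr, value in split_dn(subject_dn):
        if attr.upper() == 'CN':
            return value
    return None


def host_authorization_ok(subject_dn, authorized_hosts):
    """Case-insensitive check that the subject CN is in the OCS host list."""
    cn = host_authorization_name(subject_dn)
    return cn is not None and cn.lower() in {h.lower() for h in authorized_hosts}


if __name__ == '__main__':
    raw = render_web_config(POOL, ISSUER, SERIAL, escape_values=False)
    fixed = render_web_config(POOL, ISSUER, SERIAL)
    print('raw issuer parses:', config_parses(raw))        # False
    print('escaped issuer parses:', config_parses(fixed))  # True
    print(fixed)
    cn = host_authorization_name(SUBJECT)
    print('Host Authorization needs:', cn)
    print('legacy name is only a SAN:', 'legacy.example.com' in SANS and cn != 'legacy.example.com')
```

Run it as-is to see the before/after fragment; on a real CAS, paste the issuer string from the certificate's details pane into `ISSUER` and the serial into `SERIAL`, and compare the printed fragment with the appSettings entries in the OWA web.config before running iisreset.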
Now even when I’m in OWA, I have access to all of my OCS contacts and lists.