CWA 2007 and duplicated web server template

  • 2 July 2008 16:06

    I am setting up Communicator Web Access 2007 by following this guide http://technet.microsoft.com/en-us/library/bb663589(TechNet.10).aspx

    At the section on requesting an MTLS certificate this guide goes on about using the "duplicated Web Server template that you duplicated for the Office Communications Server 2007 certificates". I've set up OCS 2007 a few times now and I've never had to duplicate any certificate templates.

    I see some of the LCS 2005 documentation makes references to this step, but I haven't seen anything for OCS 2007 about duplicating templates.

    So what to do? Is the above implementation guide just wrong and I don't need to duplicate a template, or do I follow this LCS 2005 guide to duplicate the template? http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_7.mspx

    Thanks.

All replies

  • 2 July 2008 16:35
    Moderator
    Answer
    Typically you would duplicate the web server template if you needed client auth on the certificate. PIC with AOL and most remote call control deployments require this. However, you do not need this for CWA. You can use a regular certificate based on the default template.

  • 2 July 2008 21:52

    Thanks for the reply Mike, I'll give it a try. I guess the documentation for CWA 2007 just isn't accurate then.
  • 14 July 2008 22:47

    I got everything working without using any duplicated templates so thanks again. For anyone else who is wondering the same as me, that CWA 2007 deployment guide is really quite poor, lots of missing steps, especially related to certificates and the differences between internal and external users.

    I installed two CWA servers as per the guide, one for internal users and one for external users. For the internal server I obtained a single (non-duplicated) certificate from my internal CA and used this for both MTLS and SSL. For the external server I got an internal CA certificate for MTLS and a public CA certificate for SSL.

  • 19 August 2008 19:31

    Simon, I agree, the documentation is not clear about this.

    'I obtained a single (non-duplicated) certificate from my internal CA and used this for both MTLS and SSL'

    What exactly did you do to get the web server template certificate from the CA to the CWA server?  I have tried many things, but nothing has worked yet.

    When I request it via \\ca_server\certsrv and request a cert., web server is not listed in the list of certs. 

    Bob
  • 20 August 2008 16:13

    On my CA the web server template is listed as an available certificate template when using the certsrv web page to submit an advanced certificate request. Is your CA an enterprise root CA running on Windows 2003 Enterprise edition?

    Check on your Certification Authority MMC and have a look at the Certificate Templates node. If Web Server is not listed as an available template try right clicking on Certificate Templates and choosing New > Certificate template to Issue. This may allow you to add it.

  • 20 August 2008 17:49

    Simon,

    I have a root CA (running Enterprise 2003) and a Subordinate Enterprise CA (running Std. 2003) on the DC. The CWA documentation indicates the certificate must come from the CA that issued the cert. to OCS. That would be the root CA. When I tried to get the cert. from the root CA, there was no Web Server listed. I finally requested the cert. from the Subordinate Enterprise CA (not the one that issued the Cert. to OCS) and I received one and it did work with the CWA server.

    When I look at the Certificate Authority MMC on the root CA, it does not have the folder for Certificate Templates.  The Subordinate Enterprise CA does have the folder which is why I could grab the cert. from it.
    So I think it is working OK now.  Thanks for your help.

    Bob

  • 26 August 2008 16:25

    I'm hung on this step myself, and the docs for CWA are lacking in this department.

    I've created a MTLS cert on the same CA that the OCS used for its certs, although I was told that OCS was built using HTTPS/TLS, and not MTLS. I even dropped the MTLS cert that I created on the OCS just in case. I've dropped in the CA chain, I've put HTTPS, MTLS certs on the CWA server, but can't get past the "The certificate that you selected is the incorrect. Please select a valid Mutual TLS certificate" error in the setup.

    I'm still new at certs, but this can't possibly be this hard. Are there any good docs around that detail exactly what I need to do to get past this? If I don't actually need an MTLS cert, as some have said above, how do I get past this?

    Thanks,

    B
  • 11 September 2008 21:22

    I am a former user of LCS 2k5 and like someone mentioned in the posts before, the deployment guide for LCS 2k5 did ask you to duplicate the web server template and like also mentioned I did not have to duplicate a certificate template for OCS 2k7. One major difference I noticed from the web server template and the duplicated web server template was that the duplicated one was allowed to make the certificate exportable. This feature is used during the certificate request section in the OCS2k7 deployment. If you notice during that part of the deployment guide it requests you to mark the key as exportable and if you don't select the duplicated web server template and you pick "web server" that option will be greyed out.

    My main question is what "intended purposes" or "enhanced key usage" does this certificate need to have? Originally when I was giving my CWA server a certificate from my CA using the duplicated template the only purpose it had was server authentication. I went to the certificates template manager and gave the duplicated template the Client Authentication purpose as well. Still no luck, "not a valid Mutual TLS certificate". I even used just a standard web server template certificate with no luck. I noticed that my Web Server template only has the "Server Authentication" usage on it.

    If the cert just needs the server authentication, what else does it need to have to be classified as a MTLS certificate so that the Activation wizard accepts it?
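
Added example, not part of any post in this thread: a PowerShell report of the certificate properties the posts above compare (enhanced key usage, issuing CA, presence of a private key) for every certificate in the local computer's Personal store. The function name Get-CertEkuReport, its parameters and the issuer name are assumptions made for illustration.

```powershell
# Added example (not from the thread): report, for each certificate in the
# local computer's Personal store, the properties the posts above compare.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-CertEkuReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Assumption: distinguished name of the CA that issued the OCS
        # certificates; leave empty to skip the issuer comparison.
        [string]$ExpectedIssuer = ''
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Find the Enhanced Key Usage extension; it may be absent.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Plain string comparison of the issuer DN as .NET formats it.
        $issuerMatch = $null
        if ($ExpectedIssuer) { $issuerMatch = ($cert.Issuer -eq $ExpectedIssuer) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            IssuerMatches = $issuerMatch
            HasPrivateKey = $cert.HasPrivateKey
            HasEku        = [bool]$eku
            ServerAuth    = $oids -contains $ServerAuthOid
            ClientAuth    = $oids -contains $ClientAuthOid
            NotAfter      = $cert.NotAfter
        }
    }
}

# Constructed issuer name for illustration; substitute your own CA's DN.
Get-CertEkuReport -ExpectedIssuer 'CN=Example Issuing CA, DC=example, DC=local' |
    Format-Table -AutoSize
```

The report only displays these fields side by side; the thread does not establish which of them the CWA activation wizard checks.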

  • 18 November 2008 16:00
    Proposed answer

    I am currently having the same problem. Has anyone figured it out yet?
    • Proposed as answer by yuichu 14 April 2009 23:30
  • 19 January 2009 17:20
    Proposed answer
    (For the ones who haven't figured out yet ... like me until now:) 

    The trick is to actually not use the web page to request the certificate but the certificate wizard out of either

    - OCS <http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/MS_Live_Communications_Server/Q_24034409.html> (scroll to the end) or
     - any non-default IIS web site (properties, directory security, server certificate, ...) which is the nicer and more secure way of doing it

    Regards
    • Proposed as answer by yuichu 14 April 2009 23:30
  • 14 April 2009 23:37

    I am new with this cert thing. Can you please give some advice?
    For CWA to work for external users, do we need reverse proxy (https) server on the perimeter? If yes, that means we will need another public CA cert on external interface and another public CA for internal interface, correct? (my environment is only using public cert).

     Reverse proxy  ====== CWA ========= FE OCS

    Two public certs for reverse proxy
    One for CWA
    One for FE OCS (already have)

    Thanks
    Yuichu