2 iulie 2008 16:06
I am setting up Communicator Web Access 2007 by following this guide http://technet.microsoft.com/en-us/library/bb663589(TechNet.10).aspx
At the section on requesting an MTLS certificate this guide goes on about using the "duplicated Web Server template that you duplicated for the Office Communications Server 2007 certificates". I've set up OCS 2007 a few times now and I've never had to duplicate any certificate templates.
I see some of the LCS 2005 documentation makes references to this step, but I haven't seen anything for OCS 2007 about duplicating templates.
So what to do? Is the above implementation guide just wrong and I don't need to duplicate a template, or do I follow this LCS 2005 guide to duplicate the template? http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_7.mspx
2 iulie 2008 16:35ModeratorTypically you would duplicate the web server template if you needed client auth on the certificate. PIC with AOL and most remote call control deployments require this. However, you do not need this for CWA. You can use a regular certificate based on the default template.
2 iulie 2008 21:52
14 iulie 2008 22:47
I got everything working without using any duplicated templates so thanks again. For anyone else who is wondering the same as me, that CWA 2007 deployment guide is really quite poor, lots of missing steps, especially related to certificates and the differences between internal and external users.
I installed two CWA servers as per the guide, one for internal users and one for external users. For the internal server I obtained a single (non-duplicated) certificate from my internal CA and used this for both MTLS and SSL. For the external server I got an internal CA certificate for MTLS and a public CA certificate for SSL
19 august 2008 19:31
Simon, I agree, the documentation is not clear about this.
'I obtained a single (non-duplicated) certificate from my internal CA and used this for both MTLS and SSL'
What exactly did you do to get the web server template certificate from the CA to the CWA server? I have tried many things, but nothing has worked yet.
When I request it via \\ca_server\certsrv and request a cert., web server is not listed in the list of certs.Bob
20 august 2008 16:13
On my CA the web server template is listed as an available certificate template when using the certsrv web page to submit an advanced certificate request. Is your CA an enterprise root CA running on Windows 2003 Enterprise edition?
Check on your Certification Authority MMC and have a look at the Certificate Templates node. If Web Server is not listed as an available template try right clicking on Certificate Templates and choosing New > Certificate template to Issue. This may allow you to add it.
20 august 2008 17:49
I have a root CA (running Enterprise 2003) and a Subordinate Enterprise CA (running Std. 2003) on the DC . The CWA documentation indicates the certificate must come from the CA that issued the cert. to OCS. That would be the root CA. When I tried to get the cert. from the root CA, there was no Web Server listed. I finally requested the cert. from the Subordinate Enterprise CA (not the one that issued the Cert. to OCS) and I received one and it did work with the CWA server.
When I look at the Certificate Authority MMC on the root CA, it does not have the folder for Certificate Templates. The Subordinate Enterprise CA does have the folder which is why I could grab the cert. from it.
So I think it is working OK now. Thanks for your help.
26 august 2008 16:25I'm hung on this step myself, and the docs for CWA are lacking in this department.
I've created a MTLS cert on the same CA that the OCS used for it's certs, although I was told that OCS was built using HTTPS/TLS, and not MTLS. I even dropped the MTLS cert that I created on the OCS just in case. I've dropped in the CA chain, I've put HTTPS, MTLS certs on the CWA server, but can't get past the "The certificate that you selected is the incorrect. Please select a valid Mutual TLS certificate" error in the setup.
I'm still new at certs, but this can't possibly be this hard. Are there any good docs around that detail exactly what I need to do to get past this? If I don't actually need an MTLS cert, as some have said above, how do I get past this?
11 septembrie 2008 21:22
I am a former user of LCS 2k5 and like someone mentioned in the posts before, the deployment guide for LCS 2k5 did ask you to duplicate the web server template and like also mentioned I did not have to duplicate a certificate template for OCS 2k7. One major difference I noticed from the web server template and the duplicated web server template was that the duplicated one was allowed to make the certificate exportable. This feature is used during the certificate request section in the OCS2k7 deployment. If you notice during that part of the deployment guide it requests you to mark the key as exportable and if you dont select the duplicated web server template and you pick "web server" that option will be greyed out.
My main question is what "intended purposes" or "enhanced key usage" does this certificate need to have? Originally when I was giving my CWA server a certificate from my CA using the duplicated template the only purpuse it had was server authentication. I went to the certificates template manager and gave the duplicated template the Client Authentication purpose as well. Still no luck, "not a valid Mutual TLS certificate". I even used just a standard web server template certificate with no luck. I noticed that my Web Server template only has the "Server Authentication" usage on it.
If the cert just needs the server authentication, what else does it need to have to be classified as a MTLS certificate so that the Activation wizard accepts it?
18 noiembrie 2008 16:00
- Propus ca răspuns de yuichu 14 aprilie 2009 23:30
19 ianuarie 2009 17:20(For the ones who haven't figured out yet ... like me until now:)
The trick is to actually not use the web page to request the certificate but the certificate wizard out of either
- OCS <http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/MS_Live_Communications_Server/Q_24034409.html> (scroll to the end) or
- any non-default IIS web site (properties, directory security, server certificate, ...) which is the nicer and more secure way of doing it
- Propus ca răspuns de yuichu 14 aprilie 2009 23:30
14 aprilie 2009 23:37
I am new with this cert thing. Can you please give some advices?.
For CWA to work for external users, do we need reverse proxy (https) server on the perimeter?. If yes, that mean we will need another public CA cert on external interface and another public CA for internal interface, correct?. (my environment is only using public cert).
Reverse proxy ====== CWA ========= FE OCS
Two public certs for reverse proxy
One for CWA
One for FE OCS (already have)