OCS 2007 R2 CWA SAN RRS feed

  • Question

  • According to the R2 documentation, the Certificate for CWA requires SAN names of "as" and "download".  We currently are using a Certificate with just the Subject name of the Web site, with no SAN.  We do no see any problems with devices getting their updates, or any other reduced functionality.

    From the documentations on CWA certificates:

    Subject alternative name (SAN)

    Includes the following:

    • The URL of the Communicator Web Access site.

    • The as URL.

    • The download URL.

    • The fully qualified domain name (FQDN) of the Communicator Web Access server.

    Thursday, February 12, 2009 3:41 PM

All replies

  • Device updates don't come from CWA - they come from the pool where the user is homed.  The as and download FQDNs are for desktop sharing via CWA.  You'll notice issues if you attempt to use this capability but don't have the DNS records and certificates properly sorted.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Thursday, February 12, 2009 11:59 PM
  • I misstated the "device updates", ment to say "computers getting their downloads".  My certificate only has the subject name of the web site (no SAN entries) and I still cannot find anything that does not work.  I tried it from a computer that had never had IM or the desktop sharing plug-in installed.  It automatically downloaded the desktop sharing, I got the prompt to run the exe to install the plug-in,  it installed and desktop sharing worked fine. 

    I installed fiddler to decrypt the HTTPS traffic and I did see requests for the “as” host, but still did not see anything that did not work.

    The R2 documentation is very clear you need these SAN entries, but I have not found any documentation that explained why they are needed, and to date have not found anything that breaks without them.  (maybe a future version needs them?)

    Wednesday, February 18, 2009 2:24 AM
  • Gentlemen...

    If I try to install a certificate (godaddy) with the following details.
    Subject Name : im.company.com
    Subject name : download.im.company.com
    Subject Name : First CWA computer name (cwa1.corp.local)
    Subject Alt Name : Second CWA computer name (cwa2.corp.local)

    I still get the error that says this.
    "The subject name of the certificate you selected doesnt match the current computers FQDN"

    Any thoughts on this ??
    Wednesday, July 1, 2009 2:33 PM
  • Where is that error coming from?  A validation wizard or from a client that attempts to access the CWA site?  Also your certificate fields should be filled out as shown below:

    /san: im.contoso.com,download.im.contoso.com,as.im.contoso.com,cwa1.corp.local

    By chance have you installed CWA on the Front-End server (not supported)?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 2:42 PM
  • CWA is on its own machine.

    Error occurs when I try to activate the communicator web access...

    I have as.im.contoso.com missing for now , but I can add that in....I dont think that would cause that error during activation , right ??

    Also , I have not used lcscmd.exe to generate the certificate request , I purchased the certificate from godaddy and the csr was generated on another machine...dont think that should be a problem since I exportd the certs out along with the private key..
    Wednesday, July 1, 2009 2:53 PM
  • anyone ?
    Wednesday, July 1, 2009 4:43 PM
  • Resubmit the request (preferrably from the CWA server using LCSCMD, but not required) and include the as.im.domain.com entry as well.  That might cause the activation error as it may be checking for all the required FQDNs.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 4:51 PM
  • same issue after I added as.im.domain.com...

    "The subject name of the certificate you selected doesnt match the current computers FQDN"

    I dont get this....freakin impossible to troubleshoot..

    Do you think its because I have both cwavm.corp.local and cwavm2.corp.local in the same cert as SAN names ?

    right now subject name is im.domain.com ... should I try subject name to be the fqdn of the machine and SAN name to be im.shi.com ?
    • Edited by ZPoint2010 Wednesday, July 1, 2009 6:49 PM
    Wednesday, July 1, 2009 5:59 PM
  • Can I use two different certificates 

    For the activation I will just use a certificate with the subject name : cwavm.corp.local

    For the virtual server I will user a certificate with the subject name : im.company.com

    will this work ?
    Wednesday, July 1, 2009 6:33 PM
  • What is cwa2.corp.local?  I'm still not clear on why there are two server FQDNs.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 6:42 PM
  • welll I have two front end servers..

    cwavm and cwavm2

    I figured I would add both the SAN names (for both the servers) in one certificate so I could use the same certificate on both the servers...

    bad idea ?
    Wednesday, July 1, 2009 6:47 PM
  • I removed the other machines FQDN from the SAN name of the cert...

    apparently that hasnt helped also...this is so much BS
    Wednesday, July 1, 2009 7:01 PM
  • By "Two Front-End servers" are you talking about two actual Enterprise Edition front-end server nodes in a cluster, or are you referring to the 'Front-End' OCS server and the separate CWA servers as both 'Front-End' servers?  Or are you simply calling the separate CWA servers 'front-end' servers?

    Only the CWA server's local FQDN should be included in the SAN field.  FQDNs from the Front-End Standard Edition Stand-Alone or Enterprise Edition Pool Server should not be included in this certificate.

    What is the FQDN is the server that is ONLY running CWA and no other OCS roles?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 7:05 PM
  • cwavm.corp.local , its only purpose is CWA. Its not one of the front end servers.

    I was just saying that at some point I might loadbalance the two CWA servers...but thats not important.

    I already removed the second CWA server from the certificate SAN name , I still get the error.
    Wednesday, July 1, 2009 7:08 PM
  • Have you validated that the Private key is in fact associated with the certificate?

    Also, where is the error showing up? Certificate assignment, Validation Wizard, client connection testing?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, July 1, 2009 7:35 PM
  • yes , the certificate has a private key.

    Error shows up in the activation wizard when the certificate is assigned.
    Thursday, July 2, 2009 1:37 PM
  • no one has a clue ?
    Thursday, July 2, 2009 7:45 PM
  • Try this - use a separate certificate for the activation (MTLS) and the virtual server. The MTLS certificate must match the local machine's FQDN - the CWA server, not your Front-End server name.

    MTLS Certificate
    Subject Name: cwa1.corp.local

    Virtual Server Certificate
    Subject Name: im.company.com
    Subject Alternative Names: as.im.company.com,download.im.company.com,cwa1.corp.local

    Monday, July 6, 2009 5:42 PM
  • Hi guys,

    i have the same beaviur.

    well for mtls works fine mtls certificate with the fqdn of the server when i install cwa. so my certificate for mtls is servername.childdomain.root.local

    For virtual server i have two interesting points.

    i have used :
    Virtual Server Certificate
    Subject Name: cwa.childdomain.root.local (cwa is my alias for internal access)
    Subject Alternative Names: as.cwa.childomain.root.local,download.cwa.childdomain.root.local,servercwa.childdomain.root.local

    first dns stuff 
    when i created  cname as and download with the syntax as.CWA on my internal dns it automaticaly create a subzone called CWA and this i think is standard beahviur of dns.

    When i try to connect by ie to cwa.childomain.root.local i get error on the certificate. And it is correct i think because internet explorer get an aswer from servercwa.childdomain.root.local,
    When i try to connect using servercwa.childdomain.root.local i can connect but i can not use desktop sharing. (i get blank pages and no error )

    Any idea ?

    Actualy i want to try one thing
    1) using directly the servername also for virtual server dns and certificates.

    Kind regards


    vincenzo tricoci
    Wednesday, July 8, 2009 8:29 AM
  • Only to clarify that actualy when i try to share from cwa session to MOC i can do that without any issue.
    When i try to get control from cwa didn 't work.
    all the latest hotfix has been placed.

    No paricular error on iis log.

    kind regards


    vincenzo tricoci
    Wednesday, July 8, 2009 9:46 AM

  • is your Server FQDN the same as your CWA FQDN?

    Below is the request used in the CWA deployment guide. Be sure you have the subject name in the SAN name list as the first SAN. Also validate what you are using for mtls cert? are they one and the same.

    LcsCmd.exe /Cert /Action:Request /sn:im.contoso.com /san: im.contoso.com,download.im.contoso.com,as.im.contoso.com /ca:ca-server.contoso.com /OU:OCSServers /org:Contoso /country:US /city:Redmond /state:WA /friendlyName:CWA_Certificate /exportable:TRUE
    Mitchr |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Thursday, July 16, 2009 2:37 PM
  • I too have the same problem.  I have two certificates.  A MTLS certificate from my local certificate authority for the server FQDN.  This certificate installs fine through the CWA GUI.  I have another certificate, from a public issuer, for im.domain.com with SAN names download.im.domain.com and as.im.domain.com.  When I try to install this certificate, I get this warning:

    The certificate you selected is ussed for a subject that differs from the fully qualified domain name (FQDN) of this server.  If you continue, clients and other servers may not be able to connect to this server.  Do you wish to proceed with this certificate?

    Now, this warning is technically correct.  My certificate does not match the FQDN of the server.  But, it's not supposed to, it's supposed to be im.domain.com.  So what gives?  I have also tried this same certificate with the FQDN present in the SAN section, and receive the same error.

    Furthermore, if I assign the certificate anyway, within 15 minutes the IIS site for CWA loses the certificate settings in the SSL binding.  Its the strangest thing.  I'll assign the certificate, either through the CWA GUI or through the IIS bindings GUI.  Shortly thereafter I can no longer login to the CWA site, and I find that the HTTPS binding for my CWA site in IIS says "No certificate", and I have to reassign the certificate.  I've created a script that automatically assigns the certificate every 15 minutes, but that's far from ideal.

    Lastly, I've noticed another weird behavior.  When I open the CWA GUI and expand all the way down to the node that shows the "Connectivity" settings, it never loads the certificate settings.  The "HTTPS" line has a green check mark.  Every other line related to the certificate and IIS site always say "Retrieving data...".  The Next Hop Connections area also says "Retrieving Data..."

    My platform is Windows 2008 X64.
    Friday, July 17, 2009 12:17 PM