One CWA server works, but not the 2nd server

  • Question

  • I am trying to set up 1 internal CWA and 1 external CWA, as the Microsoft guide suggested. I was able to get the first server (Internal) working, but anytime I try to add any additional CWA servers, even if it is another Internal CWA, I receive an error when logging in. Error states: Your session was ended. Communicator Web Access cannot sign in to the server. Error code: 0-0-18100-2-0.

    The OCSlogger error is:
    FailureReason=UntrustedRemoteCertificate
    Microsoft.Rtc.Signaling.TlsFailureException: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provide that the TLS session terminated.

    It appears to be an MTLS cert problem, but I created the first MTLS cert with the FQDN of the server name (server1.domain.com) and that server works great, but when I duplicate the process and create another MTLS cert with the FQDN of the 2nd server name (server2.domain.com), the 2nd server does not work. I have verified that the cert on Server2 is the same as on Server1 and that the Root CA is in the Trusted Root folder, and I have tried this on 3 other servers, with the same result.

    Any help is greatly appreciated.

    Thanks!
    Friday, July 17, 2009 12:55 AM

Answers

  • I was finally able to resolve this issue.  I used a certificate from Digicert, for the MTLS cert, on the Enterprise pool servers and our Enterprise CA for the CWA MTLS certificates.  When the CWA servers tried to communicate with the Front-end servers, the front-end servers tried to use the Digicert certificate and the CWA servers did not trust the Digicert CA.  Since Digicert acts as an Intermediate Certification Authority, their certificates needed to be placed in the Intermediate Certification Authorities store on all of the CWA servers. 
    • Marked as answer by jsheets Thursday, July 23, 2009 9:03 PM
    Thursday, July 23, 2009 9:03 PM
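The accepted answer turns on which side of the MTLS handshake fails validation: the CWA server receives the front-end's Digicert-issued certificate and cannot build a chain to a trusted root because the intermediate CA certificate is missing from its Intermediate Certification Authorities store. The following PowerShell script is an added diagnostic example, not code from the thread or from Microsoft; it is run on the CWA server, pulls the certificate the peer presents, builds the chain with the local machine's stores and reports the failing status (for example `PartialChain` or `UntrustedRoot`), then shows the fix the answer describes. The peer FQDN, the port and the `.cer` path are assumed placeholders, not values from the posts.

```powershell
# Added example (not from the thread): check whether this host trusts the
# certificate a remote OCS peer presents over TLS, and show which link of the
# chain is missing. All names below are assumptions, not values from the post.
param(
    [string]$PeerFqdn = 'frontend.domain.example',   # assumed: front-end pool FQDN
    [int]$Port = 5061,                               # assumed: the peer's TLS listening port
    [string]$IntermediateCerPath = 'C:\certs\issuing-ca.cer'  # assumed: intermediate CA cert file
)

# Accept any certificate during the handshake so the stream completes and we
# can inspect the peer certificate; trust is evaluated explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($PeerFqdn, $Port)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($PeerFqdn)
    $peerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Build the chain using this machine's Trusted Root and Intermediate stores.
# Revocation checking is disabled so a CRL that cannot be reached does not mask
# the actual trust problem; run it again with 'Online' once trust is fixed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($peerCert)

"Peer presented : $($peerCert.Subject)"
"Issued by      : $($peerCert.Issuer)"
"Trusted here   : $trusted"
foreach ($status in $chain.ChainStatus) {
    # PartialChain = an issuing (intermediate) certificate could not be found;
    # UntrustedRoot = the chain ends in a root that is not in Trusted Root CAs.
    "  status : $($status.Status) - $($status.StatusInformation.Trim())"
}
foreach ($element in $chain.ChainElements) {
    "  element: $($element.Certificate.Subject)"
}

# Remediation from the accepted answer: the CWA server needs the peer's issuing
# (intermediate) CA certificate in its Intermediate Certification Authorities
# store. Obtain the .cer from the CA itself rather than from an untrusted source.
if (-not $trusted -and (Test-Path $IntermediateCerPath)) {
    # certutil works on Windows Server 2008-era hosts; Import-Certificate needs
    # the PKI module shipped with Windows Server 2012 and later.
    & certutil.exe -addstore CA $IntermediateCerPath
    # Import-Certificate -FilePath $IntermediateCerPath -CertStoreLocation 'Cert:\LocalMachine\CA'
    "Re-run this script to confirm the chain now builds."
}
```

Run it from an elevated prompt on each CWA server against the front-end it cannot reach; a `PartialChain` status with the Digicert issuer shown as the last element is exactly the symptom the answer describes, and the chain should build to `True` after the intermediate certificate is in the `CA` store.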

All replies

  • So are both servers the same name, and do both certificates have the same name? If so, are they both issued by the same CA?

    Are the sites on the same server or on different servers?

    Based on what you are saying, you are using a server with a different FQDN from the CWA site. Is that correct?
    Mitchr | MCITP: Enterprise Server Admin, Messaging | MCTS: OCS with Voice Achievement | MCT
    Friday, July 17, 2009 2:14 AM
  • The HTTPS cert is using the same FQDN (cwa.externaldomain.com) using a split DNS configuration, but the MTLS certs are using a different FQDN because the actual server names are server1.domain.com and server2.domain.com.

    I hope I was able to clarify this setup a little better.

    Thanks for your help!
    Friday, July 17, 2009 11:06 AM