What FQDN to use when Setting Up OWA/Lync Integration?

I was setting up OWA/Lync integration in my lab and ran into an interesting issue.  After completing all the necessary steps, I logged into OWA as a test user and got the following error message: "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available."

This error typically means one of two things: either you didn't complete all the necessary steps for integration to work, or you have a certificate issue.  Since I know that I completed all the steps required, I started looking into a possible certificate issue.  After verifying that the CAS array name was listed on the certificate bound to IIS on the CAS Server and that both the CAS Server and the Lync Front End Server trusted each other's certificates, I started looking at logging to see if I could figure out what was wrong.

I enabled SIPStack tracing on the Front End Servers to see if I could spot where the error was coming from.  After logging back into OWA and taking a look at the log in Snooper, I saw the following:


TL_ERROR(TF_CONNECTION) [0]0AC0.1278::12/20/2011-20:45:01.704.000003ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
LogType: connection
Severity: error
Text: The peer is not a configured server on this network interface
Transport: TLS
Data: fqdn="deitterick.com"


As the Data line above shows, the Lync Front End Server is rejecting the connection from the CAS Server because it can't find a trusted server object for "deitterick.com".  Looking in Topology Builder, you can see that I created a trusted application pool for "mail.deitterick.com", my CAS array name, and that I defined "LAB-EX2010.lab.deitterick.com", my CAS Server name, as well:

The above looks correct, so why does the Lync Front End Server think that the connection is coming from "deitterick.com", instead of "mail.deitterick.com"?  I next looked at the certificate on the Exchange CAS Server, that I was using for IIS.  As you can see below, the subject name is "deitterick.com"!

So because the subject name on the certificate is "deitterick.com" and not "mail.deitterick.com", the Lync Front End Server is looking for the wrong trusted application pool name.  There are two options to resolve this issue.  The first is to reissue the certificate on the Exchange CAS Server and make sure that the CAS array name is the subject name on the certificate.  The second is to change the trusted application pool name.  Unfortunately you can't just edit the pool name in Topology Builder.  You have to delete the trusted application pool from the topology, publish the topology, and then create the new trusted application pool and create the trusted application again.
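An added PowerShell check, not code from the original post: it pulls the rejected FQDN out of a SIPStack record like the one above, reads the subject CN of the IIS-bound certificate on the CAS, and asks Lync whether that name is a trusted application pool or a computer under one. It assumes the Lync Server Management Shell for the Get-Cs* cmdlets, the Exchange Management Shell for Get-ExchangeCertificate, and a constructed three-line trace in place of a real Snooper export.

```powershell
# Added example (not from the original post). Get-Cs* cmdlets need the Lync Server
# Management Shell; Get-ExchangeCertificate needs the Exchange Management Shell.

# Extract the FQDN the Front End looked for from SIPStack records like the one in the
# post: the 'Data: fqdn="..."' line that follows "The peer is not a configured server".
function Get-RejectedPeerFqdn {
    param([string[]]$LogLines)
    $found = @()
    $inRejectRecord = $false
    foreach ($line in $LogLines) {
        if ($line -match 'The peer is not a configured server') { $inRejectRecord = $true; continue }
        if ($inRejectRecord -and $line -match 'fqdn="([^"]+)"') {
            $found += $Matches[1]
            $inRejectRecord = $false
        }
    }
    return @($found | Select-Object -Unique)
}

# Exchange side: subject CN of the certificate that has the IIS service enabled.
# This is the name the Front End will see, regardless of the CAS array name.
function Get-IisCertificateSubjectCn {
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw 'No Exchange certificate has the IIS service enabled on this server.' }
    if ($cert.Subject -match 'CN=([^,]+)') { return $Matches[1].Trim() }
    throw "No CN in certificate subject '$($cert.Subject)'"
}

# Lync side: is the FQDN a trusted application pool, or a computer listed under one?
# -contains compares case-insensitively; that is all this check claims about case.
function Test-LyncTrustedFqdn {
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    $pools     = @(Get-CsTrustedApplicationPool     | ForEach-Object { $_.PoolFqdn })
    $computers = @(Get-CsTrustedApplicationComputer | ForEach-Object { $_.Identity })
    return [bool](($pools + $computers) -contains $Fqdn)
}

# Walk-through with the post's values (constructed trace): the record names deitterick.com
# while the pool is mail.deitterick.com, so Test-LyncTrustedFqdn is $false until the rename.
$constructedTrace = @(
    'Text: The peer is not a configured server on this network interface',
    'Transport: TLS',
    'Data: fqdn="deitterick.com"'
)
foreach ($fqdn in Get-RejectedPeerFqdn -LogLines $constructedTrace) {
    "Front End rejected peer '$fqdn'; trusted in topology: $(Test-LyncTrustedFqdn -Fqdn $fqdn)"
}
# On the CAS itself, Get-IisCertificateSubjectCn should return the same name the trace shows.
```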

The second option is the one that I chose, and after changing the trusted application pool name:

I published the topology, created the trusted application again, and now when I log into OWA, IM integration works:
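The same rename done from the Lync Server Management Shell instead of Topology Builder, as an added example that is not the post's own commands: remove the trusted application and the pool carrying the CAS array name, publish, then recreate both under the certificate subject name with the CAS server listed as a computer in the pool. The registrar pool, site ID, application ID and port are placeholders; the Identity formats used for the Remove-* cmdlets are assumed from their documented forms.

```powershell
# Added example (not from the original post); run in the Lync Server Management Shell.
# Names from the post; the registrar, site ID, application ID and port are placeholders.
$OldPoolFqdn = 'mail.deitterick.com'            # pool named after the CAS array (rejected)
$NewPoolFqdn = 'deitterick.com'                 # subject CN of the IIS certificate on the CAS
$CasFqdn     = 'LAB-EX2010.lab.deitterick.com'  # CAS server listed under the pool
$Registrar   = 'fepool.lab.deitterick.com'      # PLACEHOLDER: your Front End pool FQDN
$SiteId      = 1                                # PLACEHOLDER: SiteId from Get-CsSite
$AppId       = 'owa-im'                         # PLACEHOLDER: trusted application ID
$Port        = 5199                             # PLACEHOLDER: listening port for the app

# 1. The pool cannot be renamed in place: drop its trusted application, then the pool.
Remove-CsTrustedApplication     -Identity "$OldPoolFqdn/urn:application:$AppId"
Remove-CsTrustedApplicationPool -Identity $OldPoolFqdn
Enable-CsTopology   # publish, as the post does after deleting the pool

# 2. Recreate the pool under the certificate subject name as a multiple-computer pool
#    (ComputerFqdn differs from the pool FQDN) and recreate the trusted application.
New-CsTrustedApplicationPool -Identity $NewPoolFqdn -Registrar $Registrar -Site $SiteId `
    -ComputerFqdn $CasFqdn
New-CsTrustedApplication -ApplicationId $AppId -TrustedApplicationPoolFqdn $NewPoolFqdn -Port $Port
Enable-CsTopology   # publish again so the Front End loads the new trusted server

# 3. Confirm what the Front End will now accept: the pool and the computers under it.
Get-CsTrustedApplicationPool -Identity $NewPoolFqdn | Select-Object PoolFqdn, Registrar
Get-CsTrustedApplicationComputer | Where-Object { $_.Pool -eq $NewPoolFqdn } | Select-Object Identity, Pool
```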


So the important thing to remember when setting up OWA/Lync integration is that when you create the trusted application pool in Topology Builder, you use the subject name defined on the certificate bound to IIS on your CAS Server(s).

Comments (11)

  1. dodeitte says:

    @James Xiong

    No, if you have multiple CAS Servers, the Trusted application pool name would be the CAS array FQDN.  Listing the CAS Servers under that is telling Lync what FQDNs to accept traffic from.

  2. dodeitte says:


    Thanks for the feedback!  When you talk about "sub-app", are you talking about the image above that shows my CAS Server (LAB-EX2010.lab.deitterick.com)?  If so, that gets created via Topology Builder.  When you create the Trusted Application Pool, you want to pick "Multiple computer pool".  That will allow you to list your CAS Server(s).

  3. James Xiong says:

    If one of my CAS servers is down due to a hardware issue, do I need to change the Trusted application pool name before I bring the crashed CAS back up?

  4. GUS says:

    Hi Doug, great information. I'm running into this issue right now.  My question is, what were the commands you used to do this?  I can create the pool name no problem using the cert that is registered, but how did you create the sub-app below deitterick.com?

    In my case, I have a public cert on my internal exchange server with the public name mail.domain.com.  But the internal FQDN is exch.hq.domain.com.  Since IIS has the public FQDN, my trace shows the exact same error you have above.

    Thanks in advance.

  5. TechnoMusic says:

    Hi Doug, I recently had this issue. When I ran a trace it was getting the OWA public address name rejected. I had to add this FQDN to the trusted pool. I know now because of you that it was rejecting this address because it was on the cert SN.

    Cheers 🙂

  6. Rocky says:

    Thank you very much Doug. This helped me fix the issue I was experiencing in my lab.

  7. Magnus Göransson says:

    Thanks for this article, it helped me out tonight!

  8. Rapper says:

    You are a life saver! Thank you very much for posting. MS is still trying to "read" the logs until now.

    To get mine working (Exchange 2013/Lync 2013), I created my trusted app pool via Topology Builder using "multiple computer pool" as the type and added my mailbox servers' FQDNs. Added the trusted application, then published the topology. It is working now!

    Thanks again!

  9. DC says:

    Hi, Dodeitte,

    I am having an issue with Lync 2013: contacts are not in sync in OWA.
    I checked all the steps mentioned in your post to resolve this issue, still no luck.

  10. Chris says:

    Hi and thanks for the article.
    We got a problem creating a trusted app for an FQDN (=SN of certificate) Y01.secure.domain. Is the creation of the trusted pool/computer FQDN case sensitive? Because we created y01.secure.domain and the certificate shows Y01.secure.domain, and we always get the failure of unknown server.
