Solved: Unity Connection 8.5 Single Inbox with Verisign Certificates

James Hawkins · ‎10-03-2011

Hi,

I am trying to connect CUC 8.5.1.12900-7 to Exchange 2010 using Basic authentication with SSL.

I am having problems when I get to the test user stage and think the problem may be caused by certificates.

To obtain the certificates that I have installed on CUC I got one of the users to connect to OWA and then exported the certificates associated with the connection and then loaded then onto CUC - is this the right way to do it? - there does not seem to be any documentation that covers this in detail.

Can anyone point me in the right direction or at least let me know how to troubleshoot the problem?

Thanks

Jonathan Schulenberg · ‎10-03-2011

You want to export the root CA certificate from OWA and import it to both the tomcat-trust and connection-trust stores. When I did this last week on 8.6(1)a I did not have to restart Tomcat although that has been required in the past. You can spot the root CA certificate by choosing the Certificate Path tab, selecting the highest certificate in the chain, opening it, select the Details tab, and click Copy to File. When you save it you will want the Base-64 encoded file and need to manually change the file extension from .CRT to .PEM.

Additionally, you can rule SSL out by unchecking the Validate Certificates for Exchange Servers checkbox. This will allow the SSL session even if the certificate fails validation.

Other issues I have seen:

The permissions granted to the Exchange user did not delegate to that user/mailstore or you accidentally missed a step.
The AutoDiscover folder in IIS is not allowing Basic authentication. The Exchange architect I worked with last week wouldn't enable this so I ended up using NTLM authentication instead since both EWS and AutoDiscover were allowing Integrated WIndows Auth.

View solution in original post

James Hawkins · ‎10-03-2011

Hi,

Just checked my config and found that Basic authentication was not enabled on Exchange EWS

Just for info the certificates that I got by getting a user to connect to OWA worked just fine - I got the idea from Michael Luo's excellent boo on Presence - thanks Mike

Jonathan Schulenberg · ‎10-03-2011

You want to export the root CA certificate from OWA and import it to both the tomcat-trust and connection-trust stores. When I did this last week on 8.6(1)a I did not have to restart Tomcat although that has been required in the past. You can spot the root CA certificate by choosing the Certificate Path tab, selecting the highest certificate in the chain, opening it, select the Details tab, and click Copy to File. When you save it you will want the Base-64 encoded file and need to manually change the file extension from .CRT to .PEM.

Additionally, you can rule SSL out by unchecking the Validate Certificates for Exchange Servers checkbox. This will allow the SSL session even if the certificate fails validation.

Other issues I have seen:

The permissions granted to the Exchange user did not delegate to that user/mailstore or you accidentally missed a step.
The AutoDiscover folder in IIS is not allowing Basic authentication. The Exchange architect I worked with last week wouldn't enable this so I ended up using NTLM authentication instead since both EWS and AutoDiscover were allowing Integrated WIndows Auth.

James Hawkins · ‎10-03-2011

Hi Jonathan,

Thanks for your response - really useful information.

Is there any way of verifying that my setup is using SSL?