Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
Troubleshooting Exchange Calendaring Integrations
Downloads: This chapterpdf (PDF - 1.48MB) The complete bookPDF (PDF - 2.99MB) | Feedback

Troubleshooting Exchange Calendaring Integrations

Troubleshooting Exchange Calendaring Integrations

Troubleshooting Exchange Server Connection Status

Exchange Server connection status displays under the Cisco Unified CM IM and Presence Administration window after you configure the Exchange Presence Gateway for either a WebDAV or Exchange Web Services (EWS) calendaring integration (choose Presence > Gateways). The Exchange Server Status area in the Presence Gateway Configuration window reports the status on the connection between the IM and Presence Service and the Exchange Server.


Note


You can add, update or delete one or more EWS servers with no maximum limit. However, the Exchange Server Status area in the Presence Gateway Configuration window is designed to only verify and report status of the first 10 EWS servers that you configure.


.

Test

Status Description and Recommended Action

Exchange Reachability (pingable)

The IM and Presence Service successfully reached (pinged) the Exchange Server.

Exchange Reachability (unreachable)

The IM and Presence Service failed to ping the Exchange Server. The server may not be reachable due to an incorrect field value or an issue with the customer's network, for example, cabling.

To resolve this, ensure that the Presence Gateway field contains the correct value (FQDN or IP address) to reach the Exchange Server over the network. Note that the UI does not require the Presence Gateway field value to be the Subject CN value.

If you have connection problems with the Exchange Server, also see the System Troubleshooter in Cisco Unified CM IM and Presence Administration and implement the recommended solution. Choose Diagnostics > System Troubleshooter.

Troubleshooting SSL Connection/Certificate Status

SSL Connection/Certificate Verification status displays in Cisco Unified CM IM and Presence Administration window when you configure the Exchange Presence Gateway for a either a WebDAV or Exchange Web Services (EWS) calendaring integration (choose Presence > Gateways). The Exchange Server Status area in the Presence Gateway Configuration window indicates if there is a certificate Subject CN mismatch or a SAN mismatch.


Note


You can add, update or delete one or more EWS servers with no maximum limit. However, the Troubleshooter on the Presence Gateway window is designed to only verify and report status of the first 10 EWS servers that you configure.


Test

Status Description and Recommended Action

SSL Connection/Certificate Verification - Verified

The IM and Presence Service verified the SSL connection with the Exchange Server. Click View for the certificate details.

SSL Connection/Certificate Verification Failed - Certificate Missing From Chain

Note   

These instructions describe the view of the customized Certificate Import Tool. If you are simply verifying connection status, the tool indicates the verified status but you do not have the option to Save.

One or more certificates that the IM and Presence Service requires to establish a secure connection to the Exchange Server are missing. The Certificate Viewer can provide details of the missing certificates.

Complete these steps in the Certificate Viewer to display any missing certificates:

  1. Chose Configure to open the Certificate Viewer.
  2. Check the Accept Certificate Chain check box .
  3. Click Save.
  4. The certificate chain details display. Note any certificates with a status of Missing.
  5. Close the Certificate Viewer.

To complete the certificate chain, you must:

  1. Download the missing certificates files from the Exchange Server.
  2. Copy or FTP the missing certificate files to the computer that you use to administer the IM and Presence Service.
  3. Use Cisco Unified IM and Presence OS Administration to upload any of the required missing certificates.

Troubleshooting Tips

  • If the certificates are not available in the Certificate Viewer, you may need to manually download and install the missing certificates from the Exchange Server, and upload these certificates in Cisco Unified IM and Presence OS Administration as follows:
    • Log in to the Cisco Unified IM and Presence OS Administration and user interface and upload certificates to complete the certificate chain.
    • Return to the Presence Gateway Configuration window under the Cisco Unified CM IM and Presence Administration user interface, reopen the Certificate Viewer, and verify that all certificates in the certificate chain now have a status of Verified.
  • You must restart the Cisco Presence Engine after you upload Exchange trust certificates.
  • Log in to Cisco Unified IM and Presence Serviceability user interface.
  • Choose Tools > Service Activation. Note that this can affect Calendaring connectivity.
  • Choose either Configure or View to launch the Certificate Chain Viewer where you can view the details of the certificate chain. The Configure button displays if there are any issues with the certificate chain that the IM and Presence Service downloads from the Exchange Server - for example, the missing certificates scenario described above. Once you successfully import and verify the certificate chain, the SSL Connection / Certificate Verification status updates to Verified and the View button replaces Configure.

SSL Connection/Certificate Verification Failed- Subject CN Mismatch

The Presence Gateway field value must match the Subject CN value of the leaf certificate in the Certificate Chain. You can resolve this by entering the correct value in the Presence Gateway field.

Verify that your entry in the Presence Gateway field is correct as follows:

  1. Re-enter the correct Subject CN value in the Presence Gateway field. The IM and Presence Service uses the Presence Gateway field value to ping the server. The host (FQDN or IP address) that you enter must exactly match the IIS certificate Subject Common Name.
  2. Click Save.
Tip   

Choose either Configure or View to launch the Certificate Chain Viewer where you can view the details of the certificate chain. The Configure button displays if there are any issues with the certificate chain downloaded from the Exchange Server - for example, the missing certificates scenario described above. Once you successfully import and verify the certificate chain, the SSL Connection / Certificate Verification status updates to Verified and the View button replaces Configure.

SSL Connection/Certificate Verification Failed - SAN Mismatch

The Presence Gateway field value must match one of the Subject Alternative Name (SAN) values of the leaf certificate in the Certificate Chain. You can resolve this by entering the correct value in the Presence Gateway field.

Verify that your entry in the Presence Gateway field is correct as follows:

  1. Re-enter the correct SAN value in the Presence Gateway field. The IM and Presence Service uses the Presence Gateway field value to ping the server. The host (FQDN or IP address) that you enter must exactly match one of the entries in the certificate Subject Alternative Name.
  2. Click Save.
Tip   

Choose either Configure or View to launch the Certificate Chain Viewer where you can view the details of the certificate chain. The Configure button displays if there are any issues with the certificate chain downloaded from the Exchange Server - for example, the missing certificates scenario described above. Once you successfully import and verify the certificate chain, the SSL Connection / Certificate Verification status updates to Verified and the View button replaces Configure.

SSL Connection/Certificate Verification Failed - Bad Certificates

Information in the certificate is incorrect, which renders it invalid.

Typically, this occurs if the certificate matches the required Subject CN but not the public key. This could happen if the Exchange Server regenerates the certificate but the IM and Presence Service node still maintains the old certificate.

To resolve this, complete these actions:

  • Choose the logs to determine the cause of the error.
  • If the error is due to a bad signature, you need to remove the outdated certificate from the IM and Presence Service in Cisco Unified IM and Presence OS Administration, and then upload a new certificate in Cisco Unified IM and Presence OS Administration.
  • If the error is due to an unsupported algorithm, you need to upload a new certificate that contains the supported algorithm in Cisco Unified IM and Presence OS Administration.

SSL Connection / Certificate Verification Failed - Network Error

Due to network issues, for example, a no-response timeout, the IM and Presence Service cannot verify the SSL connection.

We recommend that you verify the network connectivity to the Exchange Server, and ensure that the Exchange Server is accepting connections using the correct IP address and port number.

SSL Connection/Certificate Verification Failed

Verification failed for a non-specific reason or because the IM and Presence Service cannot perform the reachability test.

We recommend that you review the debug log files for more information.

Troubleshooting Account Name and Password


Note


  • Impersonation Account Name and Password Validation is performed only for EWS integrations.
  • If the Impersonation Account does not have a mailbox configured, the Exchange Server Status area in the Presence Gateway Configuration window reports a message stating that the test was not run.

Test

Status Description and Recommended Action

Account Name and Password Validation (authenticated)

The IM and Presence Service successfully authenticated the impersonation account name and password.

Account Name and Password Validation (failed)

The IM and Presence Service failed to validate the configured impersonation account.

To resolve this, ensure that the account name and password match that of the impersonation user configured on the Exchange Server.

Issues Known to Impact Microsoft Exchange Integrations

This section describes known issues that are common or specific to Microsoft Exchange Server 2003, 2007, and 2010.

Scale Limitations for Calendar Integrations

Cisco Unified Communications Manager IM and Presence Service and Exchange calendaring integrations have been validated with up to X% of the users subscribing to calendar presence and with up to Y% of the users doing simultaneous calendar transitions (for example, joining or leaving meetings simultaneously). See Table 1 for percentage values pertaining to specific releases of Cisco Unified Presence.

Table 1 Scale Limitations for Specific Cisco Unified Presence Releases

Software Release

% of Users Subscribing to Calendar Presence

% of Users Performing Simultaneous Calendar Transitions

8.5(1)

50

30

8.5(2) and later

100

50

Calendar State Does Not Update if a User Moves Between Microsoft Exchange Servers

Problem

If an Exchange administrator moves a user from one Exchange Server to another in an Exchange integration, the calendaring state change does not update for that user.

Cause

The condition occurs because the Exchange Server does not signal when a user is moved from one server to another.

Solution

The IM and Presence Service administrator or user must disable and then reenable calendar integration for that user after the Exchange administrator has moved the user from one Exchange Server to another.

LDAP User Removal Takes at Least 24 Hours to Replicate on the IM and Presence Service

Problem

If a user is deleted from LDAP, the user state changes to Inactive on Cisco Unified Communications Manager and user authentication on client applications subsequently fails. However, it has been observed during testing that once Cisco Unified Communications Manager synchronizes the change from LDAP, the user is not removed for 24 hours after the synchronization occurred (either by the Administrator forcing the synchronization or scheduling it to occur at a specific time).

The Cisco Sync Agent on the IM and Presence Service does not synchronize any user state change until the user is removed. Until then, that user still exists on Cisco Unified Communications Manager and all IM and Presence Service capabilities (including Exchange calendaring subscriptions) remain licensed for that user for 24 hours. This delay means that users who were logged in to Cisco Jabber before the user was removed from LDAP are not logged out automatically. The user’s pre-existing calendar state (Available, Busy) persists for that user on the IM and Presence Service until the user logs out of the client.

Cause

The condition occurs when Cisco Unified Communications Manager is set up and LDAP authentication is used. When a user is deleted from LDAP, calendaring subscriptions continue to be established and updated for that user on the IM and Presence Service for a period of at least 24 hours.

Solution

If a user is removed from LDAP, you can manually remove the license for that user so that the IM and Presence Service ends the Exchange calendaring subscriptions with immediate effect and logs the user out of the client application. Otherwise, be aware that there may be a 24 hour delay.

Localization Caveat with WebDAV Calendar Integrations

Problem

If you set the default language (English) on the user's Exchange Mailbox when a different language/locale is installed on Cisco Unified Communications Manager, the Exchange Server maintains the default calendar name (in English) and you cannot change the language/locale for that user. A 404 error returns for calendaring subscriptions.

Cause

This condition only occurs in localized Exchange 2003 and 2007 integrations over WebDAV. The issue does not affect Exchange Web Services (EWS) integrations.

Solution

  • To prevent this issue occurring, we recommend that you set languages correctly during the Exchange setup. Install the appropriate language/locale on Cisco Unified Communications Manager and select the appropriate language/locale on the Exchange Server the first time the user logs in.
  • If the language on the user's Exchange Mailbox is set to English when a different language/locale is installed on Cisco Unified Communications Manager, you must switch the language/locale on Cisco Unified Communications Manager back to English for that user. To do this, see Setting User Locales for Multilingual Calendar Integration.

Verifying that the Microsoft Exchange Server URL Contains the Localized Word for Calendar

If you are localizing your Calendaring integration, verify that the Exchange Server URL contains the localized word for Calendar.

Procedure
    Step 1   Install the same language locales (load the locale installer) on both the IM and Presence Service and Cisco Unified Communications Manager. For more information about installing locales on the IM and Presence Service, see [Optional] Configuration of Multilingual Support for Calendar Integration.
    Step 2   Restart the IM and Presence Service node, and log in to the Cisco Unified CM IM and Presence Administration user interface.
    Step 3   Find and delete the existing Exchange Presence Gateway that supports a different locale for calendaring (choose Presence > Gateways).
    Step 4   Add a new Exchange Presence (Outlook) Gateway. Click Add New.
    Step 5   Verify in the database (pebackendgateway table) that the 'localecalendarname' attribute is in whichever language locale you have installed.
    Step 6   Ensure the user locale is set after the locale is installed on both the IM and Presence Service and toggling the user locale on the Cisco Unified Communications Manager, if necessary.

    Applying Microsoft HotFix KB841561

    Note that this issue is specific to Microsoft Exchange Server 2003. Apply Microsoft HotFix KB841561 if you encounter problems with Exchange 2003 and it returns a "500 Internal Server Error”.

    Procedure
      Step 1   Uninstall SP2 for Windows Server 2003 and for Exchange 2003.
      Step 2   Install SP1 for Windows Server 2003 and Exchange 2003.
      Step 3   Download and install KB841561 from the following URL: http:/​/​www.microsoft.com/​downloads/​details.aspx?familyid=050be883-11fc-4045-b988-c737e79c65d0&displaylang=en
      Step 4   Install SP2 for Windows Server 2003 and for Exchange 2003.

      Fixing the “HTTP 503 Service Unavailable” Error from Microsoft Exchange 2007


      Note


      This issue only affects Exchange 2007.

      Problem

      Since Exchange 2007, Microsoft changed the Outlook Web Access (OWA) URL from /exchange to /owa, which is the virtual directory that OWA uses to access mailboxes on Exchange 2007 mailbox servers. However, the IM and Presence Service always sends SUSCRIBE requests to the /exchange virtual directory, which is the URL that is still used for WebDAV integration with Exchange 2007. During testing with Exchange Server 2007 (SP1), it was observed that if you change the http://server/exchange URL to redirect to http://server/owa URL, an error (HTTP 503 Service Unavailable) displays on the Internet Information Services (IIS) Manager console in Exchange 2007.

      Cause

      The condition occurs when Exchange 2007 SP1 is in use, and the Exchange virtual directory target address is modified to redirect to the default OWA directory for webmail.

      Solution

      If the “503 Service Unavailable" error message displays, perform the following steps:

      Procedure
        Step 1   From Administrative Tools, open Internet Information Services.
        Step 2   Delete the Exchange virtual directory in IIS.
        Step 3   Review the warning, and run the recommended cmdlet in the Exchange Management Shell (EMS):
        Step 4   Run this cmdlet in the EMS to ensure that the Exchange virtual directory is set up correctly and to add the directory again in IIS.

        SyntaxNew-OwaVirtualDirectory -name exchange -OWAVersion Exchange2003or2000 -VirtualDirectoryType mailboxes

        Step 5   Wait for the Exchange Server to populate the virtual directory into IIS.
        Step 6   Restart the IIS.
        Step 7   Test your http://server/exchange/user_email_address/calendar URL, using the full target address for example, http://mail.contoso.com/exchange/user@contoso.com/calendar
        Step 8   Ensure that you are prompted for a username and password. This indicates that WebDAV is enabled and configured correctly on the virtual directory. Enter your Active Directory credentials.
        Step 9   Check the IIS logs that display for the IM and Presence Service.
        Step 10   If the logs indicate that there is a 401 authentication issue, add the domain to authenticate access.
        Step 11   Restart the IIS.
        Step 12   Log in to the Cisco Unified IM and Presence Serviceability user interface.
        Step 13   Choose Tools > Service Activation and restart the Cisco Presence Engine.
        Step 14   Check the IIS logs again and verify that the SUBSCRIBE messages are present and correct for your calendar.
        Tip   

        This procedure also applies to Apple MAC users who require WebDAV to view their emails using Microsoft Entourage 2008.