Partilhar via

Configuring Office Web Apps Server communication using HTTPS

  • Artigo

     Hi all :

     Office Web Apps Server can communicate with SharePoint 2013, Lync Server 2013, and Exchange Server 2013 by using the HTTPS protocol. In production environments, we strongly recommend that you use HTTPS. In test environments that contain no user data, you can use HTTP for SharePoint 2013 and Exchange Server 2013 and skip the certificate requirement. Lync Server 2013 supports only HTTPS.

Certificates that are used by Office Web Apps Server must meet the following requirements:

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)

  • The certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

  • The Friendly name field must be unique within the Trusted Root Certificate Authorities store. If you have multiple certificates that share a Friendly Name field, farm creation will fail because the New-OfficeWebAppsFarm cmdlet will not know which of those certificates to use.

  • The FQDN in the SAN field must not begin with an asterisk (*).

  • The certificate properties and extensions do not matter. For example, customers have asked us whether Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are required. Office Web Apps Server requires no particular certificate property or extension.

 

     When you installed Office Web Apps Server, you need to request a valid certificate. Now I will to show how to request a OWA certificate.

     1. Logon to ADCS server, open the Certificate Template Console, right-click Web Server and click Duplicate Template :

     2. Enter a Template name , and select Allow private key to be exported :

      3. Click OK to create it, then issue this template:

     4. Logon to Office Web Apps Server, open the Certsrv website :

      5. Click Request a certificate --- advanced certificate request --- Create and submit a request to this CA --- Advanced Certificate Request page , select just created template and enter a certificate name and a Friendly Name :

         6.Click Submit> , then click Install this certificate on the Certificate Issued page:

       7. Then use New-OfficeWebAppsFarm cmdlet to create the Office Web Apps Server farm by HTTPS:

     Note : The URL that you specify for -InternalURL is the FQDN name of the server that runs Office Web Apps Server. The URL that you specify for –ExternalURLis the FQDN name that can be accessed on the Internet. You must specify the friendly name of the certificate by using the –CertificateName parameter. The –EditingEnabled parameter is optional and enables editing in Office Web Apps when it is used together with SharePoint 2013. The –EditingEnabled parameter is not used by Lync Server 2013 or Exchange Server 2013 because those hosts do not support editing.

      8. Last , access https://server.contoso.com/hosting/discovery to verify that the OWA server farm was created successfully, if Office Web Apps Server works as expected, you should see a Web app Open Platform Interface (WOPI)-discovery XML file in your web browser :

 

 

         Enjoy!

         Justin Gao

         Microsoft (China)

Comments

  • Anonymous
    January 01, 2003
    Hi Fabian:When you issued new certificate template, you need to restart OS make sure you can see it.
  • Anonymous
    January 01, 2003
    Hi BiggJake :
    The first question is Yes, supported. The second is OK.
    For Lync certificate more information, please refer : http://technet.microsoft.com/en-us/library/gg425950.aspx
  • Anonymous
    January 01, 2003
    Hi Chet:Yes. :)
  • Anonymous
    January 01, 2003
    I am being asked if we can combine the external WAC farm fqdn on the Lync Edge server certificate (FROM external CA) as a SAN and use it on the external side of the RP for the WAC. Is this supported?
    Also, my internal cert for the internal HLB as well as the 2 WAC servers and Farm are from an internal CA, is this ok? (internal cert has the Farm FQDN as subject and the server names as SANs.
  • Anonymous
    January 01, 2003
    Show
  • Anonymous
    January 24, 2014
    Hi, I'm trying to configure https for OWA, I've followed your "how to" but I can't request the new certificate based on the template I've copied before, I can see the template on the CA but when I go to the website (certsrv) it doesn't appear on the list, I can only see the default ones. By the way, my CA is a 2008 R2 edition. Hope you can help me solve this.Kind regards!
  • Anonymous
    January 28, 2014
    Hi Justin,You specified that •The FQDN in the SAN field must not begin with an asterisk (). Does that mean I cannot use an already owned wildcard certificate which I have also used for our SharePoint 2013 environment - eg ".contoso.com" ?ThanksChet
  • Anonymous
    August 04, 2014
    very nice post liked reading it got very effective information thanks for sharing details on virtual assistant visithttp://www.ivrguru.com for virtual assistant
  • Anonymous
    September 25, 2014
    Microsoft Web Apps Server 2013 now supports wildcard. *.company.com is working fine now and without problems in our deployment.
  • Anonymous
    October 03, 2014
    Erkko Valja: How did you get the wildcard cert to work? Every time I try to setup the farm using *.domain.com power shell tells me that it was "unable to find the specified certificate".

    This is the command I'm running:

    New-OfficeWebAppsFarm -InternalUrl "https://server.domain.com" -ExternalUrl "https://owaps.domain.com" -EditingEnabled -CertificateName *.domain.com
  • Anonymous
    October 03, 2014
    Hi Wayne,

    The -CertificateName switch needs the Friendly Name of the certificate. If you're not sure what this is for your certificate, open the Certificates snapin in mmc (you can run certlm.msc to get there). Open Personal, then Certificates. Find your certificate, right click, select properties. The General tab will show the Friendly Name. You can also change the Friendly Name here.

    Make sure the Friendly Name is unique on this server. If you have multiple servers in a pool, make sure that the Friendly Name is the same across all the servers.

    cheers,
    Torren
  • Anonymous
    December 27, 2014
    Wilcard certs doesn't work after last update for WAC :(
  • Anonymous
    November 12, 2015
    Great post from your hands again. I loved the complete article.
    By the way nice writing style you have. I never felt like boring while reading this article.
    I will come back & read all your posts soon. Regards, Lucy.
  • Anonymous
    December 18, 2015
    The comment has been removed
  • Anonymous
    December 19, 2015
    Hi Aloysius:
    You need to use different public IP address.