Skype for Business Server 2019 IM Integration with Exchange Server 2019

I am having difficulty getting the IM/Presence integration to work between my on-prem Skype for Business 2019 Server and my Exchange 2019 Server.

I believe I am having a certificate trust issue. On important note is that my internal domain is domain.local and the external is domain.com. So, my public wildcard certificate is for *.domain.com.

When I look at the certificates on the exchange server, there is another certificate that is assigned to IIS issued by the local certificate authority which protects domain.local. I have tried a variety of combinations using either the local certificate with the domain.local name of the servers as well as the public wildcard certificate thumbprint and the dns a record with domain.com that points to each server. None of these combinations seem to work for me.

I have run these commands on the SfB Server:

New-CsTrustedApplicationPool -Identity exchangeserver.domain.local -Registrar sfbserver.domainlocal -Site "My Site" -RequiresReplication $False

New-CsTrustedApplication -ApplicationId OutlookWebApp -TrustedApplicationPoolFqdn exchangeserver.domain.local -Port 5199

I have run these commands on the Exchange Server:

New-SettingOverride -Name "IM Override" -Component OwaServer -Section IMSettings -Parameters @("IMServerName=sfbserver.domain.local","IMCertificateThumbprint=mycertificatethumbprint") -Reason "Configure IM"

Get-ExchangeDiagnosticInfo -Server EXCHANGESERVER -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart-WebAppPool MSExchangeOWAAppPool

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $True -InstantMessagingType OCS

When I check the instant messaging logs on the Exchange Server I see the following:

If I try to use the domain.com name and the wildcard certificate I get this error:

ERROR:InstantMessageOCSProvider.GenerateInstantMessageUnavailablePayload. Context: User=email address removed for privacy reasons, Sip address=sip:email address removed for privacy reasons, Lyncserver=sfbserver.domain.local. endPoint: Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint, MethodName: InstantMessageOCSProvider.SignInCallback, InstantMessageServiceError: SipEndpointConnectionFailure, Exception: UCWEB Failure: Code=TlsFailure, SubCode=TlsIncorrectNameInRemoteCertificate, Reason=\r\nMicrosoft.Rtc.Internal.UCWeb.Utilities.UCWException: The target principal name is incorrect ---> Microsoft.Rtc.Signaling.TlsFailureException: The target principal name is incorrect ---> Microsoft.Rtc.Internal.Sip.TLSException: outgoing TLS negotiation failed; HRESULT=-2146893022\r\n at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.HandleNegotiationFailure(Int32 status, Boolean incoming)\r\n at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.OutgoingTlsNegotiation(TransportsDataBuffer receivedData, TransportsDataBuffer& pDataToSend)\r\n at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.NegotiateConnection(TransportsDataBuffer receivedData, TransportsDataBuffer& pDataToSend)\r\n at Microsoft.Rtc.Internal.Sip.TlsTransport.DelegateNegotiation(TransportsDataBuffer receivedData)\r\n at Microsoft.Rtc.Internal.Sip.TlsTransport.OnReceived(Object data)\r\n --- End of inner exception stack trace ---\r\n at Microsoft.Rtc.Signaling.SipAsyncResult`1.ThrowIfFailed()\r\n at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)\r\n at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.OotyUserEndpointEstablish_callback(IAsyncResult asyncResult)\r\n --- End of inner exception stack trace ---\r\n at Microsoft.Rtc.Internal.UCWeb.Utilities.AsyncHelper.EndAsyncCall[T](IAsyncResult asyncResult, String methodName, T ucwScopeInstance)\r\n at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.EndSignIn(IAsyncResult asyncResult)\r\n at Microsoft.Exchange.Clients.Owa2.Server.Core.InstantMessageOCSProvider.<>c__DisplayClass89_0.<SignInCallback>b__0(RequestDetailsLogger logger)",

When I use the internal domain.local server name and the certificate issued by the local certificate authority, I see:

2024-02-25T14:36:21.783Z,19,5,,,,0,"DEBUG:InstantMessageOCSProvider.SignInCallback. Ignoring exception after the connection is closed: Context User=email address removed for privacy reasons, Sip address=sip:email address removed for privacy reasons, Lyncserver=sfbserver.domain.local, Exception: UCWEB Failure: Code=TlsFailure, SubCode=TlsRemoteDisconnected, Reason=\r\nMicrosoft.Rtc.Internal.UCWeb.Utilities.UCWException: Unknown error (0x80131500) ---> Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500) ---> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Peer disconnected while outbound capabilities negotiation was in progress ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host\r\n at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)\r\n at Microsoft.Rtc.Internal.Sip.TcpTransport.OnReceived(Object arg)\r\n --- End of inner exception stack trace ---\r\n --- End of inner exception stack trace ---\r\n at Microsoft.Rtc.Signaling.SipAsyncResult`1.ThrowIfFailed()\r\n at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)\r\n at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.OotyUserEndpointEstablish_callback(IAsyncResult asyncResult)\r\n --- End of inner exception stack trace ---\r\n at Microsoft.Rtc.Internal.UCWeb.Utilities.AsyncHelper.EndAsyncCall[T](IAsyncResult asyncResult, String methodName, T ucwScopeInstance)\r\n at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.EndSignIn(IAsyncResult asyncResult)\r\n at Microsoft.Exchange.Clients.Owa2.Server.Core.InstantMessageOCSProvider.<>c__DisplayClass89_0.<SignInCallback>b__0(RequestDetailsLogger logger)",