0

I'm currently in the process of setting up a SP2016 test environment (although it will be exactly the same as production), using HTTPS for the sites and Office Online Server for document editing/creation in the browser.

In my test environment, I'm using AD Certificate Services to create the certificates; however, in production these will be paid-for certificates from a 3rd party such as GoDaddy.

The environment is as follows:

  • TEST-DC
  • TEST-SQL
  • TEST-SP
  • TEST-OOS

All servers are running Windows Server 2012 R2 Standard. The DC is the server which also holds the CA role and the SQL, SP and OOS have the root certificate of the CA put into the Trusted Root Certification Authorities via GPO.

I have created web applications and sites and those work fine using HTTPS. My issue is with Office Web Apps.

I have three certificates issued (intranet.company.com, mysite.intranet.company.com and oos.company.com) by the root CA and they work fine. I have imported the OOS cert into IIS on the OOS server and it seems fine. I can browse to the OOS server from another server by going to https://oos.company.com/hosting/discovery and it loads the XML without issue.

The PowerShell I used to create the Office Web Apps farm is:

New-OfficeWebAppsFarm -Verbose -InternalURL "https://oos.company.com" -ExternalURL "https://oos.company.com" -CertificateName "OOS Certificate" -ClipArtEnabled -TranslationEnable 

The 'OOS Certificate' is the friendly name of the cert which is signed by the root CA with the CN of "oos.company.com"

This works fine and the farm is created. When I try to bind SP to the Office Web Apps farm is where things go askew.

I run the following PS from the SP server in SP Management Shell and get the following error:

    New-SPWOPIBinding -ServerName oos.company.com
    WARNING: The server did not respond. Trying again (attempt 1 of 5).
    WARNING: The server did not respond. Trying again (attempt 2 of 5).
    WARNING: The server did not respond. Trying again (attempt 3 of 5).
    WARNING: The server did not respond. Trying again (attempt 4 of 5).
    WARNING: The server did not respond. Trying again (attempt 5 of 5).
    New-SPWOPIBinding : Sorry, we have encountered an error and New-SPWOPIBinding has failed. If you are using a server configured with HTTP, you must include the -AllowHTTP parameter.
    At line:1 char:1
    + New-SPWOPIBinding -ServerName oos.company.com

I've run ULS Viewer as it runs this command and I can see the following error, which I believe is why it's failing (shouldn't it be getting the HTTPS response?).

    LoadDiscoveryXMLFromAddress getting HTTP response failed
    LoadDiscoveryXMLFromAddress: End [result=NoWebResponse, elapsed time (ms)=54]

This error occurs five times and has the category as WOPI. I've tried browsing to the OOS server via HTTP to hosting/discovery and of course this fails, as I have configured it to use HTTPS.

I have run Get-SPWOPIZone and it reports back with "internal-https". I've also tried changing this to "external-https" however it fails with the same error and same ULS log. I do not get any certificate error when browsing on HTTPS to hosting/discovery from the SP server.

Does anyone have any idea why it won't do as it's told? Google is failing and I have been following the TechNet documentation to the letter.

EDIT Output of Get-OfficeWebAppsFarm:

    FarmOU                                      :
    InternalURL                                 :
    ExternalURL                                 : https://oos.company.com/
    AllowHTTP                                   : False
    AllowOutboundHttp                           : False
    SSLOffloaded                                : False
    CertificateName                             : OOS Certificate
    S2SCertificateName                          :
    EditingEnabled                              : False
    LogLocation                                 : C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
    LogRetentionInDays                          : 7
    LogVerbosity                                :
    Proxy                                       :
    CacheLocation                               : C:\ProgramData\Microsoft\OfficeWebApps\Working\d
    MaxMemoryCacheSizeInMB                      : 75
    DocumentInfoCacheSize                       : 5000
    CacheSizeInGB                               : 15
    ClipartEnabled                              : True
    TranslationEnabled                          : True
    MaxTranslationCharacterCount                : 125000
    TranslationServiceAppId                     :
    TranslationServiceAddress                   :
    RenderingLocalCacheLocation                 : C:\ProgramData\Microsoft\OfficeWebApps\Working\waccache
    RecycleActiveProcessCount                   : 5
    AllowCEIP                                   : False
    ExcelRequestDurationMax                     : 300
    ExcelSessionTimeout                         : 450
    ExcelWorkbookSizeMax                        : 10
    ExcelPrivateBytesMax                        : -1
    ExcelConnectionLifetime                     : 1800
    ExcelExternalDataCacheLifetime              : 300
    ExcelAllowExternalData                      : True
    ExcelUseEffectiveUserName                   : False
    ExcelWarnOnDataRefresh                      : True
    ExcelUdfsAllowed                            : False
    ExcelMemoryCacheThreshold                   : 90
    ExcelUnusedObjectAgeMax                     : -1
    ExcelCachingUnusedFiles                     : True
    ExcelAbortOnRefreshOnOpenFail               : True
    ExcelAutomaticVolatileFunctionCacheLifeTime : 300
    ExcelConcurrentDataRequestsPerSessionMax    : 5
    ExcelDefaultWorkbookCalcMode                : File
    ExcelRestExternalDataEnabled                : True
    ExcelChartAndImageSizeMax                   : 1
    OpenFromUrlEnabled                          : False
    OpenFromUncEnabled                          : True
    OpenFromUrlThrottlingEnabled                : True
    PicturePasteDisabled                        : True
    RemovePersonalInformationFromLogs           : False
    AllowHttpSecureStoreConnections             : False
    Machines                                    : {TEST-OOS}

Output of Get-OfficeWebAppsHost:

    allowList
    ---------
    {}
10
  • Can you provide the full output of Get-OfficeWebAppsFarm and Get-OfficeWebAppsHost. Edit your post with these details. Commented May 9, 2016 at 18:13
  • Edited to include the info :) Commented May 9, 2016 at 18:23
  • I have just noticed something. On the OOS server in System logs. Every time I run the New-SPWOPIBinding -ServerName oos.company.com from the SP server, I get a large amount of Schannel errors appear. The two that re-occur are: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The windows schannel error state is 1205. " and 1/2 Commented May 9, 2016 at 18:45
  • 2/2 "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed." Commented May 9, 2016 at 18:45
  • If you're using TLS 1.2 on SharePoint, make sure you've made the appropriate registry edits on OOS (and WFM should you deploy it). thesharepointfarm.com/2016/04/… Commented May 9, 2016 at 18:46

2 Answers

0

Remove the -InternalUrl from your OOS farm and try again. If the SharePoint farm does not trust the OOS certificate, make sure it is in the SharePoint Central Admin 'Manage Trust'.

4
  • Tried both, no luck. Added OOS cert to SP Central Admin and also created the new farm without the internal url. Any other ideas? I've also tried turning the firewall off on both SP and OOS server. Commented May 8, 2016 at 21:00
  • Do you have any idea what else to try? Commented May 9, 2016 at 17:56
  • Can you browse SharePoint from the OOS server? Certs need to be good in both directions. Commented May 9, 2016 at 17:58
  • Yep. It's not in the trusted sites, so I do get the prompt for credentials. However it loads fine with no SSL error. I'll try adding to trusted sites and see if that helps. EDIT: Added to local intranet zone and it still didn't work :( Commented May 9, 2016 at 18:03
0

I ran into the same issue. Make sure the certificate you have includes the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. Also try giving the fully qualified server name for the internal URL.

-Chand

1
  • Thanks for the response Chand, however the issue turned out to be that my internal CA had issued the cert for the office online server using SHA512, which isn't supported by TLS 1.2. That's why it was failing and causing the Schannel errors. Changing the certificates to SHA256 fixed the issue. Commented Apr 10, 2017 at 20:12
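
Added example, not part of the original thread or of either answer: a PowerShell check for the two certificate properties the thread ends up pointing at (SAN contents and signature hash), plus a handshake test pinned to TLS 1.2, the protocol named in the Schannel event. The function names `Get-CertSummary` and `Test-Tls12Handshake` are hypothetical; the friendly name and host name are the ones used in the question.

```powershell
# Added example; function names are hypothetical, not SharePoint/OOS cmdlets.
# Run Get-CertSummary on the OOS server, Test-Tls12Handshake on the SharePoint server.

function Get-CertSummary {
    param([Parameter(Mandatory)][string]$FriendlyName)
    # Find the certificate that New-OfficeWebAppsFarm references via -CertificateName.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        ForEach-Object {
            # OID 2.5.29.17 is the Subject Alternative Name extension.
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            [pscustomobject]@{
                Subject            = $_.Subject
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA, sha512RSA
                SubjectAltNames    = if ($san) { $san.Format($false) } else { '(none)' }
                NotAfter           = $_.NotAfter
                HasPrivateKey      = $_.HasPrivateKey
            }
        }
}

function Test-Tls12Handshake {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    $result = [ordered]@{ Host = $HostName; Success = $false; Protocol = $null
                          SignatureAlgorithm = $null; Error = $null }
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer TLS 1.2 only, so the result reflects that protocol and nothing older.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        $result.Success            = $true
        $result.Protocol           = $ssl.SslProtocol
        $result.SignatureAlgorithm = $remote.SignatureAlgorithm.FriendlyName
    } catch {
        # Handshake alerts and certificate validation failures both land here.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Get-CertSummary -FriendlyName 'OOS Certificate'
# Test-Tls12Handshake -HostName 'oos.company.com'
```

A `Success` of `False` from the SharePoint server alongside new Schannel events on the OOS server reproduces the failure without touching the WOPI binding; after reissuing the certificate, the same call should report `Tls12` and the new signature algorithm.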
