OCS 2007 users cannot communicate with LCS 2005 users

Posted on 2008-06-25
Last Modified: 2013-11-29
We have recently installed OCS 2007 on an additional machine to coexist with LCS 2005.  We have configured the OCS server, all services are running and users can log on.  The problem is that when we try to send messages to a user under LCS 2005, the messages cannot be sent.

When I view the logs I see this error:

Event ID: 14428    Source: OCS Protocol Stack

TLS outgoing connection failures.

Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "qcklcs01.kaisa.ramcar.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
Resolution:
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Can someone lend me some ideas on how to get through this problem?

Thanks in advance
Question by:snakeadelic
Accepted Solution

by:
gaanthony earned 200 total points
ID: 21879107
First, for LCS 2005 SP1 integration with OCS 2007 you need to have KB 911996 and 921543 applied to your LCS 2005 SP1 environment.  This is probably not your certificate issue though.

Need additional information about your environment.
Is LCS 2005 SP1 Standard Edition or Enterprise Edition?
Do you have any load balancers?
Is there an LCS Access Proxy?

Is OCS 2007 Standard Edition or Enterprise Edition?
Do you have a Director?
Are you using an Internal Root Certificate Authority, and are you using internal certificates for all the LCS and OCS internal certs?
Have you reviewed the OCS 2007 migration guide?
http://www.microsoft.com/downloads/details.aspx?FamilyID=20F67AFC-6AF5-4A03-99BF-4150DEF36457&displaylang=en

Does your OCS server have the Root Certificate and CA certificate chain?
Author Comment

by:snakeadelic
ID: 21880691
Hi gaanthony,

Thanks for the reply.  We have patched our LCS 2005 with KB 911996 and 921543.
The additional information you need is as follows:

Is LCS 2005 SP1 Standard Edition or Enterprise Edition?
Do you have any load balancers?   -  None
Is there an LCS Access Proxy?   -  None

Is OCS 2007 Standard Edition or Enterprise Edition?
Do you have a Director?   -  None
Are you using an Internal Root Certificate Authority, and are you using internal certificates for all the LCS and OCS internal certs?   -   Yes, we are using internal certificates (Windows CA) but using different certificates for LCS and OCS.  Are you suggesting applying the certificate we use in LCS to OCS?

Both servers have a certificate chain.

Hope to hear again from you.

Thanks
Assisted Solution

by:gaanthony
gaanthony earned 200 total points
ID: 21911549
I apologize for the delayed reply.  I didn't catch that there was a reply.  
I'm not suggesting that you apply the same certificate used in LCS to OCS as that would not work.
Both systems should have certificates issued from the same internal root certificate authority.
All server to server communication occurs over Mutual TLS (MTLS) on port 5061.  
Is qcklcs01.kaisa.ramcar.com the FQDN of the LCS Home server or the LCS Pool?  The certificate on LCS should have the pool FQDN as the Subject name, with the pool and server name listed in the Subject Alternate Name (SAN) of the certificate.  What is your SIP URI, and are you using automatic configuration for the clients?

Check your DNS also to make sure you are resolving to internal names/IPs and not external.
Author Comment

by:snakeadelic
ID: 21913263
I have a certificate applied to my LCS server that has a different subject name and FQDN, but I have created a DNS entry so that whenever a query is made for the subject name of the certificate it points to our LCS server.  All clients in the same domain as the LCS server use automatic configuration, whereas clients in different domains use a specific TCP address to log on.

Another thing I'm thinking is, when I installed my OCS 2007 the forest, schema and domains had already been prepped.  I think this is because I prepped them when I installed the LCS.  Do I have to unprep the forest to prep it again for OCS 2007?

Thanks a lot for your help.  It is highly appreciated.
Assisted Solution

by:jayca
jayca earned 50 total points
ID: 21920061
No, leave the schema alone - it should be fine, or it would not have allowed you to continue.

A simple test is to use LCSDIAG from the reskit for 2005 and check connectivity for TLS to the OCS server.  

Then check from the connectivity checker in OCS and test to LCS2005.  If it fails either way, then it is a cert issue.

The cert should look like this:

Certificate Information for LCS:
SN = LCSPool01.ADDomain.com
SAN1 = LCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = LCS01.ADDomain.com

Certificate Information for OCS:
SN = OCSPool01.ADDomain.com
SAN1 = OCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = OCS01.ADDomain.com

Verify your cert matches this or issue new and add, restart, then TLS check between servers.  Once complete and tested, you will be fine.

You do not need a Director - to test, manually point an LCS client to sign in to the OCS server and you will see it redirect to LCS and sign in.  You do want to get to a point where automatic config for clients points to the OCS pool and allows OCS to redirect to LCS as appropriate.
Author Comment

by:snakeadelic
ID: 21922294
Thanks for the reply.

I am not that good with certificates.  Must the certificates for LCS and OCS have multiple SANs?  And how can I obtain such a certificate?  I have searched the Microsoft website for instructions on how to add a SAN with my online CA and came up with these commands:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have run those commands on both my enterprise CA and its subordinate, and all ran successfully.  However, when I request a new certificate for my LCS to follow your advice, its properties still show no SAN.  Can you please help me with this.

Thanks for all your replies.
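As an added example (not from any of the posters here, and not a Microsoft-supplied script), the PowerShell below covers two points raised in the thread: it requests a certificate laid out like jayca's template, with the SAN carried inside the request itself, and then checks the installed certificate for the names MTLS needs. Putting the SAN in the request avoids the EDITF_ATTRIBUTESUBJECTALTNAME2 route, which only honours SAN values passed as submission attributes and does nothing for a certificate requested through the MMC wizard; the CA config string, the published WebServer template and the English-locale text of the SAN extension are assumptions.

```powershell
# Added example; names follow jayca's placeholders, CA config and template are assumed.
$PoolFqdn   = 'LCSPool01.ADDomain.com'
$ServerFqdn = 'LCS01.ADDomain.com'
$SipFqdn    = 'SIP.SIPDomain.com'
$CaConfig   = 'ca01.ADDomain.com\ADDomain-CA'   # placeholder; list real ones with: certutil -dump

# 1. Request file: subject = pool FQDN, SAN extension (OID 2.5.29.17) carries the
#    pool, SIP and server names, so the CA needs no EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
$inf = @"
[NewRequest]
Subject = "CN=$PoolFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$PoolFqdn&"
_continue_ = "dns=$SipFqdn&"
_continue_ = "dns=$ServerFqdn"
"@
Set-Content -Path .\lcs.inf -Value $inf -Encoding ASCII
certreq -new .\lcs.inf .\lcs.req
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' .\lcs.req .\lcs.cer
certreq -accept .\lcs.cer    # installs into LocalMachine\My and binds the private key

# 2. Verify: MTLS fails with 0x80090322 when the name the peer dialled is neither the
#    subject CN nor a DNS entry in the SAN, no matter what a DNS alias resolves to.
function Test-CertNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$Expected)
    $names = @($Cert.GetNameInfo('DnsName', $false))            # CN (or first DNS SAN)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {                                                  # one "DNS Name=host" per line
        $names += ($san.Format($true) -split "`r?`n" | Where-Object { $_ -match '=' } |
                   ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    foreach ($n in $Expected) {
        '{0,-32} {1}' -f $n, $(if ($names -contains $n) { 'present' } else { 'MISSING' })
    }
}
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$PoolFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
Test-CertNames -Cert $cert -Expected @($PoolFqdn, $SipFqdn, $ServerFqdn)
```

Run the check against the name the other server actually uses to connect (the host named in Event 14428) as well; a name reported MISSING there is exactly the "target principal name is incorrect" case.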
Assisted Solution

by:gaanthony
gaanthony earned 200 total points
ID: 21922384
Information for LCS 2005 certificates can be found at http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_8.mspx.
Applies to OCS 2007 as well or you can use the OCS 2007 Certificate wizard.
Author Comment

by:snakeadelic
ID: 21923023
Hi, I have followed the link to install a certificate on my LCS, but my problem is that when I try to request a new certificate my CA does not have a server authentication certificate template.  I checked my CAs and no template is available, even when I check for all certificates that can be deployed as a template.  Sorry if this sounds dumb.

Thanks for the help
Author Comment

by:snakeadelic
ID: 21924635
Hi gaanthony,

Good news! I have been able to solve this problem.  All along I was only changing the certificate of my LCS server on the Security tab (using the FQDN of my LCS server).  What I was not doing was also changing the certificate in the "General" tab, which LCS uses to communicate via MTLS.  Thanks for all your help, as well as jayca's.  I'll reward you both the points.
Author Closing Comment

by:snakeadelic
ID: 31470850
Thanks a lot for your help