Solved

OCS 2007 users cannot communicate with LCS 2005 users

Posted on 2008-06-25
4,551 Views
Last Modified: 2013-11-29
We have recently installed OCS 2007 on an additional machine to coexist with LCS 2005.  We have configured the OCS server, all services are running and users can log on.  The problem is that when we try to send messages to users under LCS 2005, we cannot send messages.

When I view the logs I see this error:

Event ID:14428            Source: OCS Protocol Stack

TLS outgoing connection failures.

Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "qcklcs01.kaisa.ramcar.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
Resolution:
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Can someone lend me some ideas on how to get through this problem?

Thanks in advance
Question by:snakeadelic
LVL 12

Accepted Solution

by:
gaanthony earned 800 total points
ID: 21879107
First, for LCS 2005 SP1 integration with OCS 2007 you need to have KB 911996 and 921543 applied to your LCS 2005 SP1 environment.  This is probably not your certificate issue though.

I need additional information about your environment.
Is LCS 2005 SP1 Standard Edition or Enterprise Edition?
Do you have any load balancers?
Is there an LCS Access Proxy?

Is OCS 2007 Standard Edition or Enterprise Edition?
Do you have a Director?
Are you using an Internal Root Certificate Authority, and are you using internal certificates for all the LCS and OCS internal certs?
Have you reviewed the OCS 2007 migration guide?
http://www.microsoft.com/downloads/details.aspx?FamilyID=20F67AFC-6AF5-4A03-99BF-4150DEF36457&displaylang=en

Does your OCS server have the Root Certificate and CA certificate chain?
LVL 1

Author Comment

by:snakeadelic
ID: 21880691
Hi gaanthony,

Thanks for the reply.  We have patched our LCS 2005 with KB 911996 and 921543.
Regarding the additional info you need, it is as follows:

Is LCS 2005 SP1 Standard Edition or Enterprise Edition?
Do you have any load balancers?   -  None
Is there an LCS Access Proxy?   -  None

Is OCS 2007 Standard Edition or Enterprise Edition?
Do you have a Director?   -  None
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs?   -   Yes, we are using internal certificates (Windows CA) but using different certificates for LCS and OCS.  Are you suggesting applying the certificate we use in LCS to OCS?

Both servers have a certificate chain.

Hope to hear again from you.

Thanks
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 800 total points
ID: 21911549
I apologize for the delayed reply.  I didn't catch that there was a reply.  
I'm not suggesting that you apply the same certificate used in LCS to OCS as that would not work.
Both systems should have certificates issued from the same internal root certificate authority.
All server to server communication occurs over Mutual TLS (MTLS) on port 5061.  
Is qcklcs01.kaisa.ramcar.com the FQDN of the LCS Home server or the LCS Pool?  The certificate on LCS should have the pool FQDN as the Subject name, with the Pool and server name listed in the Subject Alternate Name (SAN) of the certificate.  What is your SIP URI, and are you using automatic configuration for the clients?

Check your DNS also to make sure you are resolving to internal names/IPs and not external.
LVL 1

Author Comment

by:snakeadelic
ID: 21913263
I have a certificate applied to my LCS server that has a different subject name and FQDN, but I have created a DNS entry so that whenever a query is made for the subject name of the certificate it points to our LCS server.  All clients under the same domain as the LCS server use automatic configuration, whereas clients on different domains use a specific TCP address to log on.

Another thing that I'm thinking is, when I installed my OCS 2007 the forest, schema and domains had been prepped already.  I think this is because I did prep them when I installed the LCS.  Do I have to unprep the forest to prep it again for the OCS 2007?

Thanks a lot for your help.  It is highly appreciated.
LVL 10

Assisted Solution

by:jayca
jayca earned 200 total points
ID: 21920061
No, leave the schema alone - it should be fine, or it would not have allowed you to continue.

A simple test is to use LCSDIAG from the reskit for 2005 and check connectivity for TLS to the OCS server.  

Then check from the connectivity checker in OCS and test to LCS2005.  If it fails either way, then it is a cert issue.

The cert should look like this:

Certificate Information for LCS:
SN = LCSPool01.ADDomain.com
SAN1 = LCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = LCS01.ADDomain.com

Certificate Information for OCS:
SN = OCSPool01.ADDomain.com
SAN1 = OCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = OCS01.ADDomain.com

Verify your cert matches this or issue new and add, restart, then TLS check between servers.  Once complete and tested, you will be fine.

You do not need a director - to test, manually point an LCS client to sign into the OCS server and you will see it redirect to LCS and sign in.  You do want to get to a point where automatic config for clients points to the OCS pool and allows OCS to redirect to LCS as appropriate.
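As an added check (not code from the thread or from Microsoft), the following Python models the peer-name test that produces 0x80090322 and runs it against jayca's recommended certificate layout; the aliased certificate and the SIP domain in it are constructed placeholders, and the rule that SAN DNS names are consulted before the Subject CN is an assumption about the TLS check.

```python
# Added example: model of the TLS peer-name check behind event 14428.
# A certificate is reduced to its Subject CN and SAN DNS entries; the check is
# run against the FQDN the local server dialed, not against any DNS alias.
# Assumption: SAN DNS names are consulted first and the CN only when the
# certificate carries no SAN DNS names (the usual TLS rule).
from dataclasses import dataclass, field


@dataclass
class CertNames:
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _norm(name):
    # DNS names are case-insensitive and a trailing dot is not significant.
    return name.strip().rstrip(".").lower()


def presented_names(cert):
    """Names the peer check may accept for this certificate."""
    return [_norm(n) for n in cert.san_dns] if cert.san_dns else [_norm(cert.subject_cn)]


def principal_check(cert, peer_fqdn):
    """Return (ok, detail); ok=False corresponds to 0x80090322, wrong principal."""
    names = presented_names(cert)
    if _norm(peer_fqdn) in names:
        return True, "peer name %s is in the certificate" % peer_fqdn
    return False, "0x80090322: peer name %s not among %s" % (peer_fqdn, names)


def required_names(pool_fqdn, sip_domain, server_fqdn):
    """jayca's layout: pool FQDN, sip.<SIP domain>, server FQDN (deduplicated)."""
    return list(dict.fromkeys([pool_fqdn, "sip." + sip_domain, server_fqdn]))


def missing_names(cert, pool_fqdn, sip_domain, server_fqdn):
    """Names from the recommended layout that the certificate still lacks."""
    have = set(presented_names(cert))
    return [n for n in required_names(pool_fqdn, sip_domain, server_fqdn) if _norm(n) not in have]


# Constructed sample data: jayca's LCS layout, and a certificate issued under a
# different name with a DNS alias pointing that name at the server (the asker's case).
LCS_GOOD = CertNames("LCSPool01.ADDomain.com",
                     ["LCSPool01.ADDomain.com", "SIP.SIPDomain.com", "LCS01.ADDomain.com"])
LCS_ALIASED = CertNames("lcsalias.example.local")  # placeholder CN, no SAN

if __name__ == "__main__":
    print(principal_check(LCS_GOOD, "lcs01.addomain.com"))
    print(principal_check(LCS_ALIASED, "qcklcs01.kaisa.ramcar.com"))
    print(missing_names(LCS_ALIASED, "qcklcs01.kaisa.ramcar.com", "sipdomain.example",
                        "qcklcs01.kaisa.ramcar.com"))
```

The aliased case fails because OCS dials the LCS server's real FQDN, so the alias never enters the comparison; the missing-names list is what the reissued certificate has to carry.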
LVL 1

Author Comment

by:snakeadelic
ID: 21922294
Thanks for the reply.

I am not that good regarding certificates.  Must certificates for LCS and OCS have multiple SANs?  And how can I obtain such a certificate?  I have searched the Microsoft website for instructions on how to add a SAN with my online CA and came up with this command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have run those commands on both my enterprise CA and its subordinate and all ran successfully.  However, when I request a new certificate for my LCS to follow your advice, its properties still show no SAN.  Can you please help me with this.

Thanks for all your replies.
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 800 total points
ID: 21922384
Information for LCS 2005 certificates can be found at http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_8.mspx.
Applies to OCS 2007 as well or you can use the OCS 2007 Certificate wizard.
LVL 1

Author Comment

by:snakeadelic
ID: 21923023
Hi, I have followed the link to install a certificate on my LCS, but my problem is that when I'm trying to request a new certificate my CA does not have a server authentication certificate template.  I checked my CAs and no template is available, even if I check for all certificates that can be deployed as a template.  Sorry if this sounds dumb.

Thanks for the help
LVL 1

Author Comment

by:snakeadelic
ID: 21924635
Hi gaanthony,

Good News! I have been able to solve this problem.  Right from the start I was only changing the certificate of my LCS server on the Security tab (using the FQDN of my LCS server).  What I was not doing was also changing the certificate in the "General" tab, which LCS uses to communicate via MTLS.  Thanks for all your help, as well as jayca's.  I'll reward you both the points.
LVL 1

Author Closing Comment

by:snakeadelic
ID: 31470850
Thanks a lot for your help