Solved

OCS 2007 users cannot communicate with LCS 2005 users

Posted on 2008-06-25
10
4,531 Views
Last Modified: 2013-11-29
We have recently installed OCS 2007 on an additional machine to coexist with LCS 2005.  We have configured the OCS server, all services are running and users can log on.  The problem is when we try to send messages to user under LCS 2005 we cannot send messages.

When I view the logs I see this error:

Event ID:14428            Source: OCS Protocol Stack

TLS outgoing connection failures.

Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "qcklcs01.kaisa.ramcar.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
Resolution:
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Can someone lend me some ideas how to get trough this problem?

Thanks in advance
0
Comment
Question by:snakeadelic
  • 6
  • 3
10 Comments
 
LVL 12

Accepted Solution

by:
gaanthony earned 200 total points
ID: 21879107
First for LCS 2005 SP1 integration with OCS 2007 you need to have KB 911996 and 921543 applied to your LCS 2005 SP1 environment.  This is probably not your certificate issue though.

Need addtional information about your environment.
Is LCS 2005 SP1 Standard Edition or Enterprise Edition.
Do you have any load balancers?
Is there an LCS Access Proxy?

Is OCS 2007 Standard Edition or Enterprise Edition.
Do you have a Director?
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs.
Have you reviewed the OCS 2007 migration guide?
http://www.microsoft.com/downloads/details.aspx?FamilyID=20F67AFC-6AF5-4A03-99BF-4150DEF36457&displaylang=en

Does your OCS server have the Root Certificate and CA certificate chain?
0
 
LVL 1

Author Comment

by:snakeadelic
ID: 21880691
Hi qaanthony,

Thanks for the reply.  We have patched our LCS 2005 with KB 911996 and 921543 .
Regarding addtionial infos you need is as follows:

Is LCS 2005 SP1 Standard Edition or Enterprise Edition.
Do you have any load balancers?   -  None
Is there an LCS Access Proxy?   -  None

Is OCS 2007 Standard Edition or Enterprise Edition.
Do you have a Director?   -  None
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs.   -   Yes we are using internal certificates (windows CA) but using different certificates for LCS and OCS.  Are you suggesting aaplying the certificate we use in LCS to OCS?

Both servers have a certificate chain.

Hope to hear again from you.

Thanks
0
 
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 200 total points
ID: 21911549
I apologize for the delayed reply.  I didn't catch that there was a reply.  
I'm not suggesting that you apply the same certificate used in LCS to OCS as that would not work.
Both systems should have certificates issued from the same internal root certificate authority.
All server to server communication occurs over Mutual TLS (MTLS) on port 5061.  
Is qcklcs01.kaisa.ramcar.com the FQDN of the LCS Home server or the LCS Pool.  The certificate on LCS should have both the pool FQDN as the Subject name with the Pool and server name listed in the Subject Alternate Name (SAN) of the certificate.  What is your sip URI and are you using automatic configuration for the clients.

Check your DNS also to make sure you are resolving to internal names/IPs and not external.
0
 
LVL 1

Author Comment

by:snakeadelic
ID: 21913263
I have a certificate applied to my LCS server that has a different subject name and FQDN but I have created a DNS entry to point the the server whenever a query is made to the subject name of the certificate to point ot our LCS server.  All clients under the same domain as the LCS server uses automatic configuration whereas clients on different domains uses specific TCP address to log on.

Another thing that I'm thinking is, when I installed my OCS 2007 the forest,schema and domains have been preped all ready.  I think this is because I did prep this when I install the LCS.  Do I have to unprep the forest to prep it again for the OCS 2007?

Thanks a lot for your help.  It is highly appreciated.
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 50 total points
ID: 21920061
No leave the schema alone - it should be fine or would have not allowed you to continue.

A simple test is to use LCSDIAG from the reskit for 2005 and check connectivity for TLS to the OCS server.  

Then check from the connectivity checker in OCS and test to LCS2005.  If it fails either way, then it is a cert issue.

The cert should look like this:

Certificate Information for LCS:
SN = LCSPool01.ADDomain.com
SAN1 = LCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = LCS01.ADDomain.com

Certificate Information for OCS:
SN = OCSPool01.ADDomain.com
SAN1 = OCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = OCS01.ADDomain.com

Verify your cert matches this or issue new and add, restart, then TLS check between servers.  Once complete and tested, you will be fine.

You do not need a director - to test, manually point an LCS client to sign into the OCS server and you will see it redirect to LCS and sign in.  You do want to get to a point where automatic config for clients points to the OCS pool and allow OCS ro redirect to LCS as appropriate.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 1

Author Comment

by:snakeadelic
ID: 21922294
Thanks for the reply.

I am not that good regarding certificates.  Do certificates for LCS and OCS must have multiple SANs?  And how can I accomplish such certificate.  I have search microsoft website to instruct me how to ad SAN to my online CA and came out with this command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have run those command from both my enterprise CA and its subordinate and all runs successfully.  However when i request for a new certificate for my LCS to follow your advice, still its properties hows no SAN.  Can you please help me on this.

Thanks for all your replies.
0
 
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 200 total points
ID: 21922384
Information for LCS 2005 certificates can be found at http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_8.mspx.
Applies to OCS 2007 as well or you can use the OCS 2007 Certificate wizard.
0
 
LVL 1

Author Comment

by:snakeadelic
ID: 21923023
Hi I have followed the link to install a certificate to my LCS but my problem is when I'm trying to request a new certificate my CA does not have a server authentication cetificate template.  I check my CAs and no template is available even if I check for all certificate that can be deploy as a templatae. Sorry if I this sounds dumb.

Thanks for the help
0
 
LVL 1

Author Comment

by:snakeadelic
ID: 21924635
Hi qaanthony,

Good News! I have able to solve this problem.  From right then and then I was just changing the certificate of my lcs server on the security tab (using the FQDN of my lcs server).  What I'm not doing is also changing the certificate in the "General" tab which the LCS be using to communicate via MTLS.  Thanks for all your help as well as jayca.  Il'll both reward you the points.
0
 
LVL 1

Author Closing Comment

by:snakeadelic
ID: 31470850
Thanks a lot for your help
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

My previous article  (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html)detailed one possible method to get SCCM 2007 installed an…
On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now