OCS 2007 users cannot communicate with LCS 2005 users

We have recently installed OCS 2007 on an additional machine to coexist with LCS 2005.  We have configured the OCS server, all services are running and users can log on.  The problem is when we try to send messages to user under LCS 2005 we cannot send messages.

When I view the logs I see this error:

Event ID:14428            Source: OCS Protocol Stack

TLS outgoing connection failures.

Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "qcklcs01.kaisa.ramcar.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Can someone lend me some ideas how to get trough this problem?

Thanks in advance
Who is Participating?
gaanthonyConnect With a Mentor Commented:
First for LCS 2005 SP1 integration with OCS 2007 you need to have KB 911996 and 921543 applied to your LCS 2005 SP1 environment.  This is probably not your certificate issue though.

Need addtional information about your environment.
Is LCS 2005 SP1 Standard Edition or Enterprise Edition.
Do you have any load balancers?
Is there an LCS Access Proxy?

Is OCS 2007 Standard Edition or Enterprise Edition.
Do you have a Director?
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs.
Have you reviewed the OCS 2007 migration guide?

Does your OCS server have the Root Certificate and CA certificate chain?
snakeadelicAuthor Commented:
Hi qaanthony,

Thanks for the reply.  We have patched our LCS 2005 with KB 911996 and 921543 .
Regarding addtionial infos you need is as follows:

Is LCS 2005 SP1 Standard Edition or Enterprise Edition.
Do you have any load balancers?   -  None
Is there an LCS Access Proxy?   -  None

Is OCS 2007 Standard Edition or Enterprise Edition.
Do you have a Director?   -  None
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs.   -   Yes we are using internal certificates (windows CA) but using different certificates for LCS and OCS.  Are you suggesting aaplying the certificate we use in LCS to OCS?

Both servers have a certificate chain.

Hope to hear again from you.

gaanthonyConnect With a Mentor Commented:
I apologize for the delayed reply.  I didn't catch that there was a reply.  
I'm not suggesting that you apply the same certificate used in LCS to OCS as that would not work.
Both systems should have certificates issued from the same internal root certificate authority.
All server to server communication occurs over Mutual TLS (MTLS) on port 5061.  
Is qcklcs01.kaisa.ramcar.com the FQDN of the LCS Home server or the LCS Pool.  The certificate on LCS should have both the pool FQDN as the Subject name with the Pool and server name listed in the Subject Alternate Name (SAN) of the certificate.  What is your sip URI and are you using automatic configuration for the clients.

Check your DNS also to make sure you are resolving to internal names/IPs and not external.
Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

snakeadelicAuthor Commented:
I have a certificate applied to my LCS server that has a different subject name and FQDN but I have created a DNS entry to point the the server whenever a query is made to the subject name of the certificate to point ot our LCS server.  All clients under the same domain as the LCS server uses automatic configuration whereas clients on different domains uses specific TCP address to log on.

Another thing that I'm thinking is, when I installed my OCS 2007 the forest,schema and domains have been preped all ready.  I think this is because I did prep this when I install the LCS.  Do I have to unprep the forest to prep it again for the OCS 2007?

Thanks a lot for your help.  It is highly appreciated.
jaycaConnect With a Mentor Commented:
No leave the schema alone - it should be fine or would have not allowed you to continue.

A simple test is to use LCSDIAG from the reskit for 2005 and check connectivity for TLS to the OCS server.  

Then check from the connectivity checker in OCS and test to LCS2005.  If it fails either way, then it is a cert issue.

The cert should look like this:

Certificate Information for LCS:
SN = LCSPool01.ADDomain.com
SAN1 = LCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = LCS01.ADDomain.com

Certificate Information for OCS:
SN = OCSPool01.ADDomain.com
SAN1 = OCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = OCS01.ADDomain.com

Verify your cert matches this or issue new and add, restart, then TLS check between servers.  Once complete and tested, you will be fine.

You do not need a director - to test, manually point an LCS client to sign into the OCS server and you will see it redirect to LCS and sign in.  You do want to get to a point where automatic config for clients points to the OCS pool and allow OCS ro redirect to LCS as appropriate.
snakeadelicAuthor Commented:
Thanks for the reply.

I am not that good regarding certificates.  Do certificates for LCS and OCS must have multiple SANs?  And how can I accomplish such certificate.  I have search microsoft website to instruct me how to ad SAN to my online CA and came out with this command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have run those command from both my enterprise CA and its subordinate and all runs successfully.  However when i request for a new certificate for my LCS to follow your advice, still its properties hows no SAN.  Can you please help me on this.

Thanks for all your replies.
gaanthonyConnect With a Mentor Commented:
Information for LCS 2005 certificates can be found at http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_8.mspx.
Applies to OCS 2007 as well or you can use the OCS 2007 Certificate wizard.
snakeadelicAuthor Commented:
Hi I have followed the link to install a certificate to my LCS but my problem is when I'm trying to request a new certificate my CA does not have a server authentication cetificate template.  I check my CAs and no template is available even if I check for all certificate that can be deploy as a templatae. Sorry if I this sounds dumb.

Thanks for the help
snakeadelicAuthor Commented:
Hi qaanthony,

Good News! I have able to solve this problem.  From right then and then I was just changing the certificate of my lcs server on the security tab (using the FQDN of my lcs server).  What I'm not doing is also changing the certificate in the "General" tab which the LCS be using to communicate via MTLS.  Thanks for all your help as well as jayca.  Il'll both reward you the points.
snakeadelicAuthor Commented:
Thanks a lot for your help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.