Solved

OCS 2007 users cannot communicate with LCS 2005 users

Posted on 2008-06-25
4,545 Views
Last Modified: 2013-11-29
We have recently installed OCS 2007 on an additional machine to coexist with LCS 2005.  We have configured the OCS server, all services are running and users can log on.  The problem is when we try to send messages to users under LCS 2005 we cannot send messages.

When I view the logs I see this error:

Event ID:14428            Source: OCS Protocol Stack

TLS outgoing connection failures.

Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "qcklcs01.kaisa.ramcar.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
Resolution:
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Can someone lend me some ideas how to get through this problem?

Thanks in advance
Question by:snakeadelic
10 Comments
 
LVL 12

Accepted Solution

by:
gaanthony earned 800 total points
ID: 21879107
First for LCS 2005 SP1 integration with OCS 2007 you need to have KB 911996 and 921543 applied to your LCS 2005 SP1 environment.  This is probably not your certificate issue though.

Need additional information about your environment.
Is LCS 2005 SP1 Standard Edition or Enterprise Edition?
Do you have any load balancers?
Is there an LCS Access Proxy?

Is OCS 2007 Standard Edition or Enterprise Edition?
Do you have a Director?
Are you using an Internal Root Certificate Authority, and are you using internal certificates for all the LCS and OCS internal certs?
Have you reviewed the OCS 2007 migration guide?
http://www.microsoft.com/downloads/details.aspx?FamilyID=20F67AFC-6AF5-4A03-99BF-4150DEF36457&displaylang=en

Does your OCS server have the Root Certificate and CA certificate chain?
 
LVL 1

Author Comment

by:snakeadelic
ID: 21880691
Hi gaanthony,

Thanks for the reply.  We have patched our LCS 2005 with KB 911996 and 921543.
Regarding the additional info you need, it is as follows:

Is LCS 2005 SP1 Standard Edition or Enterprise Edition.
Do you have any load balancers?   -  None
Is there an LCS Access Proxy?   -  None

Is OCS 2007 Standard Edition or Enterprise Edition.
Do you have a Director?   -  None
Are you using an Internal Root Certificate Authority and are you using internal certificates for all the LCS and OCS internal certs.   -   Yes, we are using internal certificates (Windows CA) but using different certificates for LCS and OCS.  Are you suggesting applying the certificate we use in LCS to OCS?

Both servers have a certificate chain.

Hope to hear again from you.

Thanks
 
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 800 total points
ID: 21911549
I apologize for the delayed reply.  I didn't catch that there was a reply.  
I'm not suggesting that you apply the same certificate used in LCS to OCS as that would not work.
Both systems should have certificates issued from the same internal root certificate authority.
All server to server communication occurs over Mutual TLS (MTLS) on port 5061.  
Is qcklcs01.kaisa.ramcar.com the FQDN of the LCS Home server or the LCS Pool?  The certificate on LCS should have the pool FQDN as the Subject name, with the Pool and server name listed in the Subject Alternate Name (SAN) of the certificate.  What is your SIP URI, and are you using automatic configuration for the clients?

Check your DNS also to make sure you are resolving to internal names/IPs and not external.
 
LVL 1

Author Comment

by:snakeadelic
ID: 21913263
I have a certificate applied to my LCS server that has a different subject name and FQDN, but I have created a DNS entry so that whenever a query is made for the subject name of the certificate it points to our LCS server.  All clients under the same domain as the LCS server use automatic configuration, whereas clients on different domains use a specific TCP address to log on.

Another thing that I'm thinking is, when I installed my OCS 2007 the forest, schema and domains had been prepped already.  I think this is because I did prep this when I installed the LCS.  Do I have to unprep the forest to prep it again for the OCS 2007?

Thanks a lot for your help.  It is highly appreciated.
 
LVL 10

Assisted Solution

by:jayca
jayca earned 200 total points
ID: 21920061
No, leave the schema alone - it should be fine or it would not have allowed you to continue.

A simple test is to use LCSDIAG from the reskit for 2005 and check connectivity for TLS to the OCS server.  

Then check from the connectivity checker in OCS and test to LCS2005.  If it fails either way, then it is a cert issue.

The cert should look like this:

Certificate Information for LCS:
SN = LCSPool01.ADDomain.com
SAN1 = LCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = LCS01.ADDomain.com

Certificate Information for OCS:
SN = OCSPool01.ADDomain.com
SAN1 = OCSPool01.ADDomain.com
SAN2 = SIP.SIPDomain.com
SAN3 = OCS01.ADDomain.com

Verify your cert matches this or issue new and add, restart, then TLS check between servers.  Once complete and tested, you will be fine.

You do not need a director - to test, manually point an LCS client to sign into the OCS server and you will see it redirect to LCS and sign in.  You do want to get to a point where automatic config for clients points to the OCS pool and allows OCS to redirect to LCS as appropriate.
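The name check that gaanthony and jayca describe (Subject = pool FQDN; SAN carrying pool FQDN, SIP domain and server FQDN, for the MTLS peer on port 5061) can be scripted so the mismatch behind 0x80090322 is found before the servers are pointed at each other. This is an added example written for this thread, not code from the posters or from Microsoft; it uses only the Python standard library, the two certificate dicts are constructed samples in the shape returned by getpeercert(), and the host names are the placeholders from jayca's layout.

```python
import socket
import ssl

# Constructed getpeercert()-style dicts (not real certificates). The first
# mirrors the asker's situation: subject issued to an alias rather than the
# pool/server FQDN and no SAN at all. The second follows jayca's layout.
BAD_CERT = {
    "subject": ((("commonName", "lcs-alias.ADDomain.com"),),),
}
GOOD_CERT = {
    "subject": ((("commonName", "LCSPool01.ADDomain.com"),),),
    "subjectAltName": (("DNS", "LCSPool01.ADDomain.com"),
                       ("DNS", "SIP.SIPDomain.com"),
                       ("DNS", "LCS01.ADDomain.com")),
}

def names_from_peercert(cert):
    """Return (subject CN, [DNS SAN entries]) from a getpeercert() dict."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def check_names(cn, sans, pool_fqdn, server_fqdn, sip_domain):
    """List what is wrong with the names; an empty list means they match the
    layout described in the thread. DNS names compare case-insensitively."""
    problems = []
    lower_sans = {s.lower() for s in sans}
    if cn.lower() != pool_fqdn.lower():
        problems.append(f"subject CN {cn!r} is not the pool FQDN {pool_fqdn!r}")
    for label, name in (("pool FQDN", pool_fqdn), ("SIP domain name", sip_domain),
                        ("server FQDN", server_fqdn)):
        if name.lower() not in lower_sans:
            problems.append(f"SAN is missing the {label} {name!r}")
    return problems

def fetch_peer_names(host, port=5061, cafile=None):
    """Connect to the MTLS port and return the peer's (CN, SANs). Chain
    verification stays on (an untrusted root raises SSLCertVerificationError,
    the other cause named in event 14428); hostname checking is turned off so
    a mismatched name can be inspected rather than aborted. Assumes the server
    completes the handshake without a client certificate (hypothetical)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_from_peercert(tls.getpeercert())
```

Run check_names() on the tuple from fetch_peer_names() against your own pool FQDN, server FQDN and SIP domain; a non-empty list is the name problem to fix on the certificate (or on the General tab, as the asker found) before retesting TLS between the servers.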
 
LVL 1

Author Comment

by:snakeadelic
ID: 21922294
Thanks for the reply.

I am not that good regarding certificates.  Must certificates for LCS and OCS have multiple SANs?  And how can I obtain such a certificate?  I have searched the Microsoft website for instructions on how to add a SAN to my online CA and came out with this command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have run those commands on both my enterprise CA and its subordinate and all run successfully.  However, when I request a new certificate for my LCS to follow your advice, its properties still show no SAN.  Can you please help me on this.

Thanks for all your replies.
 
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 800 total points
ID: 21922384
Information for LCS 2005 certificates can be found at http://www.microsoft.com/technet/prodtechnol/office/livecomm/library/confcerts/lcscon_8.mspx.
Applies to OCS 2007 as well or you can use the OCS 2007 Certificate wizard.
 
LVL 1

Author Comment

by:snakeadelic
ID: 21923023
Hi, I have followed the link to install a certificate on my LCS, but my problem is that when I try to request a new certificate my CA does not have a server authentication certificate template.  I checked my CAs and no template is available, even when I check for all certificates that can be deployed as a template.  Sorry if this sounds dumb.

Thanks for the help
 
LVL 1

Author Comment

by:snakeadelic
ID: 21924635
Hi gaanthony,

Good News! I have been able to solve this problem.  Right from the start I was just changing the certificate of my LCS server on the Security tab (using the FQDN of my LCS server).  What I wasn't doing was also changing the certificate in the "General" tab, which LCS uses to communicate via MTLS.  Thanks for all your help, as well as jayca.  I'll reward you both the points.
 
LVL 1

Author Closing Comment

by:snakeadelic
ID: 31470850
Thanks a lot for your help