tnesupport
asked on
OCS 2007 R2 NTLM Authentication & Server Time-Out Issues
Hello,
We have recently attempted to deploy OCS 2007 R2 on a single front-end server (mostly for IM connectivity) & an Edge server, both using Server 2008 Standard. We are working on federating with the outside, but before we can, we have encountered strange issues.
Our domain name is "tneusa.com," pool name is listed as "tneocs" & the server FQDN is "tneocs.tneusa.com."
We have 2 zones that are SIP-enabled: TNEUS.com & TNEUSA.com (neither are external, the TNEUS is an artifact of our old directory structure).
We have our DNS set up like so:
TNEUSA zone:
(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneusa.com (port 5061)
TNEUS zone:
(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneus.com (port 5061)
Everything is working internally (auto-logon, IM, conferencing, AV). When we attempt to validate on the front-end server, the only warnings we are getting other than NTLM issues are regarding CWA & the Reponse Group Service, of which we are using neither.
[code]
Maximum hops: 2
Successfully established security assocation with the server: User test Domain tneusa.com Protocol Kerberos Target sip/TNEOCS.tneusa.com
User registration succeeded: User sip:test@tneus.com @ Server sip.tneus.com
*-*-*-*-*-*-*-*
Maximum hops: 2
Successfully established security association with the server: User test Domain tneusa.com Protocol NTLM Target TNEOCS.tneusa.com
Failed to register user: User sip:test@tneus.com @ Server sip.tneus.com
Failed registration response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;epid=
TO: <sip:test@tneus.com>;tag=4
CSEQ: 5 REGISTER
CALL-ID: a3d612455bc24b3d816351a3ba
VIA: SIP/2.0/TLS 10.100.253.16:58492;branch
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000000000000A
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOC
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
[/code]
The pool is set to accept both NTLM & Kerberos authentication--Kerberos works fine. The front end server is set to MTLS transport, though changing this to TLS has no affect.
Being everything is working without error on our clients, we figured this would not be a problem--until we began attempting to validate the Edge server. NTLM works properly when attempting to authenticate each user, but when we reach the "Check two-party IM->Attempting to establish SIP dialog from test@tneus.com to test2@tneus.com using sip.tneus.com," we are given the following error (very similar):
[code]
Maximum hops: 3
Received a failure SIP response: User sip:test2@tneus.com @ Server sip.tneus.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;tag=6
TO: <sip:test2@tneus.com>;tag=
CSEQ: 7 INVITE
CALL-ID: 26f875a53e9e45e1b4d56ee0ec
VIA: SIP/2.0/TLS 10.100.253.20:49287;branch
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="01000000000000005
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOC
]
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
[/code]
All servers can ping eachother fine by FQDN & IP address.
Any ideas of what exactly the issue is here?!
We have recently attempted to deploy OCS 2007 R2 on a single front-end server (mostly for IM connectivity) & an Edge server, both using Server 2008 Standard. We are working on federating with the outside, but before we can, we have encountered strange issues.
Our domain name is "tneusa.com," pool name is listed as "tneocs" & the server FQDN is "tneocs.tneusa.com."
We have 2 zones that are SIP-enabled: TNEUS.com & TNEUSA.com (neither are external, the TNEUS is an artifact of our old directory structure).
We have our DNS set up like so:
TNEUSA zone:
(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneusa.com (port 5061)
TNEUS zone:
(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneus.com (port 5061)
Everything is working internally (auto-logon, IM, conferencing, AV). When we attempt to validate on the front-end server, the only warnings we are getting other than NTLM issues are regarding CWA & the Reponse Group Service, of which we are using neither.
[code]
Maximum hops: 2
Successfully established security assocation with the server: User test Domain tneusa.com Protocol Kerberos Target sip/TNEOCS.tneusa.com
User registration succeeded: User sip:test@tneus.com @ Server sip.tneus.com
*-*-*-*-*-*-*-*
Maximum hops: 2
Successfully established security association with the server: User test Domain tneusa.com Protocol NTLM Target TNEOCS.tneusa.com
Failed to register user: User sip:test@tneus.com @ Server sip.tneus.com
Failed registration response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;epid=
TO: <sip:test@tneus.com>;tag=4
CSEQ: 5 REGISTER
CALL-ID: a3d612455bc24b3d816351a3ba
VIA: SIP/2.0/TLS 10.100.253.16:58492;branch
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000000000000A
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOC
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
[/code]
The pool is set to accept both NTLM & Kerberos authentication--Kerberos works fine. The front end server is set to MTLS transport, though changing this to TLS has no affect.
Being everything is working without error on our clients, we figured this would not be a problem--until we began attempting to validate the Edge server. NTLM works properly when attempting to authenticate each user, but when we reach the "Check two-party IM->Attempting to establish SIP dialog from test@tneus.com to test2@tneus.com using sip.tneus.com," we are given the following error (very similar):
[code]
Maximum hops: 3
Received a failure SIP response: User sip:test2@tneus.com @ Server sip.tneus.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;tag=6
TO: <sip:test2@tneus.com>;tag=
CSEQ: 7 INVITE
CALL-ID: 26f875a53e9e45e1b4d56ee0ec
VIA: SIP/2.0/TLS 10.100.253.20:49287;branch
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="01000000000000005
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOC
]
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
[/code]
All servers can ping eachother fine by FQDN & IP address.
Any ideas of what exactly the issue is here?!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.