
OCS 2007 R2 NTLM Authentication & Server Time-Out Issues

Hello,

We have recently attempted to deploy OCS 2007 R2 on a single front-end server (mostly for IM connectivity) & an Edge server, both using Server 2008 Standard.  We are working on federating with the outside, but before we can, we have encountered strange issues.

Our domain name is "tneusa.com," pool name is listed as "tneocs" & the server FQDN is "tneocs.tneusa.com."

We have 2 zones that are SIP-enabled: TNEUS.com & TNEUSA.com (neither is external; the TNEUS one is an artifact of our old directory structure).

We have our DNS set up like so:

TNEUSA zone:

(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneusa.com (port 5061)

TNEUS zone:
(A) TNEOCS -> 10.100.253.16
(A) TNEPOOL -> 10.100.253.16
(A) SIP -> 10.100.253.16
(A) TNEEDGE -> 10.100.253.20
(SRV) _sipinternaltls -> sip.tneus.com (port 5061)

Everything is working internally (auto-logon, IM, conferencing, AV).  When we attempt to validate on the front-end server, the only warnings we are getting other than NTLM issues are regarding CWA & the Response Group Service, of which we are using neither.

[code]
Maximum hops: 2
Successfully established security assocation with the server: User test Domain tneusa.com Protocol Kerberos Target sip/TNEOCS.tneusa.com
User registration succeeded: User sip:test@tneus.com @ Server sip.tneus.com

*-*-*-*-*-*-*-*

Maximum hops: 2
Successfully established security association with the server: User test Domain tneusa.com Protocol NTLM Target TNEOCS.tneusa.com
Failed to register user: User sip:test@tneus.com @ Server sip.tneus.com
Failed registration response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;epid=epid01;tag=21279d106c
TO: <sip:test@tneus.com>;tag=4C4645246D5BE768D47396F40C850C80
CSEQ: 5 REGISTER
CALL-ID: a3d612455bc24b3d816351a3ba75bf11
VIA: SIP/2.0/TLS 10.100.253.16:58492;branch=z9hG4bK9757151c;ms-received-port=58492;ms-received-cid=1900
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000000000000AD3C0F3BF2955842", srand="34BB1FD4", snum="1", opaque="8DAD4518", qop="auth", targetname="TNEOCS.tneusa.com", realm="SIP Communications Service"
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOCS.tneusa.com";Destination="sip:tneus.com:5061;maddr=sip.tneus.com;transport=Tls"]

Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
[/code]

The pool is set to accept both NTLM & Kerberos authentication--Kerberos works fine.  The front end server is set to MTLS transport, though changing this to TLS has no effect.

Since everything is working without error on our clients, we figured this would not be a problem--until we began attempting to validate the Edge server.  NTLM works properly when attempting to authenticate each user, but when we reach the "Check two-party IM->Attempting to establish SIP dialog from test@tneus.com to test2@tneus.com using sip.tneus.com," we are given the following error (very similar):

[code]
Maximum hops: 3
Received a failure SIP response: User sip:test2@tneus.com @ Server sip.tneus.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: <sip:test@tneus.com>;tag=67381f73e16ab380f23c;epid=epid01
TO: <sip:test2@tneus.com>;tag=4C4645246D5BE768D47396F40C850C80
CSEQ: 7 INVITE
CALL-ID: 26f875a53e9e45e1b4d56ee0ecfc20f4
VIA: SIP/2.0/TLS 10.100.253.20:49287;branch=z9hG4bK5057034;ms-received-port=49287;ms-received-cid=2700
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000000000000588A330C18602C6F", srand="BF338977", snum="3", opaque="79D91DAB", qop="auth", targetname="TNEOCS.tneusa.com", realm="SIP Communications Service"
ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOCS.tneusa.com";Destination="sip:rkelsey@tneus.com:5061;maddr=sip.tneus.com;transport=tls"

]

Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
[/code]

All servers can ping each other fine by FQDN & IP address.

Any ideas of what exactly the issue is here?!
Asked by tnesupport
jayca commented:
Do you have sip.sipdomain1.com and sip.sipdomain2.com as SANs in the certificates?  Just curious as you had good detail up to that point... your FE FQDN should be in there also.

Also, in your SRV records... just to clarify.

_sipinternaltls._tcp.tneus.com.... points to sip.tneus.com... which points to the IP address of the pool.

Wait... I think I see the problem... your POOL IP and FE IP ADDRESS should not be the same.  Add another IP to the NIC alternative IP Settings (If single NIC) and fix DNS.  Restart services and then test it out.

Same IP for both entities causes issues (Has since LCS 2005).  If you had used a Load Balancer, this would not have been an issue because it would have forced you to have 2 IPs :) (Waste for a single server setup though).

Also, if you have any more probs, you really should be using Std Edition, much simpler, and easier as you gain ZERO with a single FE pool.. no redundancy, no failover, added complexity.
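As an added illustration of the diagnosis in the answer (this is example code written for this page, not code from the thread or from OCS), the following Python check runs over a constructed in-memory copy of the records listed in the question, verifies the _sipinternaltls SRV target for each SIP domain, and flags a front end and pool that share an IP address. Hostnames and addresses follow the question; the 10.100.253.17 pool address used for the "fixed" copy is an assumed placeholder.

```python
import copy
import itertools

SIP_SRV = "_sipinternaltls._tcp"
SIP_TLS_PORT = 5061

# Constructed copy of the two zones from the question (nothing is queried live).
RECORDS = {
    "tneusa.com": {
        "A": {"tneocs": "10.100.253.16", "tnepool": "10.100.253.16",
              "sip": "10.100.253.16", "tneedge": "10.100.253.20"},
        "SRV": {SIP_SRV: ("sip.tneusa.com", 5061)},
    },
    "tneus.com": {
        "A": {"tneocs": "10.100.253.16", "tnepool": "10.100.253.16",
              "sip": "10.100.253.16", "tneedge": "10.100.253.20"},
        "SRV": {SIP_SRV: ("sip.tneus.com", 5061)},
    },
}

def check_sip_zone(zone, records, frontend="tneocs", pool="tnepool", edge="tneedge"):
    """Return a list of problems found in one SIP-enabled zone (empty list = clean)."""
    a = records[zone]["A"]
    findings = []
    srv = records[zone]["SRV"].get(SIP_SRV)
    if srv is None:
        findings.append(f"{zone}: no {SIP_SRV} SRV record")
    else:
        target, port = srv
        if port != SIP_TLS_PORT:
            findings.append(f"{zone}: SRV port {port} is not {SIP_TLS_PORT}")
        host, _, parent = target.partition(".")
        if parent != zone or host not in a:   # target must be an A record in this zone
            findings.append(f"{zone}: SRV target {target} has no A record in this zone")
        elif a[host] != a.get(pool):           # clients must land on the pool address
            findings.append(f"{zone}: SRV target {target} does not resolve to the pool IP")
    for role in (frontend, pool, edge):
        if role not in a:
            findings.append(f"{zone}: missing A record for {role}")
    # The point of the answer: pool, front end and edge each need their own address.
    for x, y in itertools.combinations((frontend, pool, edge), 2):
        if x in a and y in a and a[x] == a[y]:
            findings.append(f"{zone}: {x} and {y} share IP {a[x]}")
    return findings

def check_all(records):
    return {zone: check_sip_zone(zone, records) for zone in records}

def fixed_copy(records, pool_ip):
    """Constructed 'after' state: give the pool (and the sip name the SRV points at) its own IP."""
    fixed = copy.deepcopy(records)
    for zone in fixed.values():
        zone["A"]["tnepool"] = pool_ip
        zone["A"]["sip"] = pool_ip
    return fixed
```

Running `check_all(RECORDS)` reports the shared front-end/pool address in both zones, while `check_all(fixed_copy(RECORDS, "10.100.253.17"))` comes back clean.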