Office Communicator

bntech
bntech used Ask the Experts™
on
When trying to connect my Office communicator client to the server (sign in)
it say There was a problem verifying the certificate from the Server. Please contact your system administrator.

This is a new setup. Ran through wiuzards and all services are running.

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Had a similar problem as this recently at work... here's what I found out:

IM uses a DigiCert certificate and it seems as though that certificate might be missing. (Found by looking IE -Tools -> Internet Options>Certificates > Trusted Root Certification Authorities).DigiCert should be listed there. If not you will have to get it from DigiCert - or possibly export it from another working system and import it into the system IM is failing on.
That may be if using a third party certificate.  If using a certificate issue from your own internal Windows Certficate Authority (CA) and the CA is running on Window Server Standard Edition instead of enterprise client autoenrollment for the root CA is not automatically enabled.  You may need to publish the root CA in AD and configure group policy for autoenrollment.
Other things to check.  The certificate on the pool has a subject name of the Pool FQDN if OCS Enterprise Edition or subject name of the machine if OCS Standard edition.  This FQDN may not match that of the SIP URI that you are using.  Say your active directory domain is domain.local then the Pool FQDN might be ocspool.domain.local but you may have set your SIP domain to match your email SMTP scheme of domain.com.  Then your Pool cert need a subject alternative name of sip.domain.com.
Communicator automatic client configuration will query DNS for SRV (service locator) records starting with _sipinternaltls._tcp.<domain.com> where <domain.com> is what is on the right hand side of the user's SIP URI.  The host specified in the SRV record had to match the same domain.
Do if you have a forward lookup zone domain.local an SRV recrod there will not suffice for automatic client configuration.  You need a forward lookup zone for domain.com with host recrod of sip.domain.com that points to the IP address of the OCS Pool.
Then the Root certificate from the CA that issue the OCS Pool cert needs to be in the local computer trust Root certification authorities store of the workstation so the workstation/client will trust the cert presented from the Pool.  
Also the client must be able to resolve the CRL of the Pool cert.  You can open the Pool cert details and look at the CRL Distribution pooint filed and copy the http url and paste it in the workstation browser to see if it retrieves the CRL by seeing if you get file open or save.  If you get page not found then it's can resolve the CRL and will also give the cert error.

Author

Commented:
So your are correct in stating that our dc, is standard 2008. I request a CA from this server, and imported into the Pool. However we do have a third party cert that is a wildcard.
*.domain.com

What steps should we take to make sure this works,, still having issue
Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

I'm pretty sure a wildcare certificate doesn't work with OCS because if you checked the certifcate SN you will find it named as *.domain.com, however the Edge Configuration will be looking for the FQDN of the service name in the certificate . For example, sip.domain.com and webconf.domain.com and AV.domain.com.

Author

Commented:
Okay, So now it seems worse. Can you provide step by step?

Now it sits trying to connect for several minutes, but after a while it says unavailable.

Correct wildcard certificates are not supported.
Check out http://www.ocspedia.com for some step by step info.

Author

Commented:
IS it best practice to put this on a Mail Server>?  Is it possible?>  Any special configuration or etc, need to happen while co-existing on Exchange 2007?

Author

Commented:
Also How do you cleanup old installs from ADS. as the Server doesnt exist anymore, but entries in ADSI do..
Office Communications Server is not supported collocated with other server roles such as Exchange.  As for cleaning up orphaned entries you can use the command line tool LCSCMD with the appropriate options which would include /force to deactivate a server that was improperly removed before deactivating.  If that doesn't work you'd need to use ADSIEDIT as a last resort to manually remove the orphaned entries.
You can download the Command Line reference from http://technet.microsoft.com/en-us/library/dd440727(office.13).aspx.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial