Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Problems with certificate OCS 2007

Posted on 2009-12-16
4
Medium Priority
?
773 Views
Last Modified: 2013-11-29
Hello,

I have the following problem:

I've set up a new clean lab environment. In this environment I have a windows 2003 R2 active directory server, Exchange 2007 server, SQL2005 server. On the active directory server I installed the role of Certificate Authority. Beside these servers I started setting up an OCS 2007 environment.

I installed the front end, requested the certificates for it trough the web interface of my CA and assigned the certificates. No errors there. I created 5 test users, sip-enabled them and they are visible in my OCS front end and configured.

When I try to logon with one of the users I get the following error :
There was a problem verifying the certificate from the server. Please contact your system administrator.

Now what I do trying to solve this problem :
I expored the certificate of the CA with it's private key and imported it on my front end and test computer in the directory trusted root certificate authorities.
This did not solve the problem.

When you run the connectivity test of the OCS deployment process you get the error that the port 5061 is not available on my front end. However when I start a telnet session to my front end using this port I get a response.
When you open your browser and go to https://poolname:5061 you also get a response from the browser that he does not thrust the issuer of the certificate.

What could be the problem. I already checked the links to make sure that I did not miss a step in the process of setting up my CA but this all seems to be fine.
http://www.petri.co.il/install_windows_server_2003_ca.htm
http://www.petri.co.il/obtain_digital_certificate_from_online_ca.htm

Hope someone can help me.

Thanks in advance
0
Comment
Question by:o-tvw-ee
4 Comments
 
LVL 1

Accepted Solution

by:
strandedman earned 668 total points
ID: 26065572
The Certificate on the Front End server servers two purposes. It provides MTLS authentcition between it and other servers connecting which is based on the FQDN of the server itself, i.e. servername.domain.sufix.

When users connect to the Front End server they are connecting using the their SIP URI, e.g. user@domain.suffix. In some cases the SIP domain suffix is different from the acutal domain suffix. In our case for example users sign-in using their email address user@domain.com, wheras our internal domain is @domain.int.

This may not be the case in your situation, but if it is then you need to addd the SIP domain as a Subject Alternate Name (SAN) when you use the wizard to create the certificates.

It would also be wise to run the Validation wizard on the Front End server to see if you get any errors.

Hope this helps.
0
 
LVL 12

Assisted Solution

by:gaanthony
gaanthony earned 668 total points
ID: 26068559
In addition you need to have the root certificate imported into the local computer trusted roots certification authorities store on the workstation(s).
If the CA you installed was not active directory integrated (Enterprise CA) which is only available in Enterprise Edition of WIndows then Root Certificate enrollment does not happen automatically.  You'll need to publish the Root Certificate in AD using DSPublish and enable automatic enrollment in the domain group policy.
0
 

Author Comment

by:o-tvw-ee
ID: 26112722
Thanks guys for the response due to lack of time I was not able yet to try it out. I will implement it one of the following days and give you feedback.
0
 
LVL 11

Assisted Solution

by:Ahmed Shahba
Ahmed Shahba earned 664 total points
ID: 26154260
Hi,

You first need Certificate with SN=Pool FQDN and SAN=Front-end server FQDN , Sip.yourdomain.com , and this use for  (M)TLS authentication between pool servers and Communicator clients.

and this certificate SN match Internal Web Farm FQDN (same as Pool FQDN) you entered during creating the pool .So you need to IIS on Front End server and assign this certificate with Default Web site .


If you do above , sure you will get everything is fine and also no need to import local CA to machines , since they already join your domain and automatically has this certificate.


Thanks
Regards,
Ahmed
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Back in July, I blogged about how Microsoft's new server pricing model, combined with the end of the Small Business Server package, would result in significant cost increases for many small businesses (see SBS End of Life: Microsoft Punishes Small B…
Introduction: Sometimes when I receive a call from my users to solve their problems it is very difficult for me to found their computer IP address. Even finding their computer Host to provide remote support can be a problem.  So I resorted to Goo…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question