Problems with certificate OCS 2007

Posted on 2009-12-16
Last Modified: 2013-11-29

I have the following problem:

I've set up a new clean lab environment. In this environment I have a Windows 2003 R2 Active Directory server, an Exchange 2007 server and a SQL 2005 server. On the Active Directory server I installed the Certificate Authority role. Besides these servers I started setting up an OCS 2007 environment.

I installed the front end, requested the certificates for it through the web interface of my CA and assigned the certificates. No errors there. I created 5 test users, SIP-enabled them, and they are visible in my OCS front end and configured.

When I try to log on with one of the users I get the following error:
There was a problem verifying the certificate from the server. Please contact your system administrator.

Now what I did to try to solve this problem:
I exported the certificate of the CA with its private key and imported it on my front end and test computer in the Trusted Root Certificate Authorities store.
This did not solve the problem.

When you run the connectivity test of the OCS deployment process you get the error that port 5061 is not available on my front end. However, when I start a telnet session to my front end using this port I get a response.
When you open your browser and go to https://poolname:5061 you also get a response from the browser that it does not trust the issuer of the certificate.

What could be the problem? I already checked the links to make sure that I did not miss a step in the process of setting up my CA, but this all seems to be fine.

Hope someone can help me.

Thanks in advance
Question by:o-tvw-ee

    Accepted Solution

    The certificate on the Front End server serves two purposes. It provides MTLS authentication between it and other servers connecting, which is based on the FQDN of the server itself, i.e. servername.domain.suffix.

    When users connect to the Front End server they are connecting using their SIP URI, e.g. user@domain.suffix. In some cases the SIP domain suffix is different from the actual domain suffix. In our case, for example, users sign in using their email address, whereas our internal domain is

    This may not be the case in your situation, but if it is then you need to add the SIP domain as a Subject Alternate Name (SAN) when you use the wizard to create the certificates.

    It would also be wise to run the Validation wizard on the Front End server to see if you get any errors.

    Hope this helps.

    Assisted Solution

    In addition you need to have the root certificate imported into the Local Computer Trusted Root Certification Authorities store on the workstation(s).
    If the CA you installed was not Active Directory integrated (Enterprise CA), which is only available in the Enterprise Edition of Windows, then root certificate enrollment does not happen automatically. You'll need to publish the root certificate in AD using DSPublish and enable automatic enrollment in the domain group policy.

    Author Comment

    Thanks guys for the response. Due to lack of time I was not yet able to try it out. I will implement it one of the following days and give you feedback.

    Assisted Solution

    You first need a certificate with SN=Pool FQDN and SAN=Front End server FQDN, and this is used for (M)TLS authentication between pool servers and Communicator clients.

    This certificate's SN matches the Internal Web Farm FQDN (same as the Pool FQDN) you entered while creating the pool. So you need to go into IIS on the Front End server and assign this certificate to the Default Web Site.

    If you do the above, surely everything will be fine and there is also no need to import the local CA to the machines, since they have already joined your domain and automatically have this certificate.
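As an added example (not code from the thread or from OCS), a PowerShell check that pulls the certificate the pool presents on port 5061 and verifies the three points raised in the accepted and assisted solutions above: it chains to a trusted root on this machine, its Subject CN is the pool FQDN, and its SAN lists the Front End FQDN and the SIP domain. The host names, SIP domain and port parameters are placeholders to be replaced with your own.

```powershell
# Added example, not from the thread: fetch the certificate the pool presents
# on TCP 5061 and check it against the answers above. Names are placeholders.
param(
    [string]$PoolFqdn  = "pool01.corp.example",   # placeholder pool FQDN
    [string]$FeFqdn    = "fe01.corp.example",     # placeholder Front End FQDN
    [string]$SipDomain = "sip.example.com",       # placeholder SIP domain
    [int]$Port         = 5061
)

# Accept any server certificate during the handshake so it can be inspected;
# the real trust decision is made explicitly with X509Chain further down.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

$client = New-Object System.Net.Sockets.TcpClient($PoolFqdn, $Port)
$tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $tls.AuthenticateAsClient($PoolFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
} finally {
    $tls.Dispose()
    $client.Close()
}

# 1. Does the certificate chain to a root in this machine's trusted stores?
#    (Revocation checking is skipped because a lab CA rarely publishes a CRL.)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

# 2. Subject CN should be the pool FQDN (the Internal Web Farm FQDN).
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# 3. SAN extension (OID 2.5.29.17) should list the Front End FQDN and SIP domain.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { "" }

New-Object PSObject -Property @{
    Issuer          = $cert.Issuer
    ChainTrusted    = $chainOk
    ChainStatus     = $chainStatus
    SubjectCN       = $subjectCn
    CnIsPoolFqdn    = ($subjectCn -eq $PoolFqdn)
    SanHasFrontEnd  = ($sanText -match [regex]::Escape($FeFqdn))
    SanHasSipDomain = ($sanText -match [regex]::Escape($SipDomain))
    NotAfter        = $cert.NotAfter
}
```

Run it on the test workstation that shows the "problem verifying the certificate" error: a false ChainTrusted points at the root store problem described in the second answer, while a false CnIsPoolFqdn or SanHas* value points at how the certificate was requested.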

