Cannot IM Contacts in a conference IM

When I add several users to an IM and try to IM them I get a 3098 error. I can however IM users one at a time. This is all internal use at this point. No remote users.
I saw a thread on here that said:
In the Certificates Snap-in for local computer open the Root Certificate located in the Trusted Roots Certification store.  Click on the Details Tab and then click the Edit Properties.

Here you will see Certificate Purposes.  If Enable only the following purposes is checked you need to ensure Client Authentication is checked here or Enable all purposes for this certificate since the certificate issued to the Pool from this CA chain includes Client Authentication in its EKU.

I checked the cert for the pool and "Enable all purposes for this certificate" is checked, but in the cert details under EKU I only see "Server Authentication". Is this an issue? FYI, this is an internal cert issued by our internal CA Server.

My Environment Details:
All OCS  servers are running Windows server 2008 Ent R2 x64
OCS Version: OCS 2007 Server EE R2
2 FE servers behind a Coyote load balancer
07vetteAsked:

IllusionistCommented:
It's possible that the certificate is causing the issue.
How many SAN entries do you have?
Does the POOL Cert have the SAN entries of Both the FE?
0
Girish_2500Commented:
Hey,

I think the certs are ok because you can still communicate with the existing cert.
It's just you are not able to escalate IM communication to IM conference.

Here are a few things that you can check.

1) All services should be running.
2) You have mentioned Windows 2008 ENT R2.
Did you update your server with KB982021?
update number 3,5 and number 6.
3) Post the complete description of error 3098
4) Turn on the logging in the Communicator client and see if it generates any kind of event, or check the tracing log, which is in %userprofile%\Tracing\Uccapi log.
0
07vetteAuthor Commented:
There are 8 entries in the SAN. The pool cert on OCSFE1 has OCSFE1 name listed in the SAN, but does not have OCSFE2 name in the SAN and the pool cert on OCSFE2  has OCSFE2 name listed in the SAN, but does not have OCSFE1 name in the SAN.
0
IllusionistCommented:
You need to have one Certificate for the POOL which will have the SAN entries for both the FE. Associate the same cert on both the FE.
The SAN entry for the cert should also have the POOL name as a SAN entry apart from the Subject Name.
0
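The SAN requirement described in the answer above can be checked on each Front End with a short script. This is an added example, not part of the original thread; the host names in `$required` are constructed placeholders, and the `DNS Name=` match assumes an English-language Windows install.

```powershell
# Added example: audit certificates with a private key in the local machine store.
# Constructed placeholder names: replace with your pool FQDN and every FE FQDN.
$required   = @('pool01.example.local', 'ocsfe1.example.local', 'ocsfe2.example.local')
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Get-CertDnsNames($Cert) {
    $names = @()
    # The subject's simple name (CN) counts as a name the certificate covers.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn) { $names += $cn.ToLower() }
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim().ToLower() }
        }
    }
    $names | Select-Object -Unique
}

function Get-CertEkuOids($Cert) {
    # OID 2.5.29.37 is the Enhanced Key Usage extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ext, $ext.Critical
        $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert  = $_
    $names = @(Get-CertDnsNames $cert)
    $ekus  = @(Get-CertEkuOids $cert)
    $noEku = ($ekus.Count -eq 0)   # no EKU extension means the cert is not purpose-restricted
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        MissingNames = @($required | Where-Object { $names -notcontains $_ }) -join ', '
        ServerAuth   = $noEku -or ($ekus -contains $serverAuth)
        ClientAuth   = $noEku -or ($ekus -contains $clientAuth)
    }
} | Format-List Subject, Thumbprint, NotAfter, MissingNames, ServerAuth, ClientAuth
```

Run it on every Front End: the pool certificate should show an empty `MissingNames` and the same `Thumbprint` on each server.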
07vetteAuthor Commented:
I changed the Pool cert to have all FE server names listed in the SAN. The pool name was already listed in the SAN so I left it. I am still not able to IM conference. Here is the Application event log on my laptop when I try to IM in a multi-user conference.

Event Type:      Warning
Event Source:      Communicator
Event Category:      None
Event ID:      11
Date:            8/16/2010
Time:            2:05:14 PM
User:            N/A
Computer:      ALEDISPITSS1880
Description:
A SIP request made by Communicator failed in an unexpected manner (status code 80ef025b). More information is contained in the following technical data:
 
 RequestUri:   sip:rhall@company.net;gruu;opaque=app:conf:chat:id:948E4E4AB5F5144AB979314E27991E3F
From:         sip:rhall@company.net;tag=1404c8f82e
To:           sip:rhall@company.net;gruu;opaque=app:conf:chat:id:948E4E4AB5F5144AB979314E27991E3F;tag=BA75ED3A19388E9E48D7BCEA4AE26622
Call-ID:      b28772b7709449f9948376c82f03939b
Content-type: application/sdp;call-type=im

v=0
o=- 0 0 IN IP4 10.100.9.128
s=session
c=IN IP4 10.100.9.128
t=0 0
m=message 5060 sip null
a=accept-types:text/plain multipart/alternative image/gif text/rtf text/html application/x-ms-ink application/ms-imdn+xml text/x-msmsgsinvite


Response Data:

603  Decline
ms-diagnostics:  3098;reason="No MCU Factory Available";source="CLOOCSPOOL02PP.COMPANY.LOCAL"

 
 Resolution:
 If this error continues to occur, please contact your network administrator. The network administrator can use a tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit in order to interpret any error codes listed above.
0
Girish_2500Commented:
hi,


Check the following on the server

All certs should be in their respective store.
Root must not contain Intermediate cert or vice-versa.
then

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
5. Right-click SendTrustedIssuerList, and then click Modify.
6. In the Value data box, type 0 if that value is not already displayed, and then click OK.
7. Exit Registry Editor.

Also, try to run validation for OCS servers.
0
07vetteAuthor Commented:
Hi Girish,

I am looking in the cert mmc and I see that the Root cert is in the Trusted Root Certification Authorities\Certificates folder and the Intermediate Certification Authorities\Certificate folder as well. Should the Pool cert be in the intermediate folder? The Pool cert is only under Personal certificates.
0
07vetteAuthor Commented:
Ok here is where I am at now.

I added the Pool cert to the intermediate Certificate folder. - Still get 3098 error in conference

Added SendTrustedIssuerList registry key with value of "0" to FE servers. I then rebooted. - I still get 3098 error in conference.
When I run the "Validate Web Conferencing Server Functionality" Everything is successful except for these errors:
-----------------------------------------------------------------------------------------------------------------------------
Check MCU Factory Connectivity  
 MCU Type: meeting
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL:444/LiveServer/MCUFactory/
HTTP Connectivity Error : ConnectFailure
HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
the server certificate must be present.

   Failure
[0xC3FC200D] One or more errors were detected  

Attempting to send a CCCP HTTP request https://CLOOCSPOOL01.FRACTECH.LOCAL:444/LiveServer/Focus
HTTP Connectivity Error : ConnectFailure
HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
the server certificate must be present.

   Failure
[0xC3FC200D] One or more errors were detected  
-----------------------------------------------------------------------------------------------------------------------------
0
07vetteAuthor Commented:
I just ran the "Validate Web Components server functionality" Wizard. I receive several errors. Here is the whole log. I checked like it suggested and IIS is running on both FE servers.

-----------------------------------------------------------------------------------------------------------------------------

Initialize  
Machine FQDN: CLOOCSPOOL01PP.FRACTECH.LOCAL
WMI Repository Path: \\.\root\cimv2
Host Name: CLOOCSPOOL01PP.FRACTECH.LOCAL
Product Version: Microsoft Office Communications Server 2007 R2 3.5.6907.41
Installed components:
ASMCU
APPLICATIONSERVER
DATAMCUWEB
ACPMCU
GROUPEXPANSION
IMMCU
DATAMCU
AUDIOVIDEOMCU
ARCHIVINGAGENT
ADMINTOOL
EE

Service Status:

RTCAVMCU: Running
RTCDATAMCU: Running
RTCASMCU: Running
RTCIMMCU: Running
RTCSRV: Running
RTCACPMCU: Running

Backend: FTSSQLCLST01
   Success
 

Diagnose WebComponents  
Check Configuration: True
Check Connectivity: True
   Failure
[0xC3FC200D] One or more errors were detected  

Check Configuration       Success
WMI Class MSFT_SIPGroupExpansionSetting   WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPGroupExpansionSetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPGroupExpansionSetting.Backend="FTSSQLCLST01",InstanceID="{302B6696-523F-4BD4-9673-05AEE289C392}"
Backend (String): FTSSQLCLST01
EnableDLOperation (Boolean): True
ExternalDLExpansionWebURL (String): https://extweb.fractech.net/GroupExpansion/Ext/service.asmx
InstanceID (String): {302B6696-523F-4BD4-9673-05AEE289C392}
InternalDLExpansionWebURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/GroupExpansion/Int/service.asmx
MaxGroupSize (UInt32): 100
   Success
 

WMI Class MSFT_SIPAddressBookSetting  
WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPAddressBookSetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPAddressBookSetting.Backend="FTSSQLCLST01",InstanceID="{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}"
Backend (String): FTSSQLCLST01
DaysToKeep (UInt32): 30
ExternalURL (String): https://extweb.fractech.net/Abs/Ext/Handler
IgnoreGenericRules (Boolean): False
InstanceID (String): {D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}
InternalURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/Abs/Int/Handler
MaxDeltaFileSizePercentage (UInt32): 1250
OutputLocation (String): \\CLOFS01PP\OCS_ADDRESS_BOOK
PartitionOutputByOU (Boolean): False
RunTime (UInt32): 130
SynchronizeNow (Boolean): False
SynchronizePollingIntervalSecs (UInt32): 300
UseNormalizationRules (Boolean): True
WebServiceEnabled (Boolean): True
   Success
 

WMI Class MSFT_SIPDataMCUCapabilitySetting  
WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPDataMCUCapabilitySetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPDataMCUCapabilitySetting.Backend="FTSSQLCLST01",InstanceID="{086D006C-8672-4A73-A488-3F9346D4F98C}"
Backend (String): FTSSQLCLST01
ContentExpirationGracePeriod (UInt32): 14
ContentStorageLimit (UInt32): 500
ExternalClientContentDownloadURL (String): https://extweb.fractech.net/etc/place/null
HandoutsStorageLimit (UInt32): 150
InMeetingHelpURL (String): http://r.office.microsoft.com/r/rlidLiveMeeting
InstanceID (String): {086D006C-8672-4A73-A488-3F9346D4F98C}
InternalClientContentDownloadURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/etc/place/null
MeetingMetadataLocation (String): \\CLOFS01PP\OCS_MEETING_METADATA
MeetingPresentationContentLocation (String): \\CLOFS01PP\OCS_MEETING_CONTENT
   Success
 

Check Connectivity       Failure [0xC3FC200D] One or more errors were detected  

Check GroupExpansion       Failure [0xC3FC200D] One or more errors were detected  
Check Http URL
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/GroupExpansion/Int/service.asmx
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running.
   Failure
[0xC3FC200D] One or more errors were detected  

Check Http URL  
URL: https://extweb.fractech.net/GroupExpansion/Ext/service.asmx
Error: ConnectFailure
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
   Warning
[0x43FC200C] Not all checks were successful  

Checking Address Book Server configuration   Failure [0xC3FC200D] One or more errors were detected
Check Http URL   URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/Abs/Int/Handler/D-0db1-0db2.dabs
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running.
   Failure
[0xC3FC200D] One or more errors were detected  

Check Web Conferencing Server Virtual Directory Setting Failure [0xC3FC200D] One or more errors were detected
Check Http URL  
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/etc/place/null/slidefiles/blank.png
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running. Failure [0xC3FC200D] One or more errors were detected  

Check Http URL  
URL: https://extweb.fractech.net/etc/place/null/slidefiles/blank.png
Error: ConnectFailure
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
   Warning
[0x43FC200C] Not all checks were successful  
___________________________________________________________________________________
0
Girish_2500Commented:
Hi,

Pool cert should be under the "personal only" and Root under "trusted root only".
Verify these:
1) You should be able to telnet <FQDN of the FE server> 444 on the server itself.
Port 444 should be allowed in the load balancer.
Also, you should be able to do telnet <FQDN of the Pool> 444 and in response you get a blank command prompt.

2) Do you have a cert assigned to the IIS "Default Web Site"? If not, assign it immediately.
To bind the cert to the Default Web Site:
Go to Default Web Site > right click
Edit Bindings > select
select 443 and assign the same cert assigned to the pool.
0
07vetteAuthor Commented:
I can telnet into both FE FQDN and the POOL FQDN on port 444. The Cert for the pool is binding to the Default website on port 443 and All Unassigned IP is selected.
0
07vetteAuthor Commented:
It looks like it is the load balancer. I edited the host file on the FE servers to bypass the Load Balancer. After a few minutes I was able to Conference IM several users and also do meeting invites and have users join. I am going to do more testing before I call Coyote.

On a side note. Is there a way to delete comments on a post? I just realized I have my company info in the logs I pasted here.
0
Girish_2500Commented:
Hi,

good catch !!
regarding the logs , I guess only moderators can delete it.

0
07vetteAuthor Commented:
Since I determined that it was the load balancer, I took a closer look at it and found that Spoofing was enabled. After I unchecked spoofing the issue resolved itself. Sorry for the late status update. I am not working on the external facing piece of OCS.
0
