Solved

Cannot IM Contacts in a conference IM

Posted on 2010-08-16
14
2,048 Views
Last Modified: 2013-11-29
When I add serveral users to an IM and try to IM them I get a 3098 error. I can however IM users one at a time. This is all internal use at this point. No remote users.
I saw a thread on here that said:
In the Certficates Snap-in for local computer open the Root Certificate located in the Trusted Roots Certification store.  Click on the Details Tab and then click the Edit Properties.

Here you will see Certificate Purposes.  If Enable only the following purposes is checked you need to ensure Client Authentication is check here or Enable all purposes for this certificate since the certificate issue to the Pool from this CA chain includes Client Authentication in it's EKU.

I checked the cert for the pool and "Enable all purposes for this certificate" is checked, but in the cert detials under EKU I only see "Server Authentication". Is this an issue? FYI, this is an interanl cert issued by our internal CA Server.

My Environment Details:
All OCS  servers are running Windows server 2008 Ent R2 x64
OCS Version: OCS 2007 Server EE R2
2 FE servers behind a Coyote load balancer
0
Comment
Question by:07vette
  • 8
  • 4
  • 2
14 Comments
 
LVL 7

Expert Comment

by:Illusionist
ID: 33447459
Its possible that the certificate is causing the issue.
How many SAN entries do you have.
Does the POOL Cert have the SAN entries of Both the FE?
0
 
LVL 3

Expert Comment

by:Girish_2500
ID: 33447510
Hey,

I think the certs are ok because you can still communicate with the existing cert.
It's just you are not able to escalate IM communication to IM conference.

Here is few things that you can check.

1) All services should be running .
2) You have mentioned about Windows 2008 ENT R2
Did you update your server with KB982021 ?
update number 3,5 and number 6.
3) Post the complete description of error 3098
4) Turn on the Loggin in Communicator client and see if it generates any kind of event or check the Tracing log which is in %userprofile%  \Tracing\Uccapi log.
0
 

Author Comment

by:07vette
ID: 33447542
There are 8 entries in the SAN. The pool cert on OCSFE1 has OCSFE1 name listed in the SAN, but does not have OCSFE2 name in the SAN and the pool cert on OCSFE2  has OCSFE2 name listed in the SAN, but does not have OCSFE1 name in the SAN.
0
 
LVL 7

Expert Comment

by:Illusionist
ID: 33447887
You Need to have one Certificate for the POOL which will have the SAN entries for both the FE. Associate the same cert on both the FE.
The SAN entry for the cert should also have the POOL name as a SAN entry apart from the Subject Name.
0
 

Author Comment

by:07vette
ID: 33448721
I changed the Pool cert to have all FE server names listed in the SAN. The pool name was already listed in the SAN so I left it. I am still not able to IM conference. Here is the Application event log on my laptop  when I try to IM in a multi users conferece.

Event Type:      Warning
Event Source:      Communicator
Event Category:      None
Event ID:      11
Date:            8/16/2010
Time:            2:05:14 PM
User:            N/A
Computer:      ALEDISPITSS1880
Description:
A SIP request made by Communicator failed in an unexpected manner (status code 80ef025b). More information is contained in the following technical data:
 
 RequestUri:   sip:rhall@company.net;gruu;opaque=app:conf:chat:id:948E4E4AB5F5144AB979314E27991E3F
From:         sip:rhall@company.net;tag=1404c8f82e
To:           sip:rhall@company.net;gruu;opaque=app:conf:chat:id:948E4E4AB5F5144AB979314E27991E3F;tag=BA75ED3A19388E9E48D7BCEA4AE26622
Call-ID:      b28772b7709449f9948376c82f03939b
Content-type: application/sdp;call-type=im

v=0
o=- 0 0 IN IP4 10.100.9.128
s=session
c=IN IP4 10.100.9.128
t=0 0
m=message 5060 sip null
a=accept-types:text/plain multipart/alternative image/gif text/rtf text/html application/x-ms-ink application/ms-imdn+xml text/x-msmsgsinvite


Response Data:

603  Decline
ms-diagnostics:  3098;reason="No MCU Factory Available";source="CLOOCSPOOL02PP.COMPANY.LOCAL"

 
 Resolution:
 If this error continues to occur, please contact your network administrator. The network administrator can use a tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit in order to interpret any error codes listed above.
0
 
LVL 3

Expert Comment

by:Girish_2500
ID: 33452805
hi,


Check the following on the server

All certs should be in there respective store.
Root must not contain Intermediate cert or vice-versa.
then

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
5. Right-click SendTrustedIssuerList, and then click Modify.
6. In the Value data box, type 0 if that value is not already displayed, and then
click OK.
7. Exit Registry Editor.

Also, try to run validation for OCS servers .
0
 

Author Comment

by:07vette
ID: 33454103
Hi Girish,

I am looking in the cert mmc and I see that the Root cert is in the Trusted root Certification Autorities\Certificates folder and the Intermediate Certification Authories\Certificate folder as well. Should the Pool cert be in the intermediate folder? The Pool cert is only under Personal certificates.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:07vette
ID: 33455376
Ok here is where I am at now.

I added the Pool cert to the intermediate Certificate folder. - Still get 3098 error in conference

Added SendTrustedIssuerList registery key with value of "0" to FE servers. I then rebooted. - I still get 3098 error in conference.
When I run the "Validate Web Conferencing Server Functionality" Everything is successful except for these errors:
-----------------------------------------------------------------------------------------------------------------------------
Check MCU Factory Connectivity  
 MCU Type: meeting
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL:444/LiveServer/MCUFactory/
HTTP Connectivity Error : ConnectFailure
HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
the server certificate must be present.

   Failure
[0xC3FC200D] One or more errors were detected  

Attempting to send a CCCP HTTP request https://CLOOCSPOOL01.FRACTECH.LOCAL:444/LiveServer/Focus
HTTP Connectivity Error : ConnectFailure
HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
the server certificate must be present.

   Failure
[0xC3FC200D] One or more errors were detected  
-----------------------------------------------------------------------------------------------------------------------------
0
 

Author Comment

by:07vette
ID: 33455817
I just ran the "Validate Web Components server functionality" Wizard. I receive serveral errors. Here is the whole log. I checked like it suggested and IIS is running on both FE servers.

-----------------------------------------------------------------------------------------------------------------------------

Initialize  
Machine FQDN: CLOOCSPOOL01PP.FRACTECH.LOCAL
WMI Repository Path: \\.\root\cimv2
Host Name: CLOOCSPOOL01PP.FRACTECH.LOCAL
Product Version: Microsoft Office Communications Server 2007 R2 3.5.6907.41
Installed components:
ASMCU
APPLICATIONSERVER
DATAMCUWEB
ACPMCU
GROUPEXPANSION
IMMCU
DATAMCU
AUDIOVIDEOMCU
ARCHIVINGAGENT
ADMINTOOL
EE

Service Status:

RTCAVMCU: Running
RTCDATAMCU: Running
RTCASMCU: Running
RTCIMMCU: Running
RTCSRV: Running
RTCACPMCU: Running

Backend: FTSSQLCLST01
   Success
 

Diagnose WebComponents  
Check Configuration: True
Check Connectivity: True
   Failure
[0xC3FC200D] One or more errors were detected  

Check Configuration       Success
WMI Class MSFT_SIPGroupExpansionSetting   WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPGroupExpansionSetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPGroupExpansionSetting.Backend="FTSSQLCLST01",InstanceID="{302B6696-523F-4BD4-9673-05AEE289C392}"
Backend (String): FTSSQLCLST01
EnableDLOperation (Boolean): True
ExternalDLExpansionWebURL (String): https://extweb.fractech.net/GroupExpansion/Ext/service.asmx
InstanceID (String): {302B6696-523F-4BD4-9673-05AEE289C392}
InternalDLExpansionWebURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/GroupExpansion/Int/service.asmx
MaxGroupSize (UInt32): 100
   Success
 

WMI Class MSFT_SIPAddressBookSetting  
WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPAddressBookSetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPAddressBookSetting.Backend="FTSSQLCLST01",InstanceID="{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}"
Backend (String): FTSSQLCLST01
DaysToKeep (UInt32): 30
ExternalURL (String): https://extweb.fractech.net/Abs/Ext/Handler
IgnoreGenericRules (Boolean): False
InstanceID (String): {D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}
InternalURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/Abs/Int/Handler
MaxDeltaFileSizePercentage (UInt32): 1250
OutputLocation (String): \\CLOFS01PP\OCS_ADDRESS_BOOK
PartitionOutputByOU (Boolean): False
RunTime (UInt32): 130
SynchronizeNow (Boolean): False
SynchronizePollingIntervalSecs (UInt32): 300
UseNormalizationRules (Boolean): True
WebServiceEnabled (Boolean): True
   Success
 

WMI Class MSFT_SIPDataMCUCapabilitySetting  
WMI Class Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPDataMCUCapabilitySetting
WMI Instance Path: \\CLOOCSPOOL01PP\root\cimv2:MSFT_SIPDataMCUCapabilitySetting.Backend="FTSSQLCLST01",InstanceID="{086D006C-8672-4A73-A488-3F9346D4F98C}"
Backend (String): FTSSQLCLST01
ContentExpirationGracePeriod (UInt32): 14
ContentStorageLimit (UInt32): 500
ExternalClientContentDownloadURL (String): https://extweb.fractech.net/etc/place/null
HandoutsStorageLimit (UInt32): 150
InMeetingHelpURL (String): http://r.office.microsoft.com/r/rlidLiveMeeting
InstanceID (String): {086D006C-8672-4A73-A488-3F9346D4F98C}
InternalClientContentDownloadURL (String): https://CLOOCSPOOL01.FRACTECH.LOCAL/etc/place/null
MeetingMetadataLocation (String): \\CLOFS01PP\OCS_MEETING_METADATA
MeetingPresentationContentLocation (String): \\CLOFS01PP\OCS_MEETING_CONTENT
   Success
 

Check Connectivity       Failure [0xC3FC200D] One or more errors were detected  

Check GroupExpansion       Failure [0xC3FC200D] One or more errors were detected  
Check Http URL
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/GroupExpansion/Int/service.asmx
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running.
   Failure
[0xC3FC200D] One or more errors were detected  

Check Http URL  
URL: https://extweb.fractech.net/GroupExpansion/Ext/service.asmx
Error: ConnectFailure
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
   Warning
[0x43FC200C] Not all checks were successful  

Checking Address Book Server configuration   Failure [0xC3FC200D] One or more errors were detected
Check Http URL   URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/Abs/Int/Handler/D-0db1-0db2.dabs
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running.
   Failure
[0xC3FC200D] One or more errors were detected  

Check Web Conferencing Server Virtual Directory Setting Failure [0xC3FC200D] One or more errors were detected
Check Http URL  
URL: https://CLOOCSPOOL01.FRACTECH.LOCAL/etc/place/null/slidefiles/blank.png
Internal Error: ConnectFailure
Suggested Resolution: Check to make sure the IIS service is running. Failure [0xC3FC200D] One or more errors were detected  

Check Http URL  
URL: https://extweb.fractech.net/etc/place/null/slidefiles/blank.png
Error: ConnectFailure
Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.
   Warning
[0x43FC200C] Not all checks were successful  
___________________________________________________________________________________
0
 
LVL 3

Expert Comment

by:Girish_2500
ID: 33456351
Hi,

Pool cert should be under the "personal only" and Root under "trusted root only".
Verify these
1) you should be telnet <FQDN of the FE server > 444 on the server itself.
Port 444 should be allowed in load balancer.
Also , you should be able to do telnet < FQDN of the Pool > 444 and in response you get a blank command prompt.

2) Do have a cert assigned to IIS "Default web Site " ? If not assigned it immediately.
To bind cert to the Default Web site
Go to Default web site > right click
Edit Bindings > select
select 443 and assign the same cert assigned to the pool.
0
 

Author Comment

by:07vette
ID: 33456647
I can telnet into both FE FQDN and the POOL FQDN on port 444. The Cert for the pool is binding to the Default website on port 443 and All Unassigned IP is selected.
0
 

Author Comment

by:07vette
ID: 33468435
It looks like it is the load balancer. I edited the host file on the FE servers to bypass the Load Balancer. After a few minutes I was able to Conference IM serveral users and also do meeting invites and have users join. I am going to do more testing before I call Coyote.

On a side note. Is there a way to delete comments on a post? I just realized I have my company info in the logs I pasted here.
0
 
LVL 3

Expert Comment

by:Girish_2500
ID: 33473787
Hi,

good catch !!
regarding the logs , I guess only moderators can delete it.

0
 

Accepted Solution

by:
07vette earned 0 total points
ID: 33589632
Since I determined that it was the load balancer. i took a closer look at it and found that Spoofing was enabled. After I unchecked spoofing the issue resolved itself. Sorry for the late status update. I am not working on the external facing peice of OCS.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

1. Boot PC and press F10, select storage options and change the compatibility from “AHCI” to “IDE”, save and exit 2. Boot PC and press F12 3. Upon PXE display of searching for DHCP server, press Pause break to obtain MAC address 3. Open Configu…
Problem Description: Actually I found the below issue with some customers after migration from SMS 2003 to SCCM 2007 and epically if they change site code, some clients may appear in the console with old site code, plus old sites still appearing …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now