Address Book Download Issue (Vista Only)
Posted by Mino on July 6, 2009
This is a case I have faced right after the MVP award thing; it proves one thing to me. You will always learn till the last minute of your life whether you are a Ranger or MVP or even one of the product team themselves.
OK, here is the case: I have a pilot in an isolated environment where I have deployed 3 machines (AD + CA + Exchange, OCS Front End, OCS Mediation). The users are in another, production environment, and they are planning to test OC locally from their computers, which are joined to the production domain, not the pilot one.
I have everything configured fine: hosts file edited correctly, certificate chain imported, and Communicator is able to log in correctly with no problem. All of a sudden, all Vista machines are not able to download the address book or to retrieve Outlook free/busy information. However, XP machines are working smoothly with no problem.
OK, then we think logically: what is common between the Address Book and Exchange Free/Busy? Both are web services retrieved through HTTPS, so it has to be an IE problem.
After some Googling I found the solution on the UC No Evil blog, where he describes the details of the troubleshooting steps he did, and in the end it appeared to be the IE setting "Check for server certificate revocation" along with disabling Windows Vista User Account Control.
Below are the detailed steps as described on the blog:
1. Make sure this symptom is the same on all of your Vista clients.
2. Flush DNS by using ipconfig /flushdns on the client.
3. Verify within IE that 'Check for server certificate revocation*' is disabled. To do this go to IE > Advanced > Security section > Check for server certificate revocation*. Deselect the check box.
4. Now close Internet Explorer and close Communicator (completely: sign out and close the application).
5. Start Communicator and sign in.
6. If you're not presented with an error or the warning stating an issue accessing the Address Book, go to %userprofile%\Local Settings\Application data\Microsoft\Communicator and verify that a GalContacts.db file exists. If it does exist, GREAT! You're done. If not, continue with the rest of the procedure.
7. Within IE, add the Address Book URL from which users will download the AB files: IE > Internet Options > Security > Trusted Sites > Add the URL to trusted sites (ex. https://ocsfrontend.company.com)
8. Repeat steps 4-6.
9. If you still cannot download the address book, move to step 10.
10. Verify that User Account Control is off and then repeat steps 4-6.
Also some good technical details for the issue are available here on Microsoft Forums
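Before clearing the "Check for server certificate revocation" box, it helps to see which CRL locations the front-end certificate advertises and whether this client can actually fetch them. The PowerShell below is an added example, not from the original post or the UC No Evil blog; the function name Get-CrlReachability is hypothetical and the default host is the placeholder from the trusted-sites step.

```powershell
# Added example. Get-CrlReachability is a hypothetical helper name; the default
# host is the placeholder from the post's example URL, not a real server.
function Get-CrlReachability {
    param([string]$HostName = 'ocsfrontend.company.com', [int]$Port = 443)
    # Fetch the server certificate for inspection only: the callback accepts any
    # certificate, and nothing is sent over the connection after the handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # CRL Distribution Points extension (OID 2.5.29.31). On Windows, Format()
    # renders each location as a "URL=..." line.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($urls.Count -eq 0) {
        New-Object PSObject -Property @{ Check = 'CDP'; Target = $cert.Subject; Result = 'no CRL URL in certificate' }
    }
    foreach ($u in $urls) {
        # Only HTTP(S) locations are fetched; LDAP locations are listed for review.
        $result = 'not fetched (non-HTTP location)'
        if ($u -match '^https?://') {
            try {
                $bytes = (New-Object System.Net.WebClient).DownloadData($u)
                $result = "fetched $($bytes.Length) bytes"
            } catch { $result = "FAILED: $($_.Exception.Message)" }
        }
        New-Object PSObject -Property @{ Check = 'CDP'; Target = $u; Result = $result }
    }

    # Build the chain with online revocation checking and report each status flag.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.Build($cert)
    if ($chain.ChainStatus.Count -eq 0) {
        New-Object PSObject -Property @{ Check = 'Chain'; Target = $cert.Subject; Result = 'no errors' }
    }
    foreach ($s in $chain.ChainStatus) {
        New-Object PSObject -Property @{ Check = 'Chain'; Target = $cert.Subject; Result = "$($s.Status): $($s.StatusInformation.Trim())" }
    }
}
Get-CrlReachability | Format-Table Check, Target, Result -AutoSize -Wrap
```

A Chain row showing RevocationStatusUnknown or OfflineRevocation means a CRL could not be retrieved from this client.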
Tom Pacyk said
This sounds more like a workaround than an actual fix because disabling server cert revocation and UAC are both security holes.
I would imagine the real problem was in your server revocation setting. Check the CRL locations on your certs – is there a URL that is actually reachable by clients?
Mino said
If it was a problem with the CA revoke then it wouldn't happen with the Exchange Free/Busy, since it is using a self-signed certificate and I have added it to the trusted store too.
Plus the XP machines are working fine although they are not part of the domain... what do you think?
Joachim Farla said
Does this issue also occur when the latest hotfixes for Communicator 2007 are installed?
Mino said
Yes, but again keep in mind, this is a pilot on a separate domain and the user is trying from another domain.
richard said
Mino: just a side note, galcontacts.db does not appear immediately after a successful sign-in. There is a random value between 0 and 30 minutes for Communicator to actually try to download the address book file. You can force an immediate connection via this reg key:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator]
"GalDownloadInitialDelay"=dword:00000000
Mino said
I guess this issue is more related to a pilot implementation where the OCS is placed on a separate domain from the users' live domain.
But in normal scenarios I don't face such issues.