Mino – The UC Guy

Microsoft Unified Communications Blog

Archive for the ‘Certificates’ Category

OCS Response Group Service failed to start with Error event ID 31193

Posted by Mino on October 14, 2009

We have OCS 2007 R2 Pool with 2 front end servers enterprise edition, let us say that the FQDN of the servers are OCSFE01.contoso.com, OCSFE02.contoso.com and the Pool name is OCSPOOL.contoso.com.

I created the certificate request for the front end servers using the OCS wizard where I added the Pool name in the CN and in the SAN also , then I clicked the check box of add local machine name to the SAN certificate.

Then I try to enable the OCS Services and I found that the OCS Response Group Service failed to start with the below error:

Log Name:      Office Communications Server
Source:        OCS Response Group Service
Event ID:      31193
Task Category: (2001)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OCSFE01.contoso.com
Description:
The provided certificate is not valid.

There was a problem validating certificate: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘OCSPOOL.contoso.com’ but the remote endpoint provided DNS claim ‘OCSFE01.contoso.com’. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity ‘OCSFE01.contoso.com’ as the Identity property of EndpointAddress when creating channel proxy.

 

How to Resolve:

The problem is in SAN certificate for the frontend servers you need to make sure that the last DNS entry in the SAN list matches the certificate subject name, which should be your pool name.

And since I clicked the checkbox of add local machine name to the SAN , so it added the FQDN of the machine as the last entry in the SAN and this was the problem.

So make sure that the CN should be the pool name ocspool.contoso.com and the last name in the SAN should also be pool name ocspool.contoso.com

 

Update : this is a known issue that  has been fixed with Hotfix in KB 969695

Posted in Certificates, Common Errors, Front End Server, OCS 2007 R2 | Tagged: , , , , , , | Leave a Comment »

Single certificate for OCS/Exchange/ISA usage

Posted by Mino on July 7, 2009

Any Post starting with this disclaimer means that this post was not written by me however I have liked it and added to my blog. I am also including the link to the original or similar post to provide credit to the original author.

http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx

Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to be using the same ISA 2006 server as the firewall, utilizing a Subject Alternative Name (SAN) certificate for your edge configuration and your ISA configuration can save you time, management hassles, and possibly provide cost savings as well. For internal servers, an internal PKI is just fine, but for the public interface of your system, you should most likely be looking at using a public-sourced key such as Go-Daddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.

The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006 – and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; you should replace my test domain with your own domain name.

Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and your ISA server computer account Trusted Root Certificate store and then you can use one certificate for all these uses. This approach leaves you with only the one certificate to manage and renew, or, if life treats you badly, move to a new server.

 

 

SAN Name

Usage

Notes

1

SIP.domain.com

OCS Edge Server

IM, Presence, Federation, PIC

2

webconf.domain.com

OCS Edge Server

Web Conferencing

3

AV.domain.com

OCS Edge Server

A/V

4

revproxy.domain.com

ISA Reverse Proxy

Web Components

5

CWA.domain.com

ISA Web Listener

Communicator Web Access

6

DOWNLOAD.CWA.domain.com

ISA Web Listener

CNAME for CWA desktop sharing

7

AS.CWA.domain.com

ISA Web Listener

CNAME for CWA desktop sharing

8

MAIL.domain.com

ISA publisher

Outlook Anywhere, OWA, POP, IMAP

9

AUTODISCOVER.domain.com

ISA Web Listener

Autodiscover for outlook and OCS.

Posted in A/V Edge Server, Certificates, Communicator Web Access, Consolidated Edge, Edge Server, Good Articles take from Other Blogs, OCS & Exchange07, OCS 2007 R2 | Tagged: , , , , , , , , , , , , , , , , , , | 10 Comments »

Address Book Download Issue (Vista Only)

Posted by Mino on July 6, 2009

This is a case I have faced right after the MVP award thing; it proves one thing to me.  You will always learn till the last minute of your life whether you are a Ranger or MVP or even one of the product team themselves. 

Ok here is the case; I have a Pilot on Isolated Environment where I have deployed 3 machines (AD+ CA+ Exchange, OCS Front End, OCS Mediation) And the users are on another production environment and they are planning to test the OC locally from their computers joined to the Production domain not the pilot one.

I have everything configured fine, hosts file edited correctly, Certificate Chain imported and Communicator is able to login correctly with no Problem. All of a Sudden all Vista machines are not able to download address book or to retrieve outlook free /busy information. However XP machines are working smoothly with no Problem

OK….then we think logic , what is common between Address Book and Exchange Free/ Busy?  Both are Web Services retrieved through HTTPS, so it has to be IE problem.

After some Googleing I found the solution on the UC No Evil blog as he describes details of troubleshooting steps he did and in the end it appeared to be the IE setting of Check for sever certificate revocation along with Disabling Windows Vista User Access Control

Below Are the Detailed Steps as described on the Blog:

  1. Make sure this symptom is the same on all of your Vista clients.
  2. Flush DNS by using ipconfig /flushdns on the client.
  3. Verify within IE that ‘Check for server certificate revocation* is disabled.  To do this go to IE > Advanced > Security section > Check for sever certificate revocation*.   Deselect the check box.
  4. Now  close Internet Explorer, close Communicator (Completely — sign-out and close application)
  5. Start Communicator| Sign in
  6. If you’re not presented with an error or the warning stating an issue accessing the Address Book, go to the %userprofile%\Local Settings\Application data\Microsoft\Communicator and verify that a GalContacts.db file exists.  If it does exist, GREAT! You’re done.   If not then continue with the rest of the procedure.
  7. Within IE add the Address Book URL that users will download the AB files.  IE > Internet Options > Security > Trusted Sites > Add the URL to trusted sites (ex.  https://ocsfrontend.company.com)
  8. Repeat steps 4-6
  9. If you still cannot download the address book try, move to step 10.
  10. Verify that User Access Control is off and then repeat steps 4-6.

Also some good technical details for the issue are available here on Microsoft Forums

Posted in Certificates, Common Errors, communicator client, Front End Server, Good Articles take from Other Blogs, Miscellaneous, OCS 2007 R2 | Tagged: , , , , , , , , , , , | 8 Comments »

How to Fix Exchange UM Certificate errors when Integrating with OCS 2007

Posted by Mino on May 19, 2009

Typically When Exchange 2007 is installed, it generates a self-issued certificate for use with IIS, SMTP, and SIP (if you’re using UM).  This certificate generally isn’t ideal for Outlook and OWA clients because it’s not trusted by any machines except for the Exchange server, and one of the first tasks to do is replace this certificate with one that is trusted by the user’s machines.

So typically you would request to buy a Public certificate for the Exchange and usually people don’t include the internal FQDN of the servers in this request.

On the Other Hand when you deploy the OCS 2007 you will require Certificate for each OCS server and this is required for securing the communication internally between OCS to OCS servers and OCS to Client. So you will deploy internal Enterprise CA in your domain to issue the certificates for the OCS , and since this is Enterprise CA so it will be published in the Active directory and it will be trusted by default for all internal domain user computers.

However when you try to integrate the OCS 2007 with the Exchange UM by this design , the first thing you will notice that the Voice mail is not accessible from the Communicator client  and it is giving you communicator error whenever you click on voice mail ,and you will find lots of Certificate event logs and OCS Protocol stack errors on both OCS front end and Exchange UM Server.

The reason behind that is because the Exchange UM server is still using the Exchange Self Signed certificate for its internal name and it is trying to communicate with the OCS using this certificate , and since the OCS doesn’t know anything about this issuer so it drops the connection.

To solve this problem we will have to replace the Exchange UM self signed certificate with one from the same CA that the OCS 2007 is using. To accomplish this task simply run the below command on the Exchange command shell.

New-ExchangeCertificate -GenerateRequest -Path c:\UMrequest.req -SubjectName “c=US, o=Contoso, cn=umsrv.mydomain.local” -DomainName mydomain.local  -PrivateKeyExportable $true

This will generate a request on the C: drive under the name of UMrequest.req  for the UM server internal FQDN umsrv.mydomain.local , open it with notepad and copy the content and then go to the PKI auto enrolment page https:\\pkisrv.mydomain.local\certsrv   to issue the certificate and save it locally .

Then we need to import the certificate to exchange and Enable it for UM service usage , my certificate is saved on the C: drive with the name of UMCertificate.cer

Import-ExchangeCertificate -Path c:\UMCertificate.cer

The last thing we will do is to enable this certificate for UM usage, first make sure to copy the Thumbprint of the certificate that you will see in the command shell then run the below command .

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e –Services UM

Restart UM service and restart OCS Front End Server and now you will get the UM working fine with the OCS and you will no longer see the protocol stack errors.

Posted in Certificates, Common Errors, communicator client, Front End Server, Mediation Server, OCS & Exchange07, OCS 2007 R2, Phone Edition, Unified Messaging | Tagged: , , , , , , , , , , | 3 Comments »

Tanjay (LG-Nortel) “Cannot download certificate because domain is not accessible. If the problem persists, contact your system administrator”

Posted by Mino on February 20, 2009

I had this problem with the Tanjay new phone when I plugged it to my DHCP network and i was not able to find the problem .

However after little trials i found the below solution.

 Normally there is two ways to logon to Active Directory:

1.       Domain\username

2.        username@domain.local

 

I was getting this certificate error because I was trying username@domain.local  however I have found that if you log into the phone using domain.local\username

 

The phone is able to find the domain and download the certificate.

 

I found this out while doing a packet trace on the phone one day and found this search behavior

 

Netbios AD name: test

UPN Suffix: test.local

DNS Suffix: abc.com – this is given to the phone via DHCP

 So the DNS queries from the phone was this

 

Away from all these complicated trace like stuff, if you want to solve this problem just login with domain.local\username   and it will work fine  J

Posted in Certificates, Phone Edition | Tagged: , , , , , | 6 Comments »