Validate Server; TLS Handshake Failed

    Question

  • Hello,

    I've installed OCS 2007 EE Beta 3 in my dev environment (2 front ends + 1 SQL DB). All is fine until step 9 in the deployment wizard; when I run this last step (Validate Server and Pool Functionality) I get the following errors:

     

    Pool devpool.eur.xxx.com

      DNS Resolution succeeded: 10.10.245.205
      TLS handshake failed: 10.10.245.205:5061 Error Code: 0x80131500 Remote disconnected while incoming tls negotation was in progress
      Failure
      [0xC3FC200D] One or more errors were detected

    Web Conferencing Server

      DNS Resolution succeeded: 10.10.245.205
      TLS handshake failed: 10.10.245.205:8057 Error Code: 0x80090308 outgoing TLS negotiation failed; HRESULT=-2146893048
      Failure
      [0xC3FC200D] One or more errors were detected


    I've created the DNS A and SRV records and the certificates are OK. I've opened an MS ticket but it seems they don't want to help (as it's a beta). If someone could help me, please; I'm a little bit lost.

    Thanks

    Phil

    Tuesday, 10 April 2007 13:56

Answers

  • Due to the lack of response to this thread, it has been locked and marked as closed.

    If you have a similar issue, please start a new thread.

    Wednesday, 13 June 2007 23:08

All replies

  • It sounds like a certificate issue.

    Can you try what this user tried in this post:

    http://forums.microsoft.com/Ocs2007publicbeta/ShowPost.aspx?PostID=1427862&SiteID=57

     

    Monday, 16 April 2007 05:34
  • I tried it; it doesn't help. I've installed a new front end (started the install from the beginning) but at the end I still have the same error!!

    TLS handshake failed: 10.10.245.209:5061 Error Code: 0x80090308 outgoing TLS negotiation failed; HRESULT=-2146893048

    Please, can anyone help me? Thanks

    Monday, 23 April 2007 09:16
  • Check your local computer certificate store and make sure you have a certificate for devpool.eur.xxx.com installed on both FE servers.

    Try to export the cert and make sure you have the private key (you should get the option to export the private key).

    Make sure the issuing CA is trusted by both servers.

    Pete

    Monday, 23 April 2007 12:01
  • Thanks for your help.

    Yes, the certificate is installed on the FE and I've even tried making a new one, but same result, and the issuing CA is trusted by the server.

    Monday, 23 April 2007 12:32
  • Are there any other details that might be relevant?

    Is 10.10.245.205 the IP address of your load balancer?

    "Remote disconnected while incoming tls negotation was in progress"
    Is it possible that there is an error in the load balancer config? Is the load balancer set up for DNAT and your pool for SNAT, or vice versa?

    Monday, 23 April 2007 13:14
  • I've removed the load balancer; now I have only one front end (activated), the new one I've created, 10.10.245.209.

    I did that trying to find the issue, but no way.

    SNAT for the pool.

    And I've tried to add TCP (used for the connection), and with TCP it works (except web conferencing: "Live Meeting cannot connect to the meeting. Wait a few moments and try to join the meeting again...").

    Monday, 23 April 2007 14:08
  • Too many moving parts now. Let's regroup.

    You have a single EE consolidated role server with a backend SQL server.

    Your EE and pool have an IP address of .209.

    Your pool FQDN resolves to .209.

    You have the pool cert on the EE server that includes the pool FQDN in the subject and has the private key.

    You have used the Computer Management/Services and Applications/Office Communications Server 2007 Public Beta snap-in to verify that both the Front End and Web Conferencing services are using the pool certificate.

    Neither MOC nor web conferencing works with TLS.

    Only MOC works with TCP.

    Are these statements correct?

    Monday, 23 April 2007 18:26
  • Yes, all is correct, except that now with the new front end I started to try expanded rather than consolidated (but it doesn't change anything; it was the same result before, and now I've installed all components on the same front end).
    Tuesday, 24 April 2007 09:14
  • If the certs are good, the only other thing I can think of is that there is some sort of firewall or port filtering app or virus protection installed that is not allowing either the incoming or outgoing response, or another application is running on the desired port on the server.

    Perhaps it is time to break out Network Monitor and see what the server is seeing when the validation runs.

    Tuesday, 24 April 2007 22:48
  • All servers are running as virtual machines on the same host... so I don't think it's something with ports or a firewall.
    Wednesday, 25 April 2007 07:51
  • The best thing to do would be to migrate from Beta 3 to Public Beta and then retry.
    Thursday, 26 April 2007 20:18
  • Exactly what I did... I'm running Public Beta now... and still the same...
    Thursday, 26 April 2007 20:32
  • This issue does appear to be related to incorrect certificates on the OCS servers.

    We need the following additional information to be able to continue:
    1) FQDN name of the server
    2) The FQDN of the Host Record referenced by the SRV records
    3) The SIP URI of the user trying to login via auto configuration
    4) The Subject Name of the Certificate, as well as the Subject Alternate Name

     

    Can you provide this information?

    Monday, 30 April 2007 17:51
  • Thom Foreman-Moderator wrote:

    This issue does appear to be related to incorrect certificates on the OCS servers.
    We need the following additional information to be able to continue:

    1) FQDN name of the server: TEURLCS05.eur.galmailtest.com

    2) The FQDN of the Host Record referenced by the SRV records:

    _sipinternaltls, domain eur.galmailtest.com, [0][0][5061] devpool.eur.galmailtest.com.

    devpool Host (A) = 10.10.245.209 = teurlcs05.eur.galmailtest.com = devpool.eur.galmailtest.com

    3) The SIP URI of the user trying to login via auto configuration: @galmailtest.com

    4) The Subject Name of the Certificate, as well as the Subject Alternate Name:

    Subject: devpool.eur.galmailtest.com

    Subject Alternative Name:
    DNS Name=sip.galmailtest.com
    DNS Name=sip.eur.galmailtest.com
    DNS Name=TEURLCS05.eur.galmailtest.com
    DNS Name=devpool.eur.galmailtest.com

    Can you provide this information? Thanks

    Monday, 7 May 2007 08:30
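A probe for the two failures discussed in this thread, as an added example that is not part of the original posts or of any OCS tooling: it runs a TLS handshake against a pool FQDN and port, reports the stage at which the exchange stopped (TCP connect, handshake, chain verification, or success), and checks the presented certificate's Subject and SAN against the names the pool needs (the checklist Pete and the moderator asked about). The host names, ports and `POOL_CERT` are assumptions constructed from the values posted above; `start_closing_listener` is a loopback stand-in for a peer that drops the connection mid-handshake, included so the probe can be exercised without an OCS server.

```python
"""Added example, not from the thread or from OCS tooling: a TLS probe and a
certificate-name check for an OCS pool.  Host names, ports and POOL_CERT are
assumptions built from the values posted in the thread."""
import socket
import ssl
import threading
from typing import Dict, List, Optional


def probe_tls(host: str, port: int, server_hostname: str,
              cafile: Optional[str] = None, timeout: float = 5.0) -> Dict:
    """Report where the exchange stopped: 'connect', 'handshake', 'verify' or 'ok'.

    A peer that accepts TCP and then drops the connection mid-handshake (the
    "Remote disconnected while ... negotiation was in progress" symptom) ends in
    'handshake'; an issuer this client does not trust ends in 'verify'.  Trust
    anchors come from cafile or, by default, the system store (on Windows, the
    machine's Trusted Root and Intermediate CA stores).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on; name matching is done by missing_names() so a
    # wrong Subject/SAN is reported separately from a chain failure.
    ctx.check_hostname = False
    result: Dict = {"stage": "connect", "error": None, "protocol": None, "cert": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    result["stage"] = "handshake"
    try:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            result["stage"] = "ok"
            result["protocol"] = tls.version()
            result["cert"] = tls.getpeercert()  # dict with 'subject' and 'subjectAltName'
    except ssl.SSLCertVerificationError as exc:
        result["stage"] = "verify"
        result["error"] = f"{type(exc).__name__}: {exc}"
    except OSError as exc:  # SSLEOFError, ConnectionResetError, timeout ...
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        raw.close()
    return result


def cert_dns_names(cert: Dict) -> List[str]:
    """Subject CN plus every SAN dNSName, from a getpeercert()-shaped dict, lower-cased."""
    names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or one wildcard covering the left-most label only (*.example.com)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return fqdn.endswith(suffix) and "." not in fqdn[:-len(suffix)]
    return False


def missing_names(cert: Dict, required: List[str]) -> List[str]:
    """Required FQDNs (pool, server, SRV target) that the certificate does not cover."""
    present = cert_dns_names(cert)
    return [n for n in required if not any(name_matches(p, n) for p in present)]


def start_closing_listener() -> int:
    """Loopback stand-in for a peer that drops the connection during the handshake.
    Accepts one TCP connection, closes it at once, and returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Constructed to mirror the Subject/SAN posted in the thread; not a real certificate.
POOL_CERT = {
    "subject": ((("commonName", "devpool.eur.galmailtest.com"),),),
    "subjectAltName": (
        ("DNS", "sip.galmailtest.com"),
        ("DNS", "sip.eur.galmailtest.com"),
        ("DNS", "TEURLCS05.eur.galmailtest.com"),
        ("DNS", "devpool.eur.galmailtest.com"),
    ),
}

if __name__ == "__main__":
    pool = "devpool.eur.galmailtest.com"           # assumed pool FQDN from the thread
    needed = [pool, "teurlcs05.eur.galmailtest.com"]
    for port in (5061, 8057):                      # ports named in the validation errors
        r = probe_tls(pool, port, pool)
        print(f"{pool}:{port} stage={r['stage']} {r['error'] or r['protocol']}")
        if r["cert"]:
            print("  names missing from cert:", missing_names(r["cert"], needed) or "none")
```

Run it from each front end in turn (and from the web conferencing server toward the front end) so that each side's trust store is the one being tested; a stop in stage 'verify' on one box but not another points at a missing issuing CA on that box. One caveat for a lab this old: a current Python/OpenSSL build refuses to negotiate TLS 1.0, the newest version Windows Server 2003-era Schannel offers, and that version mismatch also lands in stage 'handshake', so lower `minimum_version` on the context or probe from an older client when the target is such a host.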
  • I am experiencing this same error as well.

    Tuesday, 8 May 2007 23:17
  • Hello,

    I know that it seems too easy, but did you check on all your servers that date and time are in sync and that all servers are in the same time zone?

    I had TLS negotiation problems and they came from that;

    the symptoms were quite like yours: the connection begins but the server closes it before the end of the handshake...

    Thursday, 10 May 2007 14:00
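The clock-skew check suggested above, as an added example that is not part of the original posts: it sends an SNTP request (the 48-byte packet layout of RFC 4330) to a time source, computes this machine's offset with the usual symmetric-delay estimate, and flags hosts outside a tolerance. The host names are assumptions taken from the thread; the 5-minute tolerance is Kerberos' default maximum skew, chosen here only as a reasonable alarm line; `make_sample_reply` constructs a reply packet so the parser can be checked without a server.

```python
"""Added example, not from the thread: measure a machine's clock offset against
an NTP source and flag skew beyond a tolerance.  Host names are assumptions
taken from the thread; the tolerance is Kerberos' default, used as an alarm line."""
import socket
import struct
import time
from typing import Dict, List, Optional, Tuple

NTP_UNIX_DELTA = 2208988800     # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0       # 5 minutes; assumed tolerance for this example


def ntp_timestamp(unix_time: float) -> bytes:
    """Encode Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time)
    frac = min(int(round((unix_time - secs) * 2**32)), 2**32 - 1)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, frac)


def from_ntp_timestamp(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def parse_ntp_reply(packet: bytes) -> Tuple[float, float]:
    """Return (receive, transmit) timestamps: bytes 32..39 and 40..47 of a server reply."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:               # 4 = server reply
        raise ValueError(f"unexpected NTP mode {mode}")
    return from_ntp_timestamp(packet[32:40]), from_ntp_timestamp(packet[40:48])


def make_sample_reply(t2: float, t3: float) -> bytes:
    """Constructed server reply (LI=0, VN=3, mode 4) carrying given receive/transmit times."""
    return b"\x1c" + b"\x00" * 31 + ntp_timestamp(t2) + ntp_timestamp(t3)


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """Remote minus local clock, assuming symmetric path delay: ((t2-t1)+(t3-t4))/2."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def ntp_offset(host: str, port: int = 123, timeout: float = 2.0) -> Optional[float]:
    """Query host; return its offset from this machine's clock, or None if no reply."""
    request = b"\x1b" + b"\x00" * 47    # LI=0, VN=3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            t1 = time.time()
            sock.sendto(request, (host, port))
            data, _ = sock.recvfrom(512)
            t4 = time.time()
        except OSError:
            return None
    t2, t3 = parse_ntp_reply(data)
    return clock_offset(t1, t2, t3, t4)


def skew_report(offsets: Dict[str, Optional[float]],
                tolerance: float = KERBEROS_MAX_SKEW) -> Dict[str, List[str]]:
    """Sort hosts into 'ok', 'skewed' (|offset| > tolerance) and 'unreachable'."""
    report: Dict[str, List[str]] = {"ok": [], "skewed": [], "unreachable": []}
    for host, off in offsets.items():
        if off is None:
            report["unreachable"].append(host)
        elif abs(off) > tolerance:
            report["skewed"].append(host)
        else:
            report["ok"].append(host)
    return report


if __name__ == "__main__":
    # Assumed reference sources; run this on each OCS and SQL box and compare the offsets.
    sources = ["teurlcs05.eur.galmailtest.com", "devpool.eur.galmailtest.com"]
    offsets = {h: ntp_offset(h) for h in sources}
    for h, off in offsets.items():
        print(f"{h}: {'no reply' if off is None else f'{off:+.3f} s'}")
    print(skew_report(offsets))
```

Domain members do not answer NTP queries unless the Windows Time service's NtpServer provider is enabled, so the practical use is to run this on each OCS and SQL server against the same reference (normally the domain's PDC emulator) and compare the printed offsets; the built-in equivalent is `w32tm /stripchart /computer:<reference>` on each box. A certificate whose validity period has not yet begun on the peer's clock fails the handshake in just the way the post above describes.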
  • Hi Phil,

    Can you let us know the status of your issue? Have you been able to find a resolution? If so, can you share it with the forums?

    Friday, 1 June 2007 06:00
  • Hi Phil,

    Can you let me know the status of your issue? Are you still having this problem? I want to bring in some more help on this, but want to make sure you are still having this problem before i do. Please let me know ASAP.

    Thursday, 7 June 2007 17:30