Monday, April 6, 2009 9:49 AM
Hi,
I've an OCS2007 Std Ed. integrated with Exchange2007SP1. Until last week all worked fine, but the certificates used for TLS authentication between OCS and UM Server have expired.
I've installed my own Enterprise CA (W2003) and I asked for a couple of new certificates. I've installed them on OCS and UM Server, then I configured in OCS the new certificate and in Exchange UM Server with Import-ExchangeCertificate and Enable-ExchangeCertificate but...
Now the TLS tunnel is not established, the Error ID is 14428 and the Category is (1001). The error description says:
"TLS outgoing connection failures.
Over the past 0 minutes Office Communications Server has experienced TLS
outgoing connection failures 1 time(s). The error code of the last failure is
0x80090322 (The target principal name is incorrect.) while trying to connect
to the host "minerva.umdemo.local".
Cause: Wrong principal error could happen if the peer presents a certificate
whose subject name does not match the peer name. Certificate root not trusted
error could happen if the peer certificate was issued by remote CA that is
not trusted by the local machine.
For untrusted root errors, ensure that the remote CA certificate chain is
installed locally. If you have already installed the remote CA certificate
chain, then try rebooting the computer.
and another error:
A significant number of invalid certificates have been provided by remote IP address 192.168.30.13 when attempting to establish an MTLS peer. There have been 31 such failures in the last 61 minutes.
Certificate Names associated with this peer were
The serial number of this certificate is
The issuer of this certificate is umdemoCA
Any idea what's happening?
Thanks in advance
Monday, April 6, 2009 12:53 PM
Moderator
Alberto,
Can you clarify whether or not the OCS FE server's FQDN does match that of the new certificate's SN field? Also were the original certificates from the same internal Enterprise CA or were the original certs from a different CA?
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Monday, April 6, 2009 4:47 PM
Hi Jeff,
In both cases (OCS Server and Exchange UM Server) the CN field (you typed SN, is that correct?) matches exactly the FQDN and I'm using the original CA to issue the new certificates to servers.
OCS is installed in Integrated topology and Exchange is installed on 2 servers, one for CAS, Hub and Mailbox and another for UM Server. Exchange 2007 is working OK, I can send and receive mails, and in OCS I can also use IM OK.
Thanks in advance
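
An added example, not part of the thread or of any poster's reply: one way to list the names carried by each certificate in a server's computer store and compare them with the host name in the 0x80090322 event. The function names are hypothetical, the store path `Cert:\LocalMachine\My` is an assumption about where the certificate was installed, and the `DNS Name=` parsing assumes an English-language Windows installation.

```powershell
# Added example; function names are hypothetical.
# Run on the server whose certificate is presented to the peer.
$PeerFqdn = 'minerva.umdemo.local'   # host name taken from the event text in the thread

function Get-CertDnsName {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common name from the Subject field
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17), if present
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) returns one entry per line, e.g. "DNS Name=host.example.test"
        # (assumption: English locale; the label is localized on other systems)
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-CertNameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern -ieq $HostName) { return $true }
    # A wildcard is honoured only as the whole left-most label
    if ($Pattern.StartsWith('*.')) {
        $firstDot = $HostName.IndexOf('.')
        if ($firstDot -gt 0) {
            return ($HostName.Substring($firstDot) -ieq $Pattern.Substring(1))
        }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $names = @(Get-CertDnsName -Cert $cert)
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter        # an expired certificate also fails the handshake
        HasPrivateKey = $cert.HasPrivateKey   # must be True for a server certificate
        Names         = ($names -join ', ')
        MatchesPeer   = [bool]($names | Where-Object { Test-CertNameMatch -Pattern $_ -HostName $PeerFqdn })
    }
} | Format-List
```

More than one certificate can show `MatchesPeer : True` (for example an older certificate left in the store), so compare the thumbprint with the one actually assigned to the service.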