Unable to login via Edge server with error C3E93D86
1 June 2009 10:36

When trying to login via a newly configured Edge Server from within the company network the client receives the following message:

Microsoft Office Communicator 2007
Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator.

After a few tries, the following is logged on the Edge server:

EventID: 14501
Event Source: OCS Protocol Stack
A significant number of invalid certificates have been provided by remote IP address 10.5.6.98 when attempting to establish an MTLS peer. There have been 10 such failures in the last 0 minutes.
Certificate Names associated with this peer were
The serial number of this certificate is .
The issuer of this certificate is
The specific failure types and their counts are identified below.
Instance count - Failure Type
10 C3E93D86

If I try from outside the network on a non-domain system I get a slightly different error (presumably because there's no client certificate):

EventID: 14502
Event Source: OCS Protocol Stack
A significant number of connection failures have occurred with remote server Unknown IP 78.136.49.150. There have been 60 failures in the last 60 minutes. There have been a total of 60 failures.
The specific failure types and their counts are identified below.
Instance count - Failure Type
60 C3E93D86
This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.

Passing C3E93D86 through `lcserror' results in the following:

>lcserror C3E93D86
0x83E93D86 -> None matched
0x80003D86 -> None matched

No errors get logged on our standard pool server. We're running OCS 2007 R2 Standard on Windows 2008. Our Edge server is not a member of a domain but in a workgroup.
The only validation error we get is due to the fact we haven't configured a voice location profile.
There is no internal firewall between the clients and the OCS server. Externally the following TCP ports have been opened: 443; 5060; 5061.
Any suggestions on how to progress from here would be greatly appreciated.
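The two OCS Protocol Stack events quoted above (14501 for MTLS peers presenting a certificate the Edge rejects, 14502 for plain connection failures) carry the same three things an operator wants to correlate: the remote IP, the per-code failure count, and the 32-bit failure code. The following is an added example, not code from the thread or from Microsoft, that parses event bodies of that shape into structured records, aggregates failures per remote IP and code, and splits the code along the standard HRESULT bit layout (severity bit 31, facility bits 16-26, code bits 0-15), which is the same decomposition the quoted `lcserror` run attempts with its masked variants. The sample event text is constructed to mirror the post; the facility and code values it yields are just the bit fields, not a claim about what OCS means by them.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the two OCS Protocol Stack events quoted
# in the post (IPs and counts copied from there; not live log data).
SAMPLE_EVENTS = [
    """EventID: 14501
Event Source: OCS Protocol Stack
A significant number of invalid certificates have been provided by remote IP address 10.5.6.98 when attempting to establish an MTLS peer. There have been 10 such failures in the last 0 minutes.
Certificate Names associated with this peer were
The serial number of this certificate is .
The issuer of this certificate is
The specific failure types and their counts are identified below.
Instance count - Failure Type
10 C3E93D86""",
    """EventID: 14502
Event Source: OCS Protocol Stack
A significant number of connection failures have occurred with remote server Unknown IP 78.136.49.150. There have been 60 failures in the last 60 minutes. There have been a total of 60 failures.
The specific failure types and their counts are identified below.
Instance count - Failure Type
60 C3E93D86
This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.""",
]

EVENT_ID_RE = re.compile(r"EventID:\s*(\d+)")
# 14501 says "remote IP address X", 14502 says "remote server Unknown IP X".
REMOTE_RE = re.compile(r"remote (?:IP address|server Unknown IP) (\d{1,3}(?:\.\d{1,3}){3})")
# One table row: "<count> <8 hex digits>".
FAILURE_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{8})\s*$")


def parse_event(text):
    """Extract event id, remote IP and the (count, code) table from one event body."""
    m_id = EVENT_ID_RE.search(text)
    m_ip = REMOTE_RE.search(text)
    failures = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Instance count"):
            in_table = True          # rows follow the "Instance count - Failure Type" header
            continue
        if in_table:
            m = FAILURE_RE.match(line)
            if m:
                failures.append((int(m.group(1)), m.group(2).upper()))
            else:
                in_table = False     # first non-row line (e.g. the 14502 trailer) ends the table
    return {
        "event_id": int(m_id.group(1)) if m_id else None,
        "remote_ip": m_ip.group(1) if m_ip else None,
        "failures": failures,
    }


def decode_failure_code(code_hex):
    """Split a 32-bit failure code along the HRESULT layout.

    Bit 31 is the severity (failure) bit, bits 16-26 the facility, bits 0-15 the
    code. A lookup tool such as lcserror only knows the facilities it was built
    with, which is why it reports 'None matched' for an unknown facility."""
    value = int(code_hex, 16)
    return {
        "failure": bool((value >> 31) & 1),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }


def summarize(event_texts):
    """Total failure counts per (remote IP, failure code) across many events."""
    totals = Counter()
    for text in event_texts:
        ev = parse_event(text)
        for count, code in ev["failures"]:
            totals[(ev["remote_ip"], code)] += count
    return dict(totals)


if __name__ == "__main__":
    for (ip, code), count in sorted(summarize(SAMPLE_EVENTS).items()):
        fields = decode_failure_code(code)
        print(f"{ip:>15}  {code}  x{count:<4} facility=0x{fields['facility']:03X} code=0x{fields['code']:04X}")
```

Feeding real exported event bodies through `summarize` shows at a glance whether one failure code is shared by internal and external peers (as it is in the post, which points at a listener or port mismatch rather than at one bad client certificate) or whether a single remote IP is producing the bulk of the invalid-certificate events.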
2 June 2009 03:10

Hey David,
First question for you, any reason you are having your internal folks hit the edge? You can simply configure the SRV for your sip domain to point to your FE server on port 5061. No need for them to go through the edge.
As far as the edge goes, couple of questions:
1. Does the edge trust the CA the certificates were issued from?
2. Can the edge resolve the FQDN of the SE Pool to the proper IP?
3. Is the SE server in the list of authorized hosts on the edge?
4. Is the Edge server listed on the SE pool as an available edge server?
For the Edge outside interfaces, make sure each service gets a cert with a subject that matches the FQDN; if you have the IPs I'd highly recommend using port 443 for all of the services.
Let's start there with the basics and we can dive further once those are verified.
Thanks!
-KP
Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
2 June 2009 12:41 (Moderator)

How are you directing internal clients to attempt login against the Edge server? If they are hitting the Edge internal interface that will definitely fail. Also you mention not having a client certificate; if you are using TCP for internal (by adding 5060 to the FE listener configuration) that is fine for internal sign-in, but Edge only supports TLS so you must have a trusted certificate applied regardless of where the client is trying to sign in from.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
2 June 2009 17:40
Hi Kevin,
First of all, thanks for taking the time to reply.
At the moment it's just me hitting the edge from within the firewall as a test to see if it works. The rest of the users use the FE server as you'd expect (and they work).
In response to your questions:
1. Yes. The Edge server has the CA certificate in the computer 'Trusted Root Certificate Authorities' store. The Edge certificates are signed by the same CA as the standard edition FE servers.
2. Yes. The FQDN resolves correctly.
3. Yes.
4. Yes.
It took some tweaking to begin with but the certificates are all set up correctly. I don't get any certificate errors (other than the MTLS error when I try and connect to the Edge access interface, not the internal interface).
Hi Jeff,
First of all, thanks for taking the time to reply. The clients are using the edge access interface, not the internal one. The only reason I included the error from a non-MTLS client was to see if it gave me a different error (since both scenarios give a very similar error). My client machine has a client certificate signed by our enterprise CA (the same CA which signed the rest of our OCS certificates).
Edited by David Hope 2 June 2009 17:40 (typo)
4 June 2009 13:13

I've managed to solve my problem. I've been manually entering the connection details since our DNS provider (ZoneEdit) doesn't support SRV records. I should have been entering the FQDN with :443 rather than just the FQDN. My edge access now works, I just need to move to start hosting the zone ourselves so we can create SRV records. Thanks for your help guys.
If anyone runs into the same problem, I've posted about it over on my blog.
Thanks again,
Dave

Marked as answer by David Hope 4 June 2009 17:00
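The resolution above (the manual entry had to be `FQDN:443`, not the bare FQDN) and Kevin's earlier checklist (each Edge service gets a certificate whose subject matches its FQDN, and the access service listens on 443) both come down to one check: does a TLS handshake to the host and port the client will actually use succeed against a trusted chain, and does the certificate carry the name the client expects? The following is an added example, not code from the thread or from any Microsoft tool, that parses a Communicator-style manual server entry, falls back to 5061 when no port is given (that default is an assumption made here, chosen because it is the standard SIP/TLS port, not something the thread states), and probes the endpoint with Python's `ssl` module, reporting handshake success and a subject-alternative-name / common-name match separately so the two failure modes in the thread (wrong port vs. wrong certificate name) are told apart. `sip.example.com` and the other hostnames are placeholders.

```python
import socket
import ssl

# Assumption made for this example: a manual entry without ":port" is treated as
# SIP over TLS on 5061. The post shows why that matters: the Edge access service
# in the thread was listening on 443, so the bare FQDN never reached it.
DEFAULT_TLS_PORT = 5061


def parse_server_entry(entry, default_port=DEFAULT_TLS_PORT):
    """Split 'fqdn' or 'fqdn:port' into a lower-cased (host, port) pair."""
    entry = entry.strip()
    if ":" in entry:
        host, _, port = entry.rpartition(":")
        if not port.isdigit():
            raise ValueError(f"bad port in server entry: {entry!r}")
        return host.lower(), int(port)
    return entry.lower(), default_port


def _name_matches(pattern, name):
    """Exact match, or a leftmost-label wildcard ('*.example.com') matching one label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def cert_names(cert):
    """DNS names from subjectAltName followed by any subject commonName.

    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert, fqdn):
    """True if any SAN DNS entry or the CN covers the expected FQDN."""
    return any(_name_matches(n, fqdn) for n in cert_names(cert))


def probe_tls(host, port, expected_fqdn, cafile=None, timeout=5.0):
    """Open a TLS session to host:port and report chain trust and name match.

    Chain validation stays on (verify_mode is CERT_REQUIRED by default); the
    hostname check is done here instead of by the context so a name mismatch is
    reported as a result rather than raised. Never raises; errors are returned."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    result = {"host": host, "port": port, "handshake": False, "name_ok": None,
              "names": [], "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_fqdn) as tls:
                cert = tls.getpeercert()
                result["handshake"] = True
                result["names"] = cert_names(cert)
                result["name_ok"] = hostname_matches(cert, expected_fqdn)
    except (OSError, ssl.SSLError) as exc:   # refused, timeout, untrusted chain, ...
        result["error"] = str(exc)
    return result


def check_manual_entry(entry, cafile=None):
    """What a client given this manual entry would connect to, and how it fares."""
    host, port = parse_server_entry(entry)
    return probe_tls(host, port, host, cafile=cafile)


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your own entry, e.g. "sip.example.com:443".
    entry = sys.argv[1] if len(sys.argv) > 1 else "sip.example.com"
    print(check_manual_entry(entry))
```

Running it with the bare FQDN and again with `:443` reproduces the thread's situation directly: the first attempt reports a connection error on 5061 while the second completes the handshake, and `name_ok` tells you whether the certificate bound to the access service actually names that FQDN. Pass `cafile=` pointing at your enterprise CA's certificate when the Edge certificates are issued by an internal CA, as they were in the post.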