Cannot sign in with Office Communicator 2007

    Question

  • Hello All,

    I have Microsoft Communication Server 2005 installed on one server...it has been running fine for two years without a problem.

    I installed OCS 2007 on a new server. The installation went fine. I set my AD account to use the new pool I created on the new server. I had originally forgotten to do this and the client wouldn't even allow me to try and sign in...once I did do this it allowed me to try and sign in and it seems to think forever and then I eventually get "Cannot Sign in Because The Server is temporarily unavailable...Please Contact Your System Admin."

    I rebooted the server and verified the services are running.

    Any thoughts as to what I can look at to try and remedy this?

    Patrick

    Tuesday, August 14, 2007 12:49 AM

All replies

  • Hi Patrick

    By default LCS listened on port 5060 (TCP) and 5061 (TLS) for connections but OCS by default only listens to port 5061, so if you are using TCP on your clients you need to change the OCS server to allow TCP connections in the server properties.

    Cheers

    Karl

    Tuesday, August 14, 2007 10:18 AM
  • If I go to the server properties, MTLS is using port 5061. If I add TCP on port 5060 and go to sign in it seems to think about it and then the client says Communicator will sign you in soon....then it tries again and keeps repeating this process.

    Any ideas on what I am missing?

    Tuesday, August 14, 2007 10:45 AM
  • A couple things:

    1) In your client, you need to make sure that you are using TLS only. You can manually set your client to use TLS.

    2) If you are using OC 2007 client now, you need to make sure your account is enabled for enhanced presence. It won't let you log in to OC2007 client without enhanced presence enabled.

    3) Make sure that if you are using autoconfig on the client that your DNS entries are set to the OCSpool.

    Regards,

    Matt

    Thursday, August 30, 2007 7:35 PM
  • Thank you for the response.

    Here is what happened when I attempted each of your suggestions:

    1. If I set it to TLS I get an error saying that there is a problem trying to verify the certificate and to please contact my systems administrator...I don't know how there would be something wrong with the certificate but that's what it says. In the properties of the communicator server I have it set for MTLS to listen on port 5061 (the default setting) and TCP on 5060.

    2. If I change it to TCP it says the user is not configured for the communication service even though it is.

    3. I removed TCP 5060 from my server and went to sign in (changed it to autoconfiguration) and it would take forever to try and sign in and eventually I get the error listed in the original post which says the server is temporarily unavailable.

    4. I changed MTLS to TLS on 5061 to see if that would make a difference and it didn't. I removed TLS and just did TCP 5060 (just trying to try different things) and that didn't make a difference. I changed it back to its original setting of MTLS 5061 and obviously it still doesn't work.

    5. I don't want to change my user setting to enhanced mode because it is my understanding that if I do this I will not be able to communicate with LCS 2005 users...we still have a 2005 server and many users on it so I can't do that until we fully migrate.

    So I am still stuck...can anyone offer any further advice?

    Patrick

    Friday, August 31, 2007 2:21 PM
  • Hi Patrick,

    When you get the "error verifying the certificate" error that generally means you are very close to getting things to work. The cause is usually one of two things:

    1) When you are manually configuring your client, you may be putting in the wrong name, or perhaps even the IP address. You can't use the IP address in the client config, even though it says you can. The server name here has to be the FQDN of the enterprise pool (if you are doing OCS enterprise) or the name of the OCS standard server. This name that you enter must match _exactly_ the name on the certificate you created in OCS.

    2) You may not have downloaded the certificate chain from the CA. Every client machine that connects to the OCS server needs to have the CA's root cert installed in the "trusted root certs". There is a good post in one of the other forums on doing that. See Mike Stacy's answer here: http://forums.microsoft.com/Ocs2007/ShowPost.aspx?PostID=1900761&SiteID=57

    You definitely have to use TLS on port 5061; the error you are getting is very common and is usually fixed by doing one of the two things that I listed.

    Lastly, make sure that you are using the 2005 client to connect. As I mentioned before, the 2007 client will not work at all unless you've enabled enhanced presence. So if you don't want to enable enhanced presence, just be sure that you are using the 2005 client.

    Regards,

    Matt

    Friday, August 31, 2007 2:44 PM
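
Added example, not part of the thread and not Microsoft code: a small Python preflight that turns the two certificate causes in the reply above, plus the listener point made earlier in the thread, into checks on a manual client entry. The certificate names, the root CA name, the sample IP address and the simplified trust check (issuing root present in a set, no chain walking, no wildcard names) are constructed assumptions.

```python
import ipaddress

# Default ports per transport, as named in the thread.
DEFAULT_PORT = {"TLS": 5061, "TCP": 5060}

# Constructed sample data (not taken from a real deployment).
SERVER = {
    "listeners": {("TLS", 5061)},           # OCS default: no TCP 5060 listener
    "cert_names": ["ocspool.company.com"],  # names on the server certificate
    "cert_root": "Company Root CA",         # hypothetical issuing root CA
}

def parse_entry(entry, transport):
    """Split a manual 'host' or 'host:port' entry (IPv6 literals not handled)."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep:
        return entry.strip(), DEFAULT_PORT[transport]
    return host, int(port)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".")

def preflight(entry, transport, trusted_roots, server=SERVER):
    """Return a list of findings; an empty list means nothing was flagged."""
    host, port = parse_entry(entry, transport)
    findings = []
    if (transport, port) not in server["listeners"]:
        findings.append("no-listener")
    if transport == "TLS":
        if _is_ip(host):
            # A certificate issued for the pool FQDN cannot match an IP.
            findings.append("ip-address-in-tls-config")
        elif _norm(host) not in {_norm(n) for n in server["cert_names"]}:
            findings.append("name-not-on-certificate")
        if server["cert_root"] not in trusted_roots:
            findings.append("root-ca-not-trusted")
    return findings

if __name__ == "__main__":
    for entry in ("ocspool.company.com:5061", "10.0.0.5:5061", "ocspool:5061"):
        print(entry, preflight(entry, "TLS", {"Company Root CA"}))
```
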
  • Again, thank you so much for the response. I think I figured out why things aren't working...I somehow skipped over creating the srv host records in dns.

    My question is now how do I create the srv records if I already have srv records for tls and tcp and the same ports for my lcs 2005 server? I tried creating two more srv records and pointing them to my ocs2007 host but then that took down my lcs 2005 functionality...any thoughts on this?

    Also thank you for the heads up on the oc2007 client not working unless it's under enhanced presence. So I guess the best strategy would be to migrate everyone to the new ocs2007 server and then when everyone is over enable enhanced presence while at the same time deploying the oc2007 client.

    Let me know if you have any thoughts on my srv question...thanks so much.

    Friday, August 31, 2007 5:57 PM
  • Hi Patrick,

    Yep, the SRV record thing is tricky because you can't create two srv records in the same domain for _sipinternaltls. There are a few ways to deal with it, though.

    I think the easiest way is to just manually configure your OCS clients for ocspool.company.com:5061. This will keep you from needing a separate SRV record.

    However, the best long-term solution is this: If you are using an LCS access proxy, you can replace it with an OCS edge server. Then you can configure your internal SRV records to point to the outside interface of the Edge server (sip.company.com) on port 443. This way LCS clients all point to the Edge & then the edge distributes the request to the LCS front end. The OCS clients also point at the edge & it distributes the requests to the OCS front end. This is the way I have things working in our environment and it has been working very well.

    And I also agree with your strategy on the user migration, that's probably the best way to do it.

    Regards,

    Matt

    Friday, August 31, 2007 6:20 PM
  • Matt,

    You are really good! Just one strange thing to mention...maybe you can tell me if it's normal.

    I migrated my account to the ocs 2007 server. I then logged into my office communicator 2005 client using the suggestion you gave me..I changed the server name to ocs-poolname:5061 and was able to log in fine.

    Then I took out the ocs-poolname:5061 and was still able to login to my oc 2005 client! Does this sound right to you?

    Patrick

    Friday, August 31, 2007 7:06 PM
  • Hi Patrick,

    Glad that things are working!! I'm not sure why it would continue functioning after you removed that entry. It could just have the ocspool cached in your dns; to test it you could try doing a c:\> ipconfig /flushdns on your PC and then try logging in again. Or maybe communicator can remember the last place it logged in. Not totally sure - it's definitely strange.

    Regards,

    Matt

    Friday, August 31, 2007 7:33 PM
  • Yup...still works even after the flush...odd stuff.

    Also, I created a test account with enhanced presence enabled. I can log in now to that client with the oc-poolname:5061 in the settings...what I didn't expect is that the user logged into the 2007 client can see and IM the oc 2005 client I am using.

    Friday, August 31, 2007 7:42 PM
  • Hi Matt,

    We have LCS 2005 front-end/Access Proxy/CWA servers configured. We would like to migrate to OCS 2007 using Microsoft's migration document. We are replacing the LCS Access Proxy with the OCS Access Edge. OC 2005 clients are manually configured to use either 5060/tcp internally or 5061/tls externally or the OC Web client on 443. Can you give more details regarding your "best long-term solution" above? Will the current OC client/OC web client be affected by the remote access port of 443 on the OCS 2007 Access Edge server? Currently traffic for 443 is sent via the foundry to the CWA server. How do you deal with mixed versions of OC clients (OC 2005 using 5061 and OC 2007 using 443) with the LCS front-end, LCS CWA and OCS Access Edge?

    Regards,

    HKP

    Sunday, February 24, 2008 6:02 PM