Error Validating Web Components Server Functionality

  • Question

    I am currently in the process of installing a consolidated Enterprise Edition deployment on my test domain (2003 native, single domain controller). I go through the entire installation process, and then go to do the validations. The Web Components Server Functionality validation fails with the following error:

     

    ------------------------------------------------------------------

    Check Http URL:

     

    URL: https://ocspool.phizz.net/GroupExpansion/Int/service.asmx
    Received a failure HTTP response.: HTTP Response: 401 Unauthorized

     

    HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
    Internet Information Services (IIS)

    ------------------------------------------------------------------

     

    I turned on Kerberos logging and get the following event:

     

    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 3
    Date:  10/23/2007
    Time:  9:36:17 AM
    User:  N/A
    Computer: APP1
    Description:
    A Kerberos Error Message was received:  on logon session 
     Server Time: 16:36:17.0000 10/23/2007 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error:  
     Server Realm: PHIZZ.NET
     Server Name: DC1.phizz.net
     Target Name: DC1.phizz.net@PHIZZ.NET
     Error Text:
     File: 9
     Line: ae0

     

    I then registered the SPN for the service account (RTCComponentService) on the OCS server:

     

    http/app1.phizz.net\RTCComponentService
    http/app1\RTCComponentService

     

    Rebooted the server and tried running the validation again, same error. Any ideas?

     

    -Seth

     

     

     

    Tuesday, October 23, 2007 5:26 PM

All replies

  • What happens when you go to that URL in your browser?

     

    Did you already apply a certificate to the default website in IIS?

    I believe there's something about that in the admin guide.

     

    Tuesday, October 23, 2007 7:36 PM
  • Yes the cert is applied and working properly.

     

    When I manually put the URL in a browser it prompts me for credentials (nothing I put in works), then gives me the same HTTP Error 401.1. The default site loads fine, it's at GroupExpansion where it starts giving that error. GroupExpansion is set for Integrated Windows Authentication only. The perms on GroupExpansion have RTC Component Local Group set to read. If I set GroupExpansion to allow Anonymous, it works fine. Can someone verify the perms on their GroupExpansion folder?

     

    Either way I think it is something deeper than just permissions because of the Kerberos error I'm getting. It seems like the DC can't translate the SPNs for some reason. Should I have registered those SPNs on the OCS server or on my DC?

     

    -Seth

     

    Tuesday, October 23, 2007 8:42 PM
  •  Seth Scardefield wrote:

    Yes the cert is applied and working properly.

     

    When I manually put the URL in a browser it prompts me for credentials (nothing I put in works), then gives me the same HTTP Error 401.1. The default site loads fine, it's at GroupExpansion where it starts giving that error. GroupExpansion is set for Integrated Windows Authentication only. The perms on GroupExpansion have RTC Component Local Group set to read. If I set GroupExpansion to allow Anonymous, it works fine. Can someone verify the perms on their GroupExpansion folder?

     

    Either way I think it is something deeper than just permissions because of the Kerberos error I'm getting. It seems like the DC can't translate the SPNs for some reason. Should I have registered those SPNs on the OCS server or on my DC?

     

    -Seth

     



    Hi Seth,

    Mine is set to Anonymous and Basic Authentication (with the domain and realm filled in with my fqdn).

    I have a similar environment set up but didn't have to register any SPNs. Have you tried using the Office Communicator client or Live Meeting client against your environment yet? If so, have you encountered issues or are you just trying to run the validation checks?

    -Jason
    Wednesday, October 24, 2007 2:24 PM
  • Hi Seth,

     

    We had the same problem. Everything seemed to be working fine, but the validation check for Web Components was failing with the error message you received. We had someone from Microsoft come out to look at the problem and they provided the following solution / workaround (not sure which term to use yet).

     

    I hope the problem you're experiencing is the same we had.

     

    http://support.microsoft.com/kb/896861/en-us

     

    Extract...

     

    This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

     

    The article contains a couple of methods to resolve the issue to a point where the validation check will succeed.

     

    Rgds,

     

    Morris

     

    Friday, October 26, 2007 12:11 AM
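
The loopback check quoted from KB 896861 can be confirmed on the IIS server before changing anything. The script below is an added example, not part of the thread or of Microsoft's article: it compares the host in the failing validation URL with the machine's own names and reads the two registry values the KB article's methods use. Assumptions: the value names `BackConnectionHostNames` and `DisableLoopbackCheck` come from the KB article (they are not quoted in the thread), and the script runs locally on the server hosting the site, in PowerShell 3.0 or later.

```powershell
# Added example: report how the loopback check (KB 896861) treats a URL's host name.
# Run on the IIS server itself; the default URL is the one from the failed validation.
param(
    [string]$Url = 'https://ocspool.phizz.net/GroupExpansion/Int/service.asmx'
)

$target = ([Uri]$Url).Host.ToLower()

# Names the machine treats as itself: the NetBIOS name and the DNS FQDN.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }
$localNames = @($env:COMPUTERNAME.ToLower(), $fqdn.ToLower())

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# BackConnectionHostNames (REG_MULTI_SZ): additional names allowed to loop back.
$allowed = @((Get-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

# DisableLoopbackCheck (REG_DWORD): 1 switches the protection off for every name.
$disabled = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck -eq 1

if ($localNames -contains $target) {
    $verdict = 'Host matches the local computer name; the loopback check does not apply.'
} elseif ($disabled) {
    $verdict = 'DisableLoopbackCheck=1: loopback works, but reflection protection is off for all names.'
} elseif ($allowed -contains $target) {
    $verdict = 'Host is listed in BackConnectionHostNames; loopback is allowed for this name only.'
} else {
    $verdict = 'Host is neither a local name nor listed; local Integrated Windows Authentication requests fail with 401.1.'
}

[pscustomobject]@{
    UrlHost                 = $target
    LocalNames              = $localNames -join ', '
    BackConnectionHostNames = $allowed -join ', '
    DisableLoopbackCheck    = $disabled
    Verdict                 = $verdict
}
```

A pool name such as `ocspool.phizz.net` on a server named `APP1` falls into the last branch unless one of the two values has been set. Listing the specific name keeps the reflection protection in place for every other host name, which disabling the check does not.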