Error Validating Web Components Server Functionality

Question
I am currently in the process of installing a consolidated Enterprise Edition deployment on my test domain (2003 native, single domain controller). I go through the entire installation process, and then go to do the validations. The Web Components Server Functionality validation fails with the following error:
------------------------------------------------------------------
Check Http URL:
URL: https://ocspool.phizz.net/GroupExpansion/Int/service.asmx
Received a failure HTTP response.: HTTP Response: 401 Unauthorized
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)
------------------------------------------------------------------
I turned on Kerberos logging and get the following event:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 10/23/2007
Time: 9:36:17 AM
User: N/A
Computer: APP1
Description:
A Kerberos Error Message was received: on logon session
Server Time: 16:36:17.0000 10/23/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Server Realm: PHIZZ.NET
Server Name: DC1.phizz.net
Target Name: DC1.phizz.net@PHIZZ.NET
Error Text:
File: 9
Line: ae0
I then registered the SPN for the service account (RTCComponentService) on the OCS server:
http/app1.phizz.net\RTCComponentService
http/app1\RTCComponentService
Rebooted the server and tried running the validation again, same error. Any ideas?
-Seth
Tuesday, October 23, 2007 5:26 PM
All replies
What happens when you go to that URL in your browser?
Did you already apply a certificate to the default website in IIS?
I believe there's something about that in the admin guide.
Tuesday, October 23, 2007 7:36 PM
Yes the cert is applied and working properly.
When I manually put the URL in a browser it prompts me for credentials (nothing I put in works), then gives me the same HTTP Error 401.1. The default site loads fine, it's at GroupExpansion where it starts giving that error. GroupExpansion is set for Integrated Windows Authentication only. The perms on GroupExpansion has RTC Component Local Group set to read. If I set GroupExpansion to allow Anonymous, it works fine. Can someone verify the perms on their GroupExpansion folder?
Either way I think it is something deeper than just permissions because of the Kerberos error I'm getting. It seems like the DC can't translate the SPN's for some reason. Should I have registered those SPN's on the OCS server or on my DC?
-Seth
Tuesday, October 23, 2007 8:42 PM
Seth Scardefield wrote:
Yes the cert is applied and working properly.
When I manually put the URL in a browser it prompts me for credentials (nothing I put in works), then gives me the same HTTP Error 401.1. The default site loads fine, it's at GroupExpansion where it starts giving that error. GroupExpansion is set for Integrated Windows Authentication only. The perms on GroupExpansion has RTC Component Local Group set to read. If I set GroupExpansion to allow Anonymous, it works fine. Can someone verify the perms on their GroupExpansion folder?
Either way I think it is something deeper than just permissions because of the Kerberos error I'm getting. It seems like the DC can't translate the SPN's for some reason. Should I have registered those SPN's on the OCS server or on my DC?
-Seth
Hi Seth,
Mine is set to Anonymous and Basic Authentication (with the domain and realm filled in with my fqdn).
I have a similar environment set up but didn't have to register any SPN's. Have you tried using the Office Communicator client or Live Meeting client against your environment yet? If so, have you encountered issues or are you just trying to run the validation checks?
-Jason
Wednesday, October 24, 2007 2:24 PM
Hi Seth,
We had the same problem. Everything seemed to be working fine, but the validation check for Web Components was failing with the error message you received. We had someone from Microsoft come out to look at the problem and they provided the following solution / work around (not sure which term to use yet).
I hope the problem you're experiencing is the same we had.
http://support.microsoft.com/kb/896861/en-us
Extract...
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
The article contains a couple of methods to resolve the issue to a point where the validation check will succeed.
Rgds,
Morris
Friday, October 26, 2007 12:11 AM
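
The condition the KB extract describes (the server requesting its own site under a name that is not the local computer name) can be checked read-only before changing anything. This is an added example, not part of the thread or of Microsoft's article: the function names are hypothetical, the two registry value names are the ones KB 896861 documents, and it assumes the pool name resolves directly to the server's own address.

```powershell
# Added example. Read-only: it inspects settings and changes nothing.
function Get-LoopbackVerdict {
    param(
        [string]$HostName,                 # host part of the URL being validated
        [string[]]$LocalNames,             # NetBIOS name and FQDN of this computer
        [bool]$ResolvesToThisComputer,     # does $HostName point back at this box?
        [string[]]$BackConnectionHostNames = @(),
        [int]$DisableLoopbackCheck = 0
    )
    # -contains compares case-insensitively, which matches how host names behave.
    if (-not $ResolvesToThisComputer) { return 'not-loopback: request leaves this computer' }
    if ($LocalNames -contains $HostName) { return 'name-matches: loopback check does not apply' }
    if ($DisableLoopbackCheck -eq 1) { return 'check-disabled: loopback check is turned off' }
    if ($BackConnectionHostNames -contains $HostName) {
        return 'exempt: name is listed in BackConnectionHostNames'
    }
    return 'blocked: loopback check rejects Integrated Windows Authentication for this name'
}

# Gathers the live inputs on the server that runs the validation.
function Test-LoopbackCheck {
    param([Parameter(Mandatory)][uri]$Url)
    $self   = [System.Net.Dns]::GetHostName()
    $local  = @([System.Net.Dns]::GetHostAddresses($self) | ForEach-Object { "$_" }) + '127.0.0.1', '::1'
    $target = @([System.Net.Dns]::GetHostAddresses($Url.Host) | ForEach-Object { "$_" })
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Both values are absent by default; a missing value reads as $null.
    $dlc = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $bch = (Get-ItemProperty "$lsa\MSV1_0" -ErrorAction SilentlyContinue).BackConnectionHostNames
    Get-LoopbackVerdict -HostName $Url.Host `
        -LocalNames $env:COMPUTERNAME, ([System.Net.Dns]::GetHostEntry($self).HostName) `
        -ResolvesToThisComputer ([bool]($target | Where-Object { $local -contains $_ })) `
        -BackConnectionHostNames @($bch | Where-Object { $_ }) `
        -DisableLoopbackCheck ([int]$dlc)
}

# Offline run with the names from the thread (constructed inputs, not a capture;
# that ocspool.phizz.net resolves to APP1 is an assumption):
Get-LoopbackVerdict -HostName 'ocspool.phizz.net' `
    -LocalNames 'APP1', 'app1.phizz.net' -ResolvesToThisComputer $true

# On the server itself:
# Test-LoopbackCheck -Url 'https://ocspool.phizz.net/GroupExpansion/Int/service.asmx'
```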