cannot start federation on ocs r2 running on server 2008 r2

  • Question

  • OCS front end server running on 2008 R2; the access edge is also running on 2008 R2 and is in the DMZ. No other server is used.
    2 NICs are used on the access edge: the 1st is connected to the internal network and the 2nd to the external network with 3 IPs for AV and web.

    OCS works fine for internal use, but the problem is we cannot federate with Microsoft or log in remotely.

    error on access edge -

    Federated partner sipfed.microsoft.com has sent a significant number of messages that have resulted in domain validation failures. There have been 14 such failures in the last 15 minutes. There have been 138 errors in total. This can happen when messages are sent to local users that don't exist, messages are sent from domains that the partner isn't allowed to send from, or when the partner sends messages destined to domains that this organization isn't responsible for.

    error on front end -

    TLS outgoing connection failures.

    Over the past 17 minutes Office Communications Server has experienced TLS outgoing connection failures 16 time(s). The error code of the last failure is 0x80004005 (Unspecified error) while trying to connect to the host "ocs.DOMAIN.co.uk".

    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.

    Resolution:

    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    ocs.DOMAIN.co.uk is the FQDN of the access edge.

    I thought it was a certificate issue, but the CA is installed on the front end and the access edge got its certificate from the front end, so there is no way it does not trust the certificate.
    We are using a public cert for the access edge external interface.

    I checked the network packets and both the front end and the access edge are sending and receiving packets.
    We have an SRV record for our access edge with our ISP which resolves to the FQDN of the access edge...

    Please help to resolve this issue :(

    Monday, September 28, 2009 2:57 PM

Answers

  • Both.  OCS does not completely function on Server 2008 R2.  Microsoft is testing this and are targeting a supportability statement around the end of the year.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, September 29, 2009 11:43 AM
    Moderator

All replies

  • Also what I am getting is:

    A significant number of connection failures have occurred with remote server ocsfrontend.domain.co.uk IP 172.17.4.102. There have been 60 failures in the last 11 minutes. There have been a total of 60 failures.

    The specific failure types and their counts are identified below.

    Instance count - Failure Type
    60 - 80072746

    This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.

    Monday, September 28, 2009 3:06 PM
  • OCS is not supported on Windows Server 2008 Release 2 yet, so this may be another issue related to that and not something you've configured incorrectly in your environment.

    That said, what Certificate Authority issued the certificates on your Edge server?  You should be using a trusted third-party and not an internal Enterprise CA.  Other incorrect certificate settings (unsupported signing algorithm or key-length) could also cause 'unspecified errors' as well.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, September 28, 2009 5:00 PM
    Moderator
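    The event text in the question names two causes for the 0x80004005 failure: a "wrong principal" (the peer's certificate subject/SAN does not match the name being connected to) and an untrusted root (the issuing CA chain is not in the local machine store). The following diagnostic is an added example written for this thread, not code from Microsoft or from the posters: it opens a TLS connection to a peer the way the Edge would, on port 5061 (the SIP/MTLS port OCS uses between Edge, Front End and federated partners, an assumption stated in the code), lets the local CA store decide chain trust, and then checks the subject/SAN against the peer name separately so the two causes are reported apart. Host names are constructed samples; the signing-algorithm and key-length checks Jeff mentions are not covered.

```python
import socket
import ssl

# Assumptions: 5061 is the SIP/MTLS port OCS uses for Edge, Front End and
# federation traffic; the host names used below are constructed samples.
SIP_TLS_PORT = 5061

def hostname_matches(cert, peer_name):
    """True if peer_name is covered by the cert's SAN dNSName entries, or by the
    subject CN when no SAN dNSName exists. cert has the dict shape returned by
    ssl.SSLSocket.getpeercert()."""
    peer = peer_name.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            # a wildcard covers exactly one label: *.example.com != a.b.example.com
            if peer.endswith(name[1:]) and peer.count(".") == name.count("."):
                return True
        elif name == peer:
            return True
    return False

def classify_verify_error(exc):
    """Map an OpenSSL verification failure onto the two causes the OCS event lists."""
    reason = (getattr(exc, "verify_message", None) or str(exc)).lower()
    if "local issuer" in reason or ("self" in reason and "signed" in reason):
        return "untrusted root: install the peer's CA chain in the local machine store"
    if "mismatch" in reason or "doesn't match" in reason:
        return "wrong principal: certificate subject/SAN does not match the peer name"
    return "other: " + reason

def probe(peer_name, port=SIP_TLS_PORT, timeout=5.0):
    """Open a TLS connection like the Edge would and report which cause applies."""
    ctx = ssl.create_default_context()   # chain validated against the local CA store
    ctx.check_hostname = False           # name match is checked separately below
    try:
        with socket.create_connection((peer_name, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=peer_name) as tls:
                if hostname_matches(tls.getpeercert(), peer_name):
                    return "ok: chain trusted and subject matches " + peer_name
                return "wrong principal: certificate subject/SAN does not match the peer name"
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "ocs.example.co.uk"))
```

    Run it from the Edge against the Front End FQDN and from the Front End against the Edge FQDN, since the Edge event in the question and the Front End event report failures in opposite directions.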
  • I have used DigiCert for my access edge.

    When you say 2008 R2 is not supported, do you mean it cannot run on it, or that MS does not provide support for it?
    Tuesday, September 29, 2009 7:23 AM
  • Thanks for your help, I'll move down to 2008 R1 then.
    Wednesday, September 30, 2009 7:36 AM
  • Hi Jeff,
    I'm experiencing a slightly similar issue. On the Edge server (Windows Server 2008 R2) I got the below errors from all the federation partners:

    Over the past 15 minutes Office Communications Server has experienced TLS outgoing connection failures 6 time(s). The error code of the last failure is 0x80004005 (Unspecified error) while trying to connect to the host "SIP.FedPartner.COM".
    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
    Resolution:
    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    It's been a month since your statement above. What's the status now?

    Cheers

    KA.
    Friday, November 13, 2009 8:30 PM