OCS Certificate Errors

  • Question

  • I have created a whole test-domain (called WALHALL) on VMware ESX with 1 domain-controller, 1 exchange-server, 1 ocs-server and 2 clients with the communicator installed. The installation of OCS went fine and I didn't have severe problems. For the OCS I created a free certificate from cacert.org and installed the root-certificate on the server too, so that the created one is recognized correctly. All services were started and are running.

    On the clients I installed this root-cert too and it seems that the certs, if I view them are OK too.

    But now there comes the funny thing. If I want to connect to OCS with one of the clients, the communicator tells me that there is something wrong with the certificate. So I did some of those checks with the OCS-management thingie - there I see some TLS handshake problems, for example for the Webconferencing:
    IPADDRESS:8057 Errorcode: 0x80092012 outgoing TLS negotiation failed; HRESULT=-2146885614

    In the eventlog I find (I don't have an English translation and I replaced the real domain with MYDOMAIN):
    Anwendungsendpunkt mit OCS auf communication.walhall.MYDOMAIN.at konnte nicht erstellt werden:5061
    Ausnahme: Microsoft.Rtc.Signaling.TlsFailureException - The revocation function was unable to check revocation for the certificate
    Interne Ausnahme: Microsoft.Rtc.Internal.Sip.TLSException - outgoing TLS negotiation failed; HRESULT=-2146885614
    Der Dienst startet alle 30 Sekunden einen erneuten Versuch.

    I don't find anything useful on this error.

    Later in my desperation I tried another thing. I installed the communicator on a PC that is not in the test-domain and I edited the host file so that this PC is recognizing the test-domain or OCS-server. Then I installed the cacert.org-root-certificate and the connection to the OCS server worked!? So why is it working from a PC that is not in the test-domain but not the other way around???

    I have now searched several forums, Google, etc. but can't find anything helpful. Please help. Many thanks in advance.


    Friday, August 7, 2009 2:51 PM

Answers

  • Can you check the revocation list on the certificate?
    Can you access it from both computers?

    Mind that Windows XP does not check revocation, but Vista does by default.
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Friday, August 7, 2009 5:21 PM
  • If you see the root cert in the certificate store for the computer, you should be good. But it can be a DNS problem as well: the DNS name the MOC client is looking for has to match the certificate name or Subject Alternative Name.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Friday, August 7, 2009 8:23 PM
  • Hi:

    From your description, I cannot verify that your install procedures are right. Usually the OCS server services seem fine, but actually the system has many issues caused by certificates, DNS records or other wrong configuration, as Deli and Mitch mentioned.

    So I have some other suggestions for you.

    1. Firstly, make sure which version you installed, Standard Edition or Enterprise Edition. There are many different requirements between them. You can refer to the link below:

    http://technet.microsoft.com/en-us/library/dd425098(office.13).aspx

    2. You can get more information about the Certificate Infrastructure Support for the OCS server, and you should know the list of public CAs who have partnered with Microsoft to ensure that their certificates comply with specific requirements for Office Communications Server. Not all public CAs are supported for OCS. You can refer to the link below:

    http://technet.microsoft.com/en-us/library/dd572286(office.13).aspx

       So I think you can create a CA on the DC in your domain for OCS.

    3. There are detailed procedures about deploying Enterprise Edition OCS and Standard Edition OCS in the links below. They will help you check whether the configuration you have done is right or not.

    http://technet.microsoft.com/en-us/library/dd425100(office.13).aspx

    http://technet.microsoft.com/en-us/library/dd425245(office.13).aspx

    http://technet.microsoft.com/en-us/library/dd425256(office.13).aspx

    4. Sure, your issue is most likely caused by the certificate. You can pay more attention to how to configure the certificates for OCS. You can refer to the link below:

    http://technet.microsoft.com/en-us/library/dd425206(office.13).aspx


    Hope this is helpful!

    Regards!

    Wednesday, August 12, 2009 3:48 AM
    Moderator
  • Thank you very much for your replies and sorry for the late answer from my side but I've been on holiday.

    So I tried around a little bit again and created a new certificate; besides that, I installed the CRL from cacert.org on the test clients. It seems to work now from the clients in the test domain and from clients outside the test domain.

    • Marked as answer by BBQigniter Monday, August 31, 2009 11:33 AM
    Monday, August 31, 2009 9:03 AM
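Deli's suggestion above (check whether the revocation list on the certificate is reachable from each computer) and the fix the asker ended up with (installing the CRL) can be checked directly from a client with a script like this one. It is an added example, not code from this thread or from Microsoft; the host name and port are placeholders taken from the eventlog lines in the question, and it assumes the machine it runs on can reach the OCS server on that port.

```powershell
# Added example, not from the thread: fetch the certificate the OCS endpoint presents,
# rebuild its chain the way a Vista/Communicator client does (online revocation check),
# and test from this machine whether each CRL distribution point can be downloaded.
# Host and port are placeholders taken from the eventlog lines in the question.
param(
    [string]$Server = "communication.walhall.MYDOMAIN.at",
    [int]$Port = 5061
)

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$net = $client.GetStream()
# Accept any certificate during the handshake; the real evaluation happens below.
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $net, $false, { $true }
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()

"Subject: $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | Select-Object -First 1
# The name the MOC client resolves must appear here or in the Subject (Mitch's point).
if ($san) { "SAN:     $($san.Format($false))" }

# Same check the client performs: chain build with online revocation for every cert in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
"Chain valid: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here corresponds to the
    # "unable to check revocation" (0x80092012) error shown in the OCS log.
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# Try to download each CRL distribution point (extension OID 2.5.29.31) from this machine.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" } | Select-Object -First 1
if (-not $cdp) { "No CRL distribution point in the certificate"; return }
foreach ($m in [regex]::Matches($cdp.Format($true), "URL=(\S+)")) {
    $url = $m.Groups[1].Value
    try {
        # ldap:// distribution points cannot be fetched by WebClient and will land in the catch.
        $bytes = (New-Object System.Net.WebClient).DownloadData($url)
        "  CRL reachable:     $url ($($bytes.Length) bytes)"
    } catch {
        "  CRL NOT reachable: $url -> $($_.Exception.Message)"
    }
}
```

Run it once on a client inside the test domain and once on the one outside it: if the chain only fails, or a CDP URL is only unreachable, from inside the domain, the difference is CRL reachability from that network rather than the certificate itself.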

All replies

  • Last info on this: we went into production with the system and installed the Windows Certificate Services, so it's much easier with the certificates :)
    Friday, September 4, 2009 1:45 PM
  • Hi,
    Thanks for your confirmation!

    Best regards!
    Friday, September 4, 2009 3:16 PM
    Moderator