Cannot Sign in because the server temporarily unavailable

  • Question

  • Hi,

    I have set up OCS 2007 server Standard version and tried to log on to the test MOC 2007 client on the PDC (which is a separate server from the OCS FES). I couldn't log in with any of the test accounts I tried; I keep getting "Cannot Sign in because the server temporarily unavailable". Oddly, I did the validation test on the Front End server with the tested accounts and all checks were marked green as success, except the global federation setting and the global phone check, which were marked as warnings (I don't intend to perform federation anyway).

    Can anybody advise where else to look and what could be the problem with logging in?

    I ruled out network connectivity since I can ping from PDC to OCS server (MOC client is on PDC).


    Thank you


    Wednesday, February 27, 2008 5:39 PM

All replies

  • Are you using autoconfiguration for the client or are you pointing the client directly to your front end server? If you do not have all your DNS records correctly set up and the client is configured for auto, then you will get a server unavailable error.





    Wednesday, February 27, 2008 6:43 PM
  • Joe,

    You are right. I was able to use manual configuration on the client with TLS, specify the internal OCS server name, and log on successfully. I have two questions here.


    1) When I am in manual configuration mode and try to use the IP address (instead of the internal server name "ocs-fes.domain.com"), it gives me an error saying "there was a problem verifying the certificate from the server" when trying to log on. Does that mean I have problems with the certificate? But why does it work with the server name and fail when using the IP address?


    2) When I am on automatic configuration, logon fails. I went back and checked all my DNS configuration and couldn't find anything wrong; everything seems to be running fine. I have a forward lookup zone and a reverse lookup zone configured. I can ping both servers back and forth by IP address and server name. I also tested nslookup on both ocs-fes and pdc and they are fine. Is there anything else I should be looking at on the DNS server to troubleshoot the automatic configuration issue?


    Thank you

    Wednesday, February 27, 2008 9:40 PM

    OK, to answer your first question: since OCS uses certificates for authentication, the packet information coming into the server must align with what the server certificate needs in order to successfully authenticate. The certificate is configured for a server name, not an IP address, so when the traffic comes into that interface with no server name reference, it cannot successfully authenticate against the server certificate. This is why you get a certificate error when you use an IP address.


    Question 2 requires a few more questions from me. Client autoconfiguration errors are usually DNS problems. I would double check that you have the following records created:


    SRV record     _sip._tls.domain.com  -> points to the A record of your front end server or enterprise pool, i.e. "ocspool.domain.com". Using port 5060


    SRV record     _sipinternaltls._tcp.domain.com  -> points to the A record of your front end server or enterprise pool, i.e. "ocspool.domain.com". Using port 5061


    A record       sip.domain.com  -> points to the A record of your front end server or enterprise pool, i.e. "ocspool.domain.com".



    These records are critical for client autologin configuration.





    Thursday, February 28, 2008 2:02 PM
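
An added example, not part of the original thread and not Microsoft's code: the two checks from the answer above in Python, following the `_sipinternaltls._tcp` SRV record to its target and matching the name the client connects with against the server certificate. The zone data, the address 192.0.2.10 and the function names are constructed for illustration, and it assumes the certificate lists its names in subjectAltName in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed sample data (assumed, not taken from the poster's environment).
ZONE = {
    ("SRV", "_sipinternaltls._tcp.domain.com"): ("ocs-fes.domain.com", 5061),
    ("A", "ocs-fes.domain.com"): "192.0.2.10",
}
# Same shape as ssl.SSLSocket.getpeercert(): SAN entries are (type, value) pairs.
CERT = {"subjectAltName": (("DNS", "ocs-fes.domain.com"),)}


def dns_match(pattern, host):
    """Compare a certificate DNS name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # wildcard only as the whole left-most label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches(cert, peer):
    """True if the name or IP the client connects with is listed in the SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        return any(t == "DNS" and dns_match(v, peer) for t, v in sans)
    # An IP literal is compared only with IP entries, never with DNS names.
    return any(t == "IP Address" and ipaddress.ip_address(v) == ip
               for t, v in sans)


def check_autoconfig(zone, cert, sip_domain):
    """Follow SRV -> target -> A record and list what would break sign-in."""
    name = f"_sipinternaltls._tcp.{sip_domain}"
    srv = zone.get(("SRV", name))
    if srv is None:
        return [f"missing SRV record {name}"]
    target, _port = srv
    problems = []
    if ("A", target) not in zone:
        problems.append(f"SRV target {target} has no A record")
    if not cert_matches(cert, target):
        problems.append(f"certificate does not list {target}")
    return problems
```

With the constructed data, `check_autoconfig(ZONE, CERT, "domain.com")` returns an empty list, while `cert_matches(CERT, "192.0.2.10")` is false because the certificate carries only a DNS name.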
  • Joe,

    No wonder my auto config does not work. I have none of the SRVs that you mentioned.

    1) Are these SRV records supposed to be in the DNS server by default after installing OCS?

    2) If not, can I add them manually? Where are these SRVs supposed to go? I assume that we can add them into Forward Lookup Zones > domain.com > _tcp, correct?



    Thursday, February 28, 2008 9:55 PM
  • Thank you Joe..

    I have added those SRV records and it fixed the problem.


    Appreciate your help..

    Thursday, February 28, 2008 10:19 PM
  • I wonder if the SRV record:     _sip._tls.domain.com  -> points to the A record of your front end server or enterprise pool, i.e. "ocspool.domain.com". Using port 5060

    is required in the internal network (AFAIK it is used to locate the access edge server when connecting from an external network), and anyway, it should be port 5061 and not 5060 (OCS listens only on TLS port 5061 for the sign-in process).
    Friday, February 29, 2008 9:17 AM

    _sip._tls.domain.com is normally used for Remote Access.

    It can use port 443 or 5061 but not 5060.

    If you configure the external interface of your Access Edge server to use port 443, then make sure the SRV record is using port 443.



    Friday, February 29, 2008 11:48 AM