Event ID 1113 - TLS failure

  • Question

  • Can anyone help?

     

    We have a working OCS + Ex2k7 UM solution. (OCS is RTM and fully patched, Ex2k7 is SP1 and fully patched)

     

    Everything works as expected however after a seemingly random period of inactivity the UM service stops working and calls from OCS do not work.

     

    On the Ex2k7 UM server the following event is logged:

    Event Type: Warning
    Event Source: MSExchange Unified Messaging
    Event Category: UMService
    Event ID: 1113
    Date:  25/02/2008
    Time:  16:45:27
    User:  N/A
    Computer: CICEXUM01
    Description:
    The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the target name that was specified in the certificate is incorrect. The error code was "1" and the message was "Incorrect function".


     

    If we then re-start the UM service everything works fine again.

    I've checked the certificates on both servers which are simply autoenrolled computer certs from our internal CA.

    There doesn't seem to be any other diagnostic information I can find.

    The event above is less than useful since the 'target name' on both certificates is definitely correct. If they were incorrect then surely it wouldn't work at all!

     

    I've just re-built the UM server using the /recoverserver switch and we get the same problems.

     

    Has anyone seen this?

     

    Thanks in advance for your help.

     

    Yours,

    Andy

    Monday, February 25, 2008 5:36 PM

All replies

  • You must verify that Exchange UM is configured with the correct certificate.

    You can see an event in the Eventlog that says which certificate Exchange UM uses.

     

    See the correct certificate for UM

    http://technet.microsoft.com/en-us/library/aa997231.aspx

     

    Johan
    Sunday, March 9, 2008 11:22 PM
  • Did you ever find a solution to this? I have an environment experiencing the same issue. I have a trusted internal cert with the FQDN of the server assigned to UM and SMTP and a second public cert assigned to all the other roles. After about a day I get a TLS failure from OCS. A restart of UM fixes the problem temporarily.

     

    Tuesday, May 13, 2008 4:25 PM
    Moderator
  • Hi Mike,

    Sorry but we're still getting the same issue.

    The environment this is happening on does not have live users so it's not been a priority to fix this.

    I haven't had much time recently to fix it either...

    I need to try the latest update rollup and see if that resolves it?

    My last thought on this was that it could be the certificate services template, we're not using a default one.

     

    Have you made any alterations to the certificate template you're using for either server?

     

    Post here if you get a resolution!

     

    Yours,
    Andy 

    Tuesday, May 13, 2008 6:41 PM
  • We put the rollup on over the weekend and it made no difference.  We are using an unmodified template for our UM certificate.

     

    Thursday, May 15, 2008 2:39 PM
    Moderator
  • Hello, we had the same issue here. Restarting UM service during the day was not an option. So we decided to connect ExUM directly to our IP-PBX. It is some time ago.

     

    But I remember a strange error message in ExUM_Server. It was a warning or error about the "IP-Address of the OCS2007 server is missing in the certificate..." (PlayOnPhone was also impossible to Communicators and quoted with the same error/ warning in the UM-Log. - WITH ACTIVATED  EXPERT-LEVEL UM-LOGGING)

     

    Adding an IP address as a SAN to the certificate seemed not logical to me at this time. Maybe this will stop the TLS error. Sorry but I can't test it anymore, because it is a productive system.

     

    Please try to enable logging on UM-Server to EXPERT level on all UM-parts, like described here:

     

    http://technet.microsoft.com/en-us/library/bb430783(EXCHG.80).aspx

     

    Maybe you will find the strange certificate / IP-Address Error / Warning too, when using PlayOnPhone to Communicators or by calling ExUM-Pilot or during a normal work-day with the TLS failure.

     

    Best regards,

     

    Jan

    Monday, May 26, 2008 1:46 AM
  • Adding the IP address in the cert will not help you.

    But make sure that the UM Gateway configured in the Exchange environment connects to the FQDN of the OCS Server and that the FQDN is in the cert.

     

     

    Tuesday, May 27, 2008 10:39 PM
  • Like Jan, I can also confirm that this does not impact the PBX <-> UM integration, only OCS <-> UM.

    My suspicion is that this has to do with using multiple certificates.  In my case there is an Entrust certificate for public facing services (SMTP, OWA, etc.) of mail.domain.com and an internal certificate for UM for the internal FQDN of the server.  The behavior seems like Exchange starts to present the wrong certificate to OCS.  However, when you check the UM folder the correct certificate is there.

    It's just a theory - I can't find a way to determine which certificate is actually being presented to OCS at the time of the failure.
    Wednesday, May 28, 2008 7:51 PM
    Moderator
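
One way to see which certificate a TLS endpoint is presenting and whether it covers the expected target name, as an added example that is not part of the original thread. The host names, the CA file and port 5061 are assumptions, and the two sample certificates are constructed in the format Python's `getpeercert()` returns.

```python
import socket
import ssl

def cert_names(cert):
    """Return (common_name, dns_sans, ip_sans) from a getpeercert() dict."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    sans = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    return cn, dns, ips

def matches_target(cert, fqdn):
    """True if fqdn is covered by a DNS SAN, or by the CN when there is no DNS SAN."""
    cn, dns, _ = cert_names(cert)
    candidates = dns or ([cn.lower()] if cn else [])
    fqdn = fqdn.lower().rstrip(".")
    for name in candidates:
        if name == fqdn:
            return True
        # A wildcard covers exactly one left-most label, e.g. *.corp.example
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False

def fetch_presented_cert(host, port, ca_file):
    """Handshake with host:port and return the certificate the server presents."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified; the name is compared separately
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert()

def report(cert, fqdn):
    """One log line saying which certificate was seen and whether the name matches."""
    cn, dns, ips = cert_names(cert)
    verdict = "MATCH" if matches_target(cert, fqdn) else "TARGET NAME MISMATCH"
    return (f"{verdict}: expected={fqdn} CN={cn} DNS={dns} IP={ips} "
            f"serial={cert.get('serialNumber')}")

# Constructed samples modelled on the internal and public certificates described above
INTERNAL = {"subject": ((("commonName", "um01.corp.example"),),),
            "subjectAltName": (("DNS", "um01.corp.example"),), "serialNumber": "0A01"}
PUBLIC = {"subject": ((("commonName", "mail.example.com"),),),
          "subjectAltName": (("DNS", "mail.example.com"),), "serialNumber": "0B02"}

if __name__ == "__main__":
    for sample in (INTERNAL, PUBLIC):
        print(report(sample, "um01.corp.example"))
    # Live check (assumed values):
    # print(report(fetch_presented_cert("um01.corp.example", 5061, "internal-ca.pem"), "um01.corp.example"))
```

Run on a schedule and logged, the serial number in each line shows whether the presented certificate changes between the working and failing states. If the chain does not verify against the CA file, the handshake raises `ssl.SSLCertVerificationError`, which also indicates a certificate from a different issuer is being served.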