Remote Office Communicator cannot login but OCS enabled phone does ??

  • Question

  • Hi guys,

    I am facing a strange problem in my setup. I have built a test environment using Windows Server 2008 as FE server and 2003 as Edge Server. Internally everything works fine. I am using 2 public IPs for the edge server:

    1 public IP x for Access Edge and Web Conf services
    1 public IP x for A/V Edge services

    The Edge server external interfaces are using GoDaddy UCC certs. The A/V Edge server is using an internal cert as explained in the deployment guide. The problem is that external users cannot sign in using Communicator, but they can log in with their OCS-enabled IP phones (Snom) and they can call each other's Snom phones, but there is no audio. I have disabled the firewall on all my test servers and tried again, but no success.

    When Communicator tries to sign in from a remote location it gives an error message, i.e. "There was a problem verifying certificate from the server":

    Event Type:    Error
    Event Source:    Communicator
    Event Category:    None
    Event ID:    5
    Date:        17/12/2009
    Time:        15:39:32
    User:        N/A
    Computer:    MNE
    Description:
    Communicator could not connect securely to server sip.provu-ocs.co.uk because the certificate presented by the server was not trusted due to validation error 0x80ee0065.  The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
     
     Resolution:
     A tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit can be used in order to interpret the error code listed above.  If you trust the server certificate, the issuing certificate authority (CA) certificate can be placed in the local trusted root certificate authorities certificate store.  If you have logged into the server before without issues the network administrator should carefully examine the certificate if no known configuration changes have been made.

    Can you please help me? Thanks
    Thursday, December 17, 2009 3:43 PM

All replies

  • You may be using a certificate that is not supported in its current configuration; take a look at these related discussions to see if you have an error in your original certificate request process. I've also seen specific issues with some GoDaddy certificates based on key length and other variables when used with OCS.

    http://social.microsoft.com/Forums/en/communicationsserversetup/thread/4e0a0db1-b43d-4c3f-8ef9-28a967a2a050
    http://social.microsoft.com/Forums/en/communicationsserversetup/thread/dd973b80-96f7-43e4-960a-c2d0de9db0e6

    You may also need to enable the root CA's certificate for "all purposes", as discussed in the last section of this blog article:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=69

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, December 17, 2009 5:55 PM
    Moderator
  • I have gone through Jeff's blog, which explains a lot, and I have enabled all purposes for the GoDaddy Root Certificate Authority, but still no joy. I can telnet to ports 443 and 5061 etc. on my edge server without a problem. My AD/DNS server is 2003 x64, FE server is 2008 x64 and Edge server is 2003 x64.

    One confusion from the above post is this bit:

    "Your external edge interface needs to have the following SANs associated with it:

    sip.domain.com
    sipexternal.domain.com

    ^These have to be as they are above

    webconf.domain.com
    audiovideo.domain.com
    edge.domain.com
    localserver.domain.com

    ^These names have to be whatever you have assigned in the edge server configuration wizard.

    I found that it was easiest to just tack on the role of each SAN to the end of ocsedge, so my entries were:

    ocsedgewc.domain.com
    ocsedgeav.domain.com
    ocsedge.domain.com"

    I thought the external interface should only have SANs such as the FQDN of the external interface, which in my case is sip.provu-ocs.co.uk, and I am trying to use the same cert for web conf as well, with web.provu-ocs.co.uk added to the SAN. But the above statement says that I have to put something like localserver.domain.com, which in my case is the same as the FQDN of the internal interface.

    Also, in my GoDaddy SAN cert I have an additional SAN name, www.sip.provu-ocs.co.uk, which I didn't enter. Do you think it might create issues like this? I have tested this using the testocsconnectivity website and it passes the test for remote users. Confused ;(
    Friday, December 18, 2009 9:44 AM
  • Hi Muhammad & Jeff :)

    When you open the link:

    https://sip.provu-ocs.co.uk:443

    in Mozilla Firefox, you will get:

    (errorcode: sec_error_revoked_certificate)

    A pretty plain explanation of what's wrong with the cert. Even a self-signed one is better than a revoked one ;)

    BTW: feel free to contact me in case you would like to get a UC (SAN) certificate that you can really count on :)

    Or simply check out our current one by opening https://sip.snom.com:443 in Mozilla Firefox and have a look at the SANs / FQDNs in the Subject Alternative Name field.

    Cheers and have a great Sunday,

    Jan
    Jan Boguslawski | Technical Product Manager - snom OCS Edition | MCITP: EA, MCTS OCS, MCTS EXCHANGE | snom technology AG, Berlin | www.snom.com | http://ocsphoneguy.blogspot.com
    Saturday, December 19, 2009 9:36 PM
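An added example, not from this thread or from any product named in it: a stdlib Python checker that lists the DNS SANs a server certificate carries and compares them with the names the blog post quoted in Muhammad's reply says an Edge external certificate needs, and reports expiry. The domain and the sample certificate contents follow his description of the GoDaddy UCC cert; `fetch_peer_cert` is an added helper for a live server, and `SAMPLE_CERT` is a constructed stand-in so the check runs offline.

```python
import socket
import ssl

# Names the blog post quoted above says the Edge external cert must carry:
# sip.<domain> and sipexternal.<domain> are fixed, the rest are whatever the
# Edge wizard assigned. Domain and web-conf name are the poster's.
EDGE_DOMAIN = "provu-ocs.co.uk"
EXPECTED_SANS = [f"sip.{EDGE_DOMAIN}", f"sipexternal.{EDGE_DOMAIN}", f"web.{EDGE_DOMAIN}"]

# Constructed stand-in for the GoDaddy UCC cert the poster describes (sip, web
# and the unrequested www.sip name), in getpeercert() form; date is made up.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "sip.provu-ocs.co.uk"),
        ("DNS", "web.provu-ocs.co.uk"),
        ("DNS", "www.sip.provu-ocs.co.uk"),
    ),
    "notAfter": "Dec 10 00:00:00 2010 GMT",
}

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Pull the cert a live server presents. Chain trust is still enforced (an
    untrusted chain raises SSLCertVerificationError, the client-side twin of the
    Communicator error); hostname checking is off so the SAN comparison can run."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(san: str, wanted: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    san, wanted = san.lower(), wanted.lower()
    if san == wanted:
        return True
    return (san.startswith("*.") and wanted.endswith(san[1:])
            and wanted.count(".") == san.count("."))

def check_edge_cert(cert: dict, expected: list, now: float) -> dict:
    """Report expected names the cert lacks, DNS SANs nobody asked for, and
    whether it has expired at epoch time `now`. Revocation is not visible here."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "sans": sans,
        "missing": [n for n in expected if not any(name_matches(s, n) for s in sans)],
        "unexpected": [s for s in sans if not any(name_matches(s, n) for n in expected)],
        "expired": now >= not_after,
        "days_left": int((not_after - now) // 86400),
    }
```

`getpeercert()` carries no revocation status, so the revoked-certificate condition Jan's reply found has to be checked separately, for example in a browser as he describes.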