Cannot Sign in Communicator

  • Question

  • Our Environment:

    Exchange 2007 on Windows 2008 Server        
    DC on Windows Server 2003                         
    OCS 2007 on Windows Server 2003               

    The installation of OCS went smoothly; I had an issue with service accounts where the service was not starting, but that's sorted out too. All services are running fine. On the OCS server I installed adminpack so that I could create communication users.

    When creating users I chose to create them with their email addresses.
    I had created a certificate earlier and assigned it to the computers already. Certificate name is office.schs.org.ae. CA is installed on the OCS server.

    The pool name is office.schs.org.ae and I have a DNS record for sip.schs.org.ae pointing to my OCS server.

    I installed Communicator on a computer, entered his email address, and it tried logging in and then it asked me to fill in the domain/username and password.

    After doing so I got the following error.

    Cannot sign in to Communicator. You may have entered your sign-in address, username, or password incorrectly, or the authentication service may be incompatible with this version of the program.

    We have ISA 2006 in our environment and it does not block any traffic from the computers.

    I have no idea how to progress further; I'm not sure if what I have done in the DNS entry is right or not. I'm facing this problem on all computers.

    We are planning to use OCS so far only internally for IM and Webchat.

    Can anyone please help on this matter.


    MVP - Most Valuable Primate
    Wednesday, June 24, 2009 10:38 AM

All replies

  • Is your sip address the same as the email address?
    You must check this in the properties of the user account on the communications tab.

    If you can't find that tab start ADUC from the OCS Server
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Wednesday, June 24, 2009 2:14 PM
  • After enabling communication for users in the ADUC there is a separate column for communication

    It shows there sip:sheldon@schs.org.ae
    My email address is sheldon@schs.org.ae

    Does this mean the same thing?

    MVP - Most Valuable Primate
    Wednesday, June 24, 2009 5:30 PM
  • The sip address and the email address are 2 different entries, although by default it creates the user with their reply to email address as the sip address.

    sip:sheldon@schs.org.ae is the sip address of the user you listed.

    When you login, you have to provide your sip address for the "sign on" address and then for the username, you have to provide your Windows Domain user name.  You can either provide that as DOMAIN\Username or Username@domain

    If there is a problem with the certificate, it usually complains about that, so it is likely you are supplying the wrong combination of sip address:User Name: Password.

    Hope this helps.

    Thursday, June 25, 2009 2:26 AM
  • In the properties of my user in ADUC, Communication tab there is

    signin name which is sip:sheldon@schs.org.ae
    server on pool is office.schs.org.ae

    My domain is schs
    I use domain\username or email address
    and the correct domain password

    but I still get the same message.

    I'm assuming it's a certificate problem but I don't know what it is?
    MVP - Most Valuable Primate
    Thursday, June 25, 2009 4:27 AM
  • Okay, if you are getting asked for a password, it is finding the OCS Server.  There are 2 steps to the login, first you enter the signin address and click sign in.

    Then it presents a Q for username/password.

    So, you are getting somewhere... but not all the way.

    Due to the above, I suspect you will not find anything useful, but check the Application Event Log and see if there are any useful Communicator Messages.  As far as I've found you might as well not waste any time checking the "log Communicator Events" in the Options settings, cause I've never found any kind of log to look at.  Still the event log will give you a clue to verify it is finding the OCS Server.

    One thing you can do to check if you have a certificate problem is set your date back 1 yr.  You should get a complaint about the certificate when you do that.  If you don't then we'll have to figure out what that means... but it would tend to confirm your suspicion about a certificate problem.  If you do get the message, I think the problem is not the certificate, because usually when it is a certificate problem the error message usually indicates that in some way... but as you suspect certificate problems can present errors that don't make sense.

    Nevertheless, it will help with some additional diagnostic info.

    Also check the event log on the OCS Front End Server.  See if login failures are being logged.

    What about on the Front End in the OCS Admin Tool, check that user.  I know it may be obvious, but make sure on the User Properties the "Enable User for Office Communications Server" is checked.  If it's not checked the user will show up as "Disabled".  I assume you enabled yourself, but just checking.

    Also I assume you installed OCS 2007 "R2".  Did you install the R2 version of Communicator?

    You can also get login problems if the OCS backend database is down or unreachable by the OCS Server.

    On your front end settings, is your Authentication Protocol set to "Both NTLM & kerberos"?

    I regret not naming my pool the same as the server's computer name, because it seems some administrative tasks distinguish between the 2, yet when it opens the url in IE it uses the pool name in the url, but the link fails unless I use the computer name (on a ssl url "https").

    Nevertheless, I just checked my certificate and found that when I created the certificate I entered several names for the alternate name.  The certificate is issued to the Pool name, but I also included in the alternate name all those host names they suggest for the login, like sip.domain.com, internal.sip.domain.com, servername.domain.com.

    We run the mediation server in a virtual machine on the same box as the front end server (considered a no-no, but it works just fine).  Point is, that because of that, the server had 2 additional ip addresses and I created 2 additional host names for those ip address --- and so I added those 2 host names in the alternate names of the certificate as well.

    It is easy enough to create a new certificate and add all the host names to that cert that are used with OCS in the alternate names, and the pool name for the main cert name.

    That's a long list of things to try.  The certificate thing has a good chance of working.  You really should not have this problem, so give it a go and report back.  I'll be up for a while tonight!


    Thursday, June 25, 2009 5:23 AM
  • Thanks for your reply.

    Regarding the certificate issue, I changed my clock a year back and tried logging in and Communicator failed telling me that there is an issue with the certificate. Turned the clock back to the current date and I get to enter my credentials, so I doubt the certificate may be the issue.

    I have OCS Server 2007 R1 not R2 and the client is also R1 (2.0.6362.0)
    Authentication Protocol set to Both NTLM & kerberos

    Yes, I enabled the users in the administration area.

    I will post logs of my pc and the server about the error messages.
    MVP - Most Valuable Primate
    Thursday, June 25, 2009 6:39 AM
  • If you are not getting a message that there is a problem with the certificate then you probably do have a certificate problem.

    When I set my clock back a year and try to login, I do not get the username/password prompt and it complains about the certificate.

    The only thing is that we have R2 installed, so I can't be sure R1 would give the same behavior.

    Did you check your certificate like I said regarding the alternate names?  I think that has a high possibility of being the issue.

    Also, if you are just now installing this, I highly recommend you install R2 if you have the ability to do that.  It has substantially better performance AND a lot of important features that a modern phone system has, and R1 doesn't... like delegates and an Operator Attendant Console...

    If you're up late working on this, post your results, I'll be up a while longer as well.  I can't promise I'll lead you to the solution, but I struggled with our installation for a couple weeks, yet was able to get everything working, including cooperation with Exchange for voicemail, auto attendant, and now I've just got individual fax numbers and fax receive working with Exchange in the OCS environment... although I had to kludge the Exchange configuration until I figure out why Hunt Groups do not appear to work as advertised in Exchange.

    Good Luck!

    Thursday, June 25, 2009 6:48 AM
  • Okay, deleted the entire certificate from the CA and from my system and created a fresh clean one. Now for the main certificate name it takes my pool name, which is office.schs.org.ae, and there is an alternate name which is sip.schs.org.ae, and the DNS entry for that is present, pointing to the OCS server IP.

    We would love to install R2; however, it only works on 64-bit hardware and we have a majority of 32-bit servers and only one 64-bit, which is running MOSS and Exchange 2007.

    So now when I change my clock back I get the certificate issue message and it does not prompt for credentials, but if I turn the clock to the present day it prompts for credentials and there is no message.


    Communicator was unable to locate the login server. No DNS SRV records exist for domain schs.org.ae, so Communicator was unable to login.



    Please double-check the server name to make sure that it is typed correctly. If it is correct, the network administrator will either need to use manual configuration to specify the login server's fully-qualified domain name (FQDN), or add DNS SRV records for the schs.org.ae domain in order to allow automatic client configuration. The DNS SRV records _sipinternaltls._tcp.schs.org.ae, _sipinternal._tcp.schs.org.ae and/or _sip._tls.schs.org.ae may need to be configured if automatic configuration is desired.

    Communicator was unable to resolve the DNS hostname of the login server sipinternal.schs.org.ae.



    If you are using manual configuration for Communicator, please check that the server name is typed correctly and in full. If you are using automatic configuration, the network administrator will need to double-check the DNS A record configuration for sipinternal.schs.org.ae because it could not be resolved.

    Communicator failed to connect to server sip.schs.org.ae ( on port 443 due to error 10061. The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist.



    Please make sure that your workstation has network connectivity. If you are using manual configuration, please double-check the configuration. The network administrator should make sure that the service is running on port 443 on server sip.schs.org.ae (


    The process DataMCUSvc(416) failed to send health notifications to the MCU factory at https://office.schs.org.ae:444/LiveServer/MCUFactory/.

    Failure occurrences: 5, since 6/25/2009 8:49:50 AM

    The process IMMcuSvc(2584) failed to send health notifications to the MCU factory at https://office.schs.org.ae:444/LiveServer/MCUFactory/.

    Failure occurrences: 5, since 6/25/2009 8:49:52 AM.

    The process AVMCUSvc(6072) failed to send health notifications to the MCU factory at https://office.schs.org.ae:444/LiveServer/MCUFactory/.

    Failure occurrences: 5, since 6/25/2009 8:49:52 AM.

    I have no idea why sipinternal.schs.org.ae keeps coming up in the logs; I have used sip.schs.org.ae

    MVP - Most Valuable Primate
    Thursday, June 25, 2009 8:02 AM
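
The lookup sequence that the client event log entries in the last post walk through, combined with the certificate name check suggested earlier in the thread, modelled as an added example (not code from any poster or from Microsoft). The record data is constructed from names in the thread, the IP address is a placeholder, and the simplified walk (including port 443 for both host fallbacks) is an assumption drawn only from the logged messages.

```python
# Added example: offline model of the sign-in discovery seen in the event log.
SRV_NAMES = ["_sipinternaltls._tcp", "_sipinternal._tcp", "_sip._tls"]  # from the log
HOST_FALLBACKS = ["sipinternal", "sip"]                                 # from the log

# Constructed sample data: names from the thread, placeholder IP address.
CERT = ["office.schs.org.ae", "sip.schs.org.ae"]  # subject + alternate name
A_RECORDS = {"office.schs.org.ae": "192.0.2.10", "sip.schs.org.ae": "192.0.2.10"}

def cert_covers(host, cert_names):
    """True if host equals the subject or a SAN entry (exact or one-label wildcard)."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def discover(sip_uri, srv, a_records, cert_names):
    """Walk SRV names, then host fallbacks; return (trace, chosen).

    srv maps SRV name -> (target_host, port); a_records maps host -> IP.
    chosen is (host, port, cert_ok) for the first resolvable candidate, else None.
    """
    domain = sip_uri.split(":", 1)[-1].split("@", 1)[1].lower()
    trace, candidates = [], []
    for label in SRV_NAMES:
        name = f"{label}.{domain}"
        if name in srv:
            trace.append((name, "SRV found"))
            candidates.append(srv[name])
        else:
            trace.append((name, "no SRV record"))
    for label in HOST_FALLBACKS:
        # 443 is the port the log shows for sip.<domain>; assumed for sipinternal too.
        candidates.append((f"{label}.{domain}", 443))
    for host, port in candidates:
        if host not in a_records:
            trace.append((host, "no A record"))
            continue
        ok = cert_covers(host, cert_names)
        trace.append((host, f"resolves; certificate {'matches' if ok else 'does NOT match'}"))
        return trace, (host, port, ok)
    return trace, None

if __name__ == "__main__":
    trace, chosen = discover("sip:sheldon@schs.org.ae", {}, A_RECORDS, CERT)
    for name, result in trace:
        print(f"{name}: {result}")
    print("client connects to:", chosen)
```

With the thread's names, the walk ends at sip.schs.org.ae on port 443 with a matching certificate, which is the attempt the log reports as refused with error 10061.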