locked
OCS Proxy Server Activation - Access denied failure RRS feed

  • Question

  • Am trying to activate an OCS Proxy Server on a machine that is a member of my OCS server domain.  Installation of OCS Proxy server was successful  However, when I try to activate the server using the command line:

    lcscmd.exe /server /password:test /action:activate /role:workgroupProxy

    I get the following error in the event viewer:

    Unable to use a certificate as configured

    Transport:TLS, IP address:*, Port:5061. Error:0x0xC3E93C0D (SIP_E_STACK_TRANSPORT_CERT_NOT_FOUND).
    Cause: The certificate may have been deleted or the configuration is erroneous.
    Resolution:
    Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

    Office Communications Server AppDomain host process started
    C:\Program Files\Microsoft Office Communications Server 2007 R2\Server\Core\RtcHost.exe v3.5.6907.0
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorlib.dll v2.0.50727.4016
    C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll v2.0.50727.4016
    C:\Program Files\Microsoft Office Communications Server 2007 R2\Server\Core\MS.ErrorReporting.dll v?.?.?.? GetFileVersionInfoSize 0

    Unable to start the stack.

    Error: 0x0xC3E93C62 (SIPPROXY_E_NO_DEFAULT_OUTGOING_CERT).

    Failed starting the protocol stack. The service has to stop

    Office Communications Server AppDomain host process stopped

    Failed to activate Office Communications Server 2007 R2, Proxy Server (workgroup) on machine rtptsrvr6.ocs07r2s1.us.nortel.com.
    Error: 80070005
    Description: Access is denied.

    Error code is:0xC3E93C62 (SIPPROXY_E_NO_DEFAULT_OUTGOING_CERT).
    Cause: Check the previous entries in the event log for the failure reason.
    Resolution:
    Try restarting the server after resolving the failures listed in the previous event log entries.

    I am running Windows Server 2008 SP2 and I don't know if this certificate is missing and I am required to obtain one, if so how?  Any help toward resolution would be most appreciated.

    Tuesday, October 6, 2009 7:49 PM

All replies

  • Are you doing this with an elevated command prompt?  (Right Click command prompt "Run As Administrator")
    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Tuesday, October 6, 2009 7:53 PM
  • Yes, I am running this as Administrator from the command prompt.
    Wednesday, October 7, 2009 1:35 PM
  • Have you seen this blog entry?

    http://ocsblogs.blogspot.com/2009/08/what-is-ocs-r2-proxy-server.html

    I notice you tried: lcscmd.exe /server /password:test /action:activate /role:workgroupProxy
    Did you try: lcscmd.exe /server /user:username /password:test /action:activate /role:workgroupProxy

    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Wednesday, October 7, 2009 2:32 PM
  • Thanks, I have seen that blog entry and I did try the addition of the user parm.  Still don't understand what the user and password applies to, but it gave me the same results. Apparently I missing this certificate and I don't know where to obtain it.
    Wednesday, October 7, 2009 7:17 PM
  • Have you enrolled the server for a certificate on your CA?  You will have to enroll manually.  The certificate CN should have the server fqdn and it should use the Web Server Template. 
    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Wednesday, October 7, 2009 7:26 PM
  • Not all that familiar with certificates, did a little work to get the Address Book Server to download to the client machines.  Have not enrolled the server for a certificate.  Is this done on the OCS server or via a web interface? Could you provide some help, or point me to some instructions or information that can assist me?  Thanks
    Thursday, October 8, 2009 3:06 PM
  • Assuming you have an internal CA (we will call it CA1) do the following on the proxy server:
    1. open IE and browse to http://CA1/Certsrv
    2. Select Request a Certificate
    3. select advanced cert request
    4. select create and submit a request to this ca
    5. select the web server template
    6. enter the information in the form.  The name field should equal the FQDN of the proxy server
    7. select submit
    8. Download the certificate to the computer as a .cer file
    9. open the mmc and add the certificates (local computer) mmc
    10. expand certificates (local computer) - Personal
    11. Right click on the personal store and select all tasks - import
    12. locate the .cer file and follow the wizard

    Try the activation again.  Again, this is all reliant on the fact that you have an internal certificate authority. 
    Mark
    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Thursday, October 8, 2009 3:21 PM
  • I am trying to execute the steps you are recommending, but when I get to the point of selecting the web server template, I get the following error dialog:

    "You need to install the following CSPs before enrollment, Microsoft RSA SChannel Cryptographic Provider, and Microsoft DH SChannel Cryptogrpahic Provider."

    I do have the IIS installed on the machine.  I am running Windows Server 2008 SP2.  I found the following update, wondering if it is related.

    http://support.microsoft.com/kb/922706/en-us

    Need to do more invesigation on CSPs, don't have any experience with them.

    Thanks
    Friday, October 9, 2009 2:51 PM