TLS outgoing Connection Failures on Edge Server

  • Question

  • We are getting TLS Connection Failures in the event log when external users launch Communicator.  The error details are below.  The Edge and Std server are both using certs issued from our internal CA.  Both machines are members of the domain and have the CA in their trusted list.

    The Validation tests (both Connectivity and 2 Party IM) succeed from both machines.

    Both machines are running Windows Server 2008 R2 (Std Ed) and OCS 2007 R2.  I'm really at a loss on this one, anyone seen this error before?  It seems certificate related, but wouldn't the validation tests fail if there was a cert issue?

    Event Log Error Details: 
    Over the past 1 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80004005 (Unspecified error) while trying to connect to the host "servername".
    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
    Resolution:
    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    Saturday, August 29, 2009 6:16 PM

Answers

  • Ah, that's definitely going to be your root cause.  I've already seen a bunch of problems with OCS running on Server 08 R2.  It's definitely not supported at the moment, a statement has yet to be officially released on any future support plans for the current release of OCS.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 2, 2009 2:47 PM
    Moderator
  • Yep...rolling the edge server back to Windows Server 2008 corrected the issue.  OCS 2008 R2 definitely has issues running on Windows Server 2008 R2.

    Thanks everyone.

    jon
    Thursday, September 3, 2009 7:19 PM

All replies

  • Or the client machine doesn't trust the CA used to issue certificates to the Edge, or the certificate issued to the Access Edge Server was issued to a wrong address.
    Bruno Estrozi - MCSE/MCTS/MCITP - Unified Communications Specialist | http://brunoestrozi.spaces.live.com
    Sunday, August 30, 2009 1:51 AM
  • Hm, thanks Bruno.  The event log error I am getting is on the Edge server and the servername listed in the error is the next hop internal server (OCS STD ED server).  That seems to indicate that it is a problem with the Edge server not being able to establish a TLS session with the OCS STD server - right?

    I don't get any certificate errors on the client machine that Communicator is running on, I just get an error dialog indicating that the server is not available.

    Thanks in advance if you have any other thoughts....

    jon
    Sunday, August 30, 2009 8:35 PM
  • Jon,

    Is your edge server a domain machine or non-domain?  Also, have you issued the certificates from your root CA for the Front End server?  The quick things to check would be if the name the edge is using for the "next hop FQDN" can be resolved and matches the CN or a SAN on the cert for the front end.  If those conditions are all good then please verify your root CA is in your trusted root certificate folder for the computer account (not user account) in the certificates snap-in on the edge server.

    HTH

    -kp
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Sunday, August 30, 2009 11:00 PM
  • Make a simple test.

    From the Edge, open https://<front-end fqdn> in IE; it must not give any certificate error.
    Bruno Estrozi - MCSE/MCTS/MCITP - Unified Communications Specialist | http://brunoestrozi.spaces.live.com
    Monday, August 31, 2009 12:59 AM
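The checks Kevin lists above (next hop name resolves, matches the CN or a SAN on the Front End cert, root CA trusted in the computer store) and Bruno's IE test can be done from the Edge without relying on the browser padlock. The script below is an added example, not something posted in this thread; it assumes `$NextHopFqdn` is the Edge's configured "next hop FQDN" (placeholder value) and that the Front End listens for SIP/TLS on port 5061 (use 443 to mirror Bruno's https test).

```powershell
# Added diagnostic for the Edge -> next hop TLS path; run on the Edge server.
# Assumptions: $NextHopFqdn is the configured next hop FQDN (placeholder below);
# $Port 5061 is the FE's SIP/TLS listener (443 replicates the IE https test).
param(
    [string]$NextHopFqdn = "fe01.corp.example",
    [int]$Port = 5061
)
# 1. Name resolution from the Edge's point of view.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($NextHopFqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolves: $NextHopFqdn -> $($ips -join ', ')"
} catch {
    Write-Host "DNS FAIL: $NextHopFqdn does not resolve ($($_.Exception.Message))"; return
}
# 2. Start a TLS handshake and capture the certificate the FE presents. The
#    callback accepts anything so the checks below, not .NET, decide the outcome.
#    The FE may require a client cert (MTLS) and abort after sending its own;
#    the server cert is still captured in the callback before that happens.
$global:feCert = $null
$cb = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $global:feCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($NextHopFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try { $ssl.AuthenticateAsClient($NextHopFqdn) } catch { Write-Host "Handshake ended: $($_.Exception.Message)" }
$ssl.Close(); $tcp.Close()
if (-not $global:feCert) { Write-Host "No certificate received from $NextHopFqdn"; return }
$cert = $global:feCert
# 3. Name check: next hop FQDN must equal the subject CN or appear as a DNS SAN.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sans = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($sanExt) { $sans = @(($sanExt.Format($false) -split ", ") | ForEach-Object { ($_ -split "=")[1] }) }
$nameOk = ($cn -eq $NextHopFqdn) -or ($sans -contains $NextHopFqdn)
Write-Host "CN=$cn SAN=[$($sans -join ', ')] matches next hop: $nameOk"
# 4. Chain check against the LocalMachine stores (the OCS service never sees the
#    user's store). Failure here is the "certificate root not trusted" case.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
Write-Host "Chain builds to a trusted root in the computer store: $chainOk"
if (-not $chainOk) { $chain.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation.Trim())" } }
```

Run it from an elevated PowerShell prompt on the Edge so the machine certificate stores are readable; a name mismatch or a failed chain build points at the cert, while a clean result shifts suspicion to the platform, as this thread eventually concluded.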
  • The Edge server is domain joined - to the same Domain as the next-hop Std Ed FE server.

    The Edge and FE have certs issued by the same internal CA and the name does match the SAN on the cert.

    CA is in the Trusted CAs on the Edge server.

    Really stumped by this one...I've set up this config lots of times in the past...the only difference here is that we are running on 2008 R2.  Wondering/worried that there is an incompatibility here.

    jon
    Monday, August 31, 2009 9:59 PM
  • Comes up fine in IE - no cert warnings and I get a good padlock in the address bar.
    Monday, August 31, 2009 10:00 PM
  • Are you experiencing any actual issues, or just trying to identify the event log root cause?

    I have seen false-positive warnings before that report connection errors to other hosts in 100% functional environments.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, August 31, 2009 10:05 PM
    Moderator
  • Hi,
    Per your description, you are running Windows Server 2008 R2 for OCS 2007 R2.
    But Windows 2008 R2 is not fully supported for OCS 2007 R2; that said, it will cause some odd issues.

    Regards! 
    Tuesday, September 1, 2009 3:58 PM
    Moderator
  • Yes, we are seeing an actual issue.  We're not able to log into Communicator outside the network.  When we do try to sign in, the event log error at the top of the thread is generated on the Edge server and the client gets an error dialog in Communicator indicating that the server is not available.
    Wednesday, September 2, 2009 1:56 PM
  • Yes, the Edge server is deployed on a WS2008 R2 machine.  I'll try re-building it with WS2008 and see if the behavior changes.

    jon
    Wednesday, September 2, 2009 1:57 PM