NTLM Authentication & Server Time-Out Validation Issues

Question

Hello,

    We have recently attempted to deploy OCS 2007 R2 on a single front-end server (mostly for IM connectivity) & an Edge server, both using Server 2008 Standard.  We are working on federating with the outside, but before we can, we have encountered strange issues.

    Our domain name is "tneusa.com," pool name is listed as "tneocs" & the server FQDN is "tneocs.tneusa.com."

We have 2 zones that are SIP-enabled: TNEUS.com & TNEUSA.com (neither is external; TNEUS is an artifact of our old directory structure).

    We have our DNS set up like so:

    TNEUSA zone:

    (A) TNEOCS -> 10.100.253.16
    (A) TNEPOOL -> 10.100.253.16
    (A) SIP -> 10.100.253.16
    (A) TNEEDGE -> 10.100.253.20
    (SRV) _sipinternaltls -> sip.tneusa.com (port 5061)

    TNEUS zone:
    (A) TNEOCS -> 10.100.253.16
    (A) TNEPOOL -> 10.100.253.16
    (A) SIP -> 10.100.253.16
    (A) TNEEDGE -> 10.100.253.20
    (SRV) _sipinternaltls -> sip.tneus.com (port 5061)

Everything is working internally (auto-logon, IM, conferencing, AV).  When we attempt to validate on the front-end server, the only warnings we are getting other than the NTLM issues are regarding CWA & the Response Group Service, neither of which we are using.

    [code]
    Maximum hops: 2
    Successfully established security assocation with the server: User test Domain tneusa.com Protocol Kerberos Target sip/TNEOCS.tneusa.com
    User registration succeeded: User sip:test@tneus.com @ Server sip.tneus.com

    *-*-*-*-*-*-*-*

    Maximum hops: 2
    Successfully established security association with the server: User test Domain tneusa.com Protocol NTLM Target TNEOCS.tneusa.com
    Failed to register user: User sip:test@tneus.com @ Server sip.tneus.com
    Failed registration response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:test@tneus.com>;epid=epid01;tag=21279d106c
    TO: <sip:test@tneus.com>;tag=4C4645246D5BE768D47396F40C850C80
    CSEQ: 5 REGISTER
    CALL-ID: a3d612455bc24b3d816351a3ba75bf11
    VIA: SIP/2.0/TLS 10.100.253.16:58492;branch=z9hG4bK9757151c;ms-received-port=58492;ms-received-cid=1900
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000AD3C0F3BF2955842", srand="34BB1FD4", snum="1", opaque="8DAD4518", qop="auth", targetname="TNEOCS.tneusa.com", realm="SIP Communications Service"
    ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOCS.tneusa.com";Destination="sip:tneus.com:5061;maddr=sip.tneus.com;transport=Tls"]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
    Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
    [/code]

The pool is set to accept both NTLM & Kerberos authentication--Kerberos works fine.  The front end server is set to MTLS transport, though changing this to TLS has no effect.

Since everything is working without error on our clients, we figured this would not be a problem--until we began attempting to validate the Edge server.  NTLM works properly when attempting to authenticate each user, but when we reach "Check two-party IM->Attempting to establish SIP dialog from test@tneus.com to test2@tneus.com using sip.tneus.com," we are given the following error (very similar):

    [code]
    Maximum hops: 3
    Received a failure SIP response: User sip:test2@tneus.com @ Server sip.tneus.com
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:test@tneus.com>;tag=67381f73e16ab380f23c;epid=epid01
    TO: <sip:test2@tneus.com>;tag=4C4645246D5BE768D47396F40C850C80
    CSEQ: 7 INVITE
    CALL-ID: 26f875a53e9e45e1b4d56ee0ecfc20f4
    VIA: SIP/2.0/TLS 10.100.253.20:49287;branch=z9hG4bK5057034;ms-received-port=49287;ms-received-cid=2700
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000588A330C18602C6F", srand="BF338977", snum="3", opaque="79D91DAB", qop="auth", targetname="TNEOCS.tneusa.com", realm="SIP Communications Service"
    ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOCS.tneusa.com";Destination="sip:rkelsey@tneus.com:5061;maddr=sip.tneus.com;transport=tls"

    ]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
    Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
    Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
    [/code]

All servers can ping each other fine by FQDN & IP address.

    Any ideas of what exactly the issue is here?!

    Wednesday, April 15, 2009 7:16 PM
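The two 504 responses in the post carry the facts needed to read the failure, but they are spread across the `AUTHENTICATION-INFO` and `ms-diagnostics` headers. The following parser is an added example, not code from the original poster or from OCS; it takes the first 504 response above (reassembled as a raw SIP message, with the header values copied from the post) and pulls out the authentication scheme and `targetname`, the ms-diagnostics code, reason and `source`, and the `Destination` URI with its `maddr` and `transport` parameters. It also reports whether the SIP domain being routed to (`tneus.com`) falls under the DNS suffix of the front end that generated the error (`tneusa.com`); since the post says both zones are SIP-enabled, that is an observation to check against the pool's supported-domain list, not a verdict on the cause. The quote-aware splitting matters because the `Destination` value itself contains semicolons.

```python
import re

# Constructed sample: the first 504 response pasted in the post above, with
# CRLF line endings restored so it parses as a raw SIP message.
SAMPLE_504 = "\r\n".join([
    "SIP/2.0 504 Server time-out",
    "FROM: <sip:test@tneus.com>;epid=epid01;tag=21279d106c",
    "TO: <sip:test@tneus.com>;tag=4C4645246D5BE768D47396F40C850C80",
    "CSEQ: 5 REGISTER",
    "CALL-ID: a3d612455bc24b3d816351a3ba75bf11",
    "VIA: SIP/2.0/TLS 10.100.253.16:58492;branch=z9hG4bK9757151c;ms-received-port=58492;ms-received-cid=1900",
    "CONTENT-LENGTH: 0",
    'AUTHENTICATION-INFO: NTLM rspauth="0100000000000000AD3C0F3BF2955842", srand="34BB1FD4", snum="1", '
    'opaque="8DAD4518", qop="auth", targetname="TNEOCS.tneusa.com", realm="SIP Communications Service"',
    'ms-diagnostics: 1022;reason="Cannot process routing destination";source="TNEOCS.tneusa.com";'
    'Destination="sip:tneus.com:5061;maddr=sip.tneus.com;transport=Tls"',
    "", "",
])


def split_outside_quotes(text, sep):
    """Split on `sep` only where it is not inside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_params(items):
    """Turn ['k="v"', 'k2=v2', ...] into a dict with lower-cased keys and unquoted values."""
    params = {}
    for item in items:
        key, _, value = item.partition("=")
        params[key.strip().lower()] = value.strip().strip('"')
    return params


def parse_sip_response(raw):
    """Split a raw SIP response into status, reason phrase and a lower-cased header dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not match:
        raise ValueError("not a SIP/2.0 response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(match.group(1)), "reason": match.group(2), "headers": headers, "body": body}


def parse_sip_uri(uri):
    """Parse sip:[user@]host[:port][;param=value...] into a dict (no IPv6 literals)."""
    body = uri[4:] if uri.lower().startswith("sip:") else uri
    hostport, *params = body.split(";")
    user, _, hostport = hostport.rpartition("@")
    host, _, port = hostport.partition(":")
    result = {"user": user or None, "host": host.lower(), "port": int(port) if port else None}
    result.update(parse_params(params))
    return result


def diagnose(raw):
    """Collect the routing-relevant facts from an OCS 504 carrying ms-diagnostics."""
    resp = parse_sip_response(raw)
    h = resp["headers"]
    scheme, _, rest = h.get("authentication-info", "").partition(" ")
    auth = parse_params(split_outside_quotes(rest, ","))
    diag_parts = split_outside_quotes(h.get("ms-diagnostics", ""), ";")
    diag_code = int(diag_parts[0]) if diag_parts and diag_parts[0].isdigit() else None
    diag = parse_params(diag_parts[1:])
    dest = parse_sip_uri(diag.get("destination", ""))
    source = diag.get("source", "").lower()
    # DNS suffix of the server that reported the error, e.g. tneocs.tneusa.com -> tneusa.com
    server_suffix = source.partition(".")[2]
    return {
        "status": resp["status"],
        "auth_scheme": scheme,
        "auth_target": auth.get("targetname"),
        "diag_code": diag_code,
        "diag_reason": diag.get("reason"),
        "diag_source": diag.get("source"),
        "dest_user": dest["user"],
        "dest_domain": dest["host"],
        "dest_port": dest["port"],
        "dest_server": dest.get("maddr"),
        "dest_transport": dest.get("transport"),
        "server_suffix": server_suffix,
        # Is the SIP domain being routed to the same DNS domain as the reporting front end?
        "dest_in_server_suffix": dest["host"] == server_suffix,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_504).items():
        print("%-24s %s" % (key, value))
```

Feeding the second (INVITE) response from the post through `diagnose` gives the same `diag_code`, `diag_source` and `dest_server`, with `dest_user` populated from the `sip:rkelsey@tneus.com` destination; comparing the two outputs side by side is a quick way to confirm that both failures are being generated by the same front end for the same routed domain.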