Help - What am I Doing Wrong?

  • Question


    I am setting up a test environment with OCS 2007 Std.  I'm using domain.local for internal and domain.com for external (web, mail, etc).  I would like to have all users sign into OCS using domain.com, however I have only been able to get domain.local to work.  I am using VMWare LabManager with the following VMs:

     

    Windows Server 2003 R2 Standard w/SP2

    DC01 -> Domain Controller, DNS

    OCS01 -> OCS 2007 Std

     

    Windows Server 2003 R2 Standard x64 w/SP2

    MAIL01 -> Exchange Server 2007 Std

     

    This is the process I used:

     

    1.)  Create internal domain domain.local
    2.)  Raise domain functional level to Windows Server 2003
    3.)  Raise forest functional level to Windows Server 2003
    4.)  Create domain.com zone in DNS
    5.)  Add SRV record for _sipinternaltls and point to ocs.domain.com
    6.)  Create CNAME record for ocs.domain.com pointing to ocs01.domain.local
    7.)  Run Prep Schema
    8.)  Run Prep Forest
     A.)  Domain = domain.local
     B.)  SIP Domain = domain.com
    9.)  Run Prep Current Domain
    10.) Run Deploy Server
     A.)  Use default service accounts
     B.)  Internal web farm FQDN = ocs01.domain.local
     C.)  External web farm FQDN = blank
    11.) Run Configure Pool/Server
     A.)  Existing Pool = ocs01.domain.local
     B.)  SIP domains in your environment = domain.com
     C.)  Some or all clients will use DNS SRV records for automatic logon is selected
     D.)  Use this server or pool to authenticate and redirect automatic client logon requests is checked
     E.)  SIP domains supported by this server or pool for automatic logon = domain.com (checked)
     F.)  Do not configure for external user access now is selected
    12.) Run Configure Certificate
     A.)  Certificate name = ocs01
     B.)  Organization = test
     C.)  Organizational Unit = dev
     D.)  Subject Name = ocs01.domain.local
     E.)  Subject Alternate Name = sip.domain.com
    13.) Request Certificate from domain controller (enterprise CA)
     A.)  Request certificate-> Advanced Certificate Request -> Submit a certificate request by using a base-64-encoded CMC...
     B.)  Copy and paste text from cert text file
     C.)  Certificate Template = Web Server
     D.)  Download Base 64 encoded certificate
    14.) Process a pending request
     A.)  Assign certificate
    15.) Run Start Services
    16.) Create 2 test domain users
    17.) Enable each user for Office Communications Server
     A.)  Sign-in name = sip:<username> @ domain.com
     B.)  Server or pool = ocs01.domain.local
    18.) Run Validate Front End Server Configuration -> FAILS with could not authenticate users via Kerberos (gives an error message regarding maximum hops)
    19.) Modify Global Properties and add domain.local to supported SIP domains
    20.) Modify test domain users to use @ domain.local
    21.) Run Validate Front End Server Configuration -> PASSES
    22.) Add SRV record for _sipinternaltls in domain.local and point to ocs01.domain.local
    23.) Automatic logon works

     

    Any/all help is appreciated.  I have been pulling my hair out for the past week.  I have looked through the OCS 2007 guides (Active Directory, Planning, Deployment, etc) but didn't find anything.  It's possible that I may have overlooked it.

    Monday, June 2, 2008 8:00 PM

All replies

  • What specifically isn't working?

     

    You mention that 'domain.local isn't working' but your steps show that Automatic login is working and you setup the SRV record for domain.local.

    Monday, June 2, 2008 8:40 PM
    Moderator



  • In the Office Communications Server global properties, under the General tab, I'll make sure that domain.com is listed.

    If that is fine, I'll assign a domain.com SIP URI to any user.

    I'll log in with Communicator using manual configuration (I'll specify the OCS server or pool FQDN in manual configuration).

    I will make sure I am using the right transport protocol (TLS or TCP) at the client side.

    I will try to log in. If I could, then I'll create a proper SRV record...

    I should have a domain.com zone, and will create the SRV record:

    _sipinternaltls._tcp.domain.com   5061   ocs01.domain.com

    I'll create an ocs01.domain.com A record pointing to the IP address of the OCS server or pool.

    And I'll make sure ocs01.domain.com is in the SAN on the OCS server certificate (MTLS).

    Hope this helps...


    Regards,
    R. Kinker
    MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com
    http://www.itcentrics.com/LCS_Home.htm






    Monday, June 2, 2008 8:47 PM
  • Kinker wrote: (quoted reply above)
     

    Sorry if it was unclear.  When I set the sign-in address to be @domain.com it doesn't work.  When sign-in is set to @domain.com and I run the Front-End Server Validation I get errors during authentication via Kerberos regarding "maximum hops 2" or something to that effect.  When I add domain.local to the SIP domain list under global properties and change the sign-in to use @domain.local everything works.

     

    When I change it back to @domain.com and try manual configuration I get a "problem verifying certificate from the server" error.  When I check the event properties this is what I see:

     

    "Communicator could not connect securely to server ocs.domain.com because the certificate presented by the server did not match the expected hostname (ocs.domain.com)."

     

    But they do match....or am I just crazy?

     

    One thing I did notice is that if I change the server to the internal server/pool name (ocs01.domain.local) I am able to sign in using @domain.com.  So I'm guessing that means a DNS resolution error?  But I already have a domain.com zone with a SRV record for ocs.domain.com and an A record pointing to the IP address of the OCS pool and it's not working.

     

    Just for fun I changed the "public" server to sip.domain.com (from ocs.domain.com) and updated the SRV and A records and everything worked.  I guess naming does matter.  And perhaps I was putting too much faith into the validation feature.

     

    Thanks for all the help.

    Wednesday, June 4, 2008 1:18 PM
  • Try walking through the steps in this blog: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=14

     

    It just sounds like you have a misconfiguration somewhere with the defined SIP domains, DNS SRV records, and what is populated in your certificate's Subject Name and/or Subject Alternative Name (SAN) fields.

     

    The FQDN that the client uses to connect to the OCS servers must match the SN or a SAN, otherwise you will get certificate errors.  Are you using a Standard deployment or an Enterprise (using a pool name) deployment?

     

    Also, I don't put too much weight into the Validation Wizard errors.  Work backwards through your configuration and make sure it matches documented scenarios.  Also, are you using a split-DNS configuration so that internal requests for name resolution for domain.com are handled by internal DNS servers, or is that all forwarded to a single authoritative external server?

    Wednesday, June 4, 2008 1:39 PM
    Moderator
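An added example (not code from this thread, from Microsoft, or from the linked blog) that models the check Jeff describes: walk the _sipinternaltls SRV record to its target, resolve it, and test whether the server certificate's Subject Name or a SAN actually covers the name the client dialed. The zone contents, the 10.0.0.10 address and the function names are constructed to mirror the original poster's layout (SRV -> ocs.domain.com, CNAME to ocs01.domain.local, cert CN ocs01.domain.local with SAN sip.domain.com) and the renamed layout that worked.

```python
from __future__ import annotations
from dataclasses import dataclass, field

SIP_PORT_TLS = 5061  # port Communicator expects behind _sipinternaltls._tcp
@dataclass
class Zone:
    """Minimal stand-in for the internal DNS zone (constructed, not real data)."""
    srv: dict[str, tuple[str, int]]          # owner name -> (target FQDN, port)
    a: dict[str, str]                         # FQDN -> IPv4 address
    cname: dict[str, str] = field(default_factory=dict)  # alias -> canonical name

def name_matches(expected: str, cert_name: str) -> bool:
    """Case-insensitive CN/SAN match; a wildcard covers exactly one left-most label."""
    expected, cert_name = expected.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in expected and expected.split(".", 1)[1] == cert_name[2:]
    return expected == cert_name

def check_autologon(sip_domain: str, zone: Zone, subject_cn: str, sans: list[str]):
    """Walk SRV -> target -> address -> certificate and report why sign-in fails."""
    findings = []
    record = zone.srv.get(f"_sipinternaltls._tcp.{sip_domain}")
    if record is None:
        return False, [f"ERROR: no _sipinternaltls._tcp SRV record for {sip_domain}"]
    target, port = record
    if port != SIP_PORT_TLS:
        findings.append(f"ERROR: SRV points at port {port}, TLS sign-in uses {SIP_PORT_TLS}")
    host = target
    while host in zone.cname:                 # follow the CNAME chain to the real host
        host = zone.cname[host]
    if host != target:
        findings.append(f"NOTE: {target} is a CNAME for {host}; the cert must still cover {target}")
    if host not in zone.a:
        findings.append(f"ERROR: SRV target {target} does not resolve to an address")
    if not any(name_matches(target, n) for n in [subject_cn, *sans]):
        findings.append(f"ERROR: cert CN={subject_cn} SAN={sans} does not cover {target}")
    return not any(f.startswith("ERROR") for f in findings), findings

# Constructed zones mirroring the thread: the original layout, then the renamed one.
CERT_CN, CERT_SANS = "ocs01.domain.local", ["sip.domain.com"]
ZONE_BROKEN = Zone(srv={"_sipinternaltls._tcp.domain.com": ("ocs.domain.com", 5061)},
                   a={"ocs01.domain.local": "10.0.0.10"},
                   cname={"ocs.domain.com": "ocs01.domain.local"})
ZONE_FIXED = Zone(srv={"_sipinternaltls._tcp.domain.com": ("sip.domain.com", 5061)},
                  a={"sip.domain.com": "10.0.0.10", "ocs01.domain.local": "10.0.0.10"})

if __name__ == "__main__":
    for label, zone in (("original", ZONE_BROKEN), ("renamed", ZONE_FIXED)):
        ok, findings = check_autologon("domain.com", zone, CERT_CN, CERT_SANS)
        print(label, "->", "sign-in OK" if ok else "sign-in FAILS", findings)
```

The original layout fails only on the certificate step: the client dials ocs.domain.com, but the cert names ocs01.domain.local and sip.domain.com, which is exactly the "did not match the expected hostname" event in the thread.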
  •  

    Jeff,

     

    Thanks for the help.  I'm using split-DNS.  I've now got everything working.  It was a simple naming discrepancy in DNS.  I guess sometimes it just helps to think out loud around other people in order to find the solution.

    Wednesday, June 4, 2008 1:46 PM