User accounts from one domain do not work, though user accounts from another domain do work.


  • We are not able to use accounts from one of the 2 domains in our forest. We have a single forest with multiple trees and disjoint DNS namespaces; this is a supported forest structure.

    • domain1.TheU.edu contains an install of OCS 2007 Enterprise (not R2) and user accounts.
    • domain2.TheU.edu is in a separate tree and disjoint DNS namespace and contains an install of OCS 2007 R2 Standard Edition and user accounts.


      User accounts from domain1 work in BOTH OCS installs. User accounts in domain2 do NOT work in either domain/OCS install. No domain2 account has worked.

      Front End Server Validation tests work fine for both domains (assuming you use domain1 user accounts). When using domain2 user accounts, the result is:

      Attempting to login user using Kerberos

      Maximum hops: 2
      Successfully established security association with the server: User tbruce Domain domain2 Protocol Kerberos Target sip/ocsServer.domain2.TheU.edu
      Failed to register user: User sip:EMAIL REMOVED @ Server ocsServer.domain2.wsu.edu
      Failed registration response: [
      SIP/2.0 404 Not Found
      FROM: <sip:EMAIL REMOVED>;epid=epid10;tag=12bcd712a9
      TO: <sip:EMAIL REMOVED>;tag=1A9F5070FA929DCB4F7938D3F04E95B4
      CSEQ: 7 REGISTER
      CALL-ID: 1d33cdf2800d4861b8aa5cfa963a2021
      VIA: SIP/2.0/TLS 134.121.131.8:53885;branch=z9hG4bK4e296252;ms-received-port=53885;ms-received-cid=B0000
      CONTENT-LENGTH: 0
      AUTHENTICATION-INFO: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFF18C43A7A81CCBFFE0CDEDC32F74DA6B5", srand="0837C63A", snum="1", opaque="885527A2", qop="auth", targetname="sip/ocsServer.domain2.TheU.edu", realm="SIP Communications Service"
      ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="ocsServer.domain2.TheU.edu"

      ]

      Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
      Suggested Resolution: If authentication failed, then make sure the user is SIP-enabled and is homed properly.

      Failure
      [0xC3FC200D] One or more errors were detected

      Using ocslogger while enabling a domain2 account produces various errors, such as:

      • SIP/2.0 404 Not Found

      • ms-diagnostics: 1003;reason="User does not exist";source="ocsServer.domain2.TheU.edu";TargetUri="TheU.edu"

      • TL_WARN(TF_DIAG) [15]2374.1B24::10/07/2009-22:31:36.326.00000173 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(142))$$begin_record
      LogType: diagnostic
      Severity: warning
      Text: Non-trusted source sent an FQDN/IP that doesn't match a routing table rule
      Result-Code: 0xc3e93c5e SIPPROXY_E_ROUTING
      SIP-Start-Line: REGISTER sip:TheU.edu SIP/2.0
      SIP-Call-ID: b6b56d7c5ac64f82a4d6683f7a77df9d
      SIP-CSeq: 1 REGISTER
      Data: user="TheU.edu"
      $$end_record

      Intervening factors include a previous failed install of OCS 2007 R2 in domain2; we've done everything we can to clear the old bad install, including forced deactivation in both domains and the forest.

      Also set domain user account permissions on the OU containing domain2 user accounts: LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:"OU=People" /objectType:user

      Also set computer permissions on the domain2 OU containing computer accounts: LcsCmd.exe /domain:domain2.TheU.edu /action:CreateLcsOuPermissions /ou:"OU=CVM Computers" /objectType:computer

      Desperate for HELP! Thanks,

       Bruce


      The symptoms are: accounts from either domain can be enabled, and the accounts show up in the 'Users' folder of whichever OCS server they were enabled for. HOWEVER, users in domain2 cannot log on, user accounts from domain2 do NOT show up in the database (using the OCS management GUI "Per-User Reports"), and event logs all indicate that the users are not in the database.

      Schema, forest, and both domains have been prepped and verified. There are 3 SIP domains: TheU.edu, domain1.TheU.edu and domain2.TheU.edu.
    • Changed type bheimbigner Thursday, October 8, 2009 8:57 PM
    Thursday, October 8, 2009 6:08 PM
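Added example, not part of Bruce's post and not an OCS or Microsoft tool: a small Python triage script for the two artefacts quoted above, the SIP 404 carrying an ms-diagnostics header and the ocslogger $$begin_record/$$end_record trace. It pulls out the status, the CSeq method, the diagnostic code and its parameters (in particular the `source=` server that generated the error, which is the server the "Suggested Resolution" text tells you to locate via the hop count), parses the REGISTER Request-URI domain from the trace and checks it against the three SIP domains the post names, and maps the two codes seen on this page (1003 and 4005) to the validation tool's own suggested resolutions. The sample messages are constructed from the post, trimmed, with the user's address replaced by a placeholder; the `HINTS` wording is a paraphrase of the tool output, not an OCS reference table.

```python
"""Added example (not from the original post): triage OCS SIP failure diagnostics."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three SIP domains named in the post, compared case-insensitively.
SIP_DOMAINS = {"theu.edu", "domain1.theu.edu", "domain2.theu.edu"}

# Constructed sample: the 404 REGISTER response from the post, trimmed, address replaced.
SAMPLE_404 = """SIP/2.0 404 Not Found
FROM: <sip:user@domain2.TheU.edu>;epid=epid10;tag=12bcd712a9
CSEQ: 7 REGISTER
VIA: SIP/2.0/TLS 134.121.131.8:53885;branch=z9hG4bK4e296252;ms-received-port=53885;ms-received-cid=B0000
ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="ocsServer.domain2.TheU.edu"
"""

# Constructed sample: the 404 ocslogger showed while enabling a domain2 account.
SAMPLE_1003 = """SIP/2.0 404 Not Found
CSEQ: 1 REGISTER
ms-diagnostics: 1003;reason="User does not exist";source="ocsServer.domain2.TheU.edu";TargetUri="TheU.edu"
"""

# Constructed sample: the ocslogger diagnostic record from the post, trimmed.
SAMPLE_TRACE = """TL_WARN(TF_DIAG) [15]2374.1B24::10/07/2009-22:31:36.326.00000173 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(142))$$begin_record
Text: Non-trusted source sent an FQDN/IP that doesn't match a routing table rule
Result-Code: 0xc3e93c5e SIPPROXY_E_ROUTING
SIP-Start-Line: REGISTER sip:TheU.edu SIP/2.0
SIP-CSeq: 1 REGISTER
Data: user="TheU.edu"
$$end_record"""

# Paraphrased from the validation tool's "Suggested Resolution" lines quoted in the post.
HINTS = {
    1003: "user unknown to the responding server: confirm it is SIP-enabled and homed "
          "there and that its attributes have replicated",
    4005: "destination URI not SIP-enabled or unknown: check the trust between target and "
          "home server, the Edge internal supported domain list, then run dbanalyze",
}

_STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
_REQUEST_RE = re.compile(r"^(\w+) sip:(?:[^@\s]+@)?([^\s;]+) SIP/2\.0$")
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

@dataclass
class SipDiag:
    status: int
    status_text: str
    cseq_method: str
    diag_code: Optional[int] = None
    diag_params: Dict[str, str] = field(default_factory=dict)
    hint: str = ""

def _split_headers(lines, lower=True) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict (SIP header names are case-insensitive)."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip()
            headers[key.lower() if lower else key] = value.strip()
    return headers

def parse_sip_response(text: str) -> SipDiag:
    """Parse a SIP response and pull the ms-diagnostics code, parameters and a hint."""
    lines = text.strip().splitlines()
    m = _STATUS_RE.match(lines[0].strip())
    if not m:
        raise ValueError(f"not a SIP response start line: {lines[0]!r}")
    headers = _split_headers(lines[1:])
    cseq = headers.get("cseq", "").split()
    diag = SipDiag(int(m.group(1)), m.group(2), cseq[-1] if cseq else "")
    raw = headers.get("ms-diagnostics")
    if raw:
        code, _, params = raw.partition(";")      # "4005;reason=...;source=..."
        diag.diag_code = int(code.strip())
        diag.diag_params = dict(_PARAM_RE.findall(params))
        diag.hint = HINTS.get(diag.diag_code, "code not covered by this example")
    return diag

def parse_trace_record(text: str) -> Dict[str, str]:
    """Extract the Key: value fields between $$begin_record and $$end_record."""
    body = text.split("$$begin_record", 1)[1].split("$$end_record", 1)[0]
    return _split_headers(body.strip().splitlines(), lower=False)

def check_register_target(start_line: str, sip_domains=SIP_DOMAINS) -> Tuple[str, str, bool]:
    """Return (method, Request-URI domain, whether that domain is a configured SIP domain)."""
    m = _REQUEST_RE.match(start_line.strip())
    if not m:
        raise ValueError(f"not a SIP request start line: {start_line!r}")
    domain = m.group(2).lower()
    return m.group(1), domain, domain in sip_domains

def summarize(diag: SipDiag) -> str:
    """One-line triage summary naming the server that generated the error (source=)."""
    src = diag.diag_params.get("source", "unknown source")
    return f"{diag.cseq_method} -> {diag.status} {diag.status_text} from {src}; " \
           f"ms-diagnostics {diag.diag_code}: {diag.hint}"

if __name__ == "__main__":
    for sample in (SAMPLE_404, SAMPLE_1003):
        print(summarize(parse_sip_response(sample)))
    rec = parse_trace_record(SAMPLE_TRACE)
    print(rec["Result-Code"], check_register_target(rec["SIP-Start-Line"]))
```

Run it on a validation-tool dump or an ocslogger capture by pasting the response into `parse_sip_response`; the `source=` field is the fastest way to tell which server produced the 404 when several hops are involved, and the `TargetUri`/Request-URI domain is what to compare against the forest-level supported SIP domain list before looking at user homing.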