OCS 2007 R2 Validation Error

  • Question

  • I have recently installed OCS 2007 R2 into a domain that had no OCS/LCS installations previously. All appears to work correctly, as users can log in on TCP and TLS and chat with each other, but when I run a validation test on the front end server I receive errors regarding NTLM authentication as well as a failure to initiate a SIP conversation between the two users. The NTLM validation error is below:


    ------------------------------------------------------------------------------------------------
    Attempting to login user using NTLM

    Maximum hops: 2
    Successfully established security association with the server: User test.user01 Domain TESTDOMAIN Protocol NTLM Target OCSCORE.TESTDOMAIN.local
    Failed to register user: User sip:test.user01@testdomain.com @ Server sip.testdomain.com
    Failed registration response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:test.user01@testdomain.com>;epid=epid01;tag=4fb9c22dc6
    TO: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
    CSEQ: 5 REGISTER
    CALL-ID: 8281e87f01cf41b291d857db88e46c25
    VIA: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bKea8cc4ff;ms-received-port=60264;ms-received-cid=1300
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000074612E74F7C03ECE2271D8ED", srand="A78D4697", snum="1", opaque="349BD43A", qop="auth", targetname="OCSCORE.TESTDOMAIN.local", realm="SIP Communications Service"
    ms-diagnostics: 1022;reason="Cannot process routing destination";source="OCSCORE.TESTDOMAIN.local";Destination="sip:testdomain.com:5061;maddr=sip.testdomain.com;transport=Tls"

    ]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
    Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.


    Failure [0xC3FC200D] One or more errors were detected 

    ------------------------------------------------------------------------------------------------



    I have also run a debug session tracing the S4 and SIPSTACK protocols and it is showing a lot of SIP/2.0 401 Unauthorized errors when trying to register to the OCS server, although there is no issue when using OC2007 on a workstation.

    ------------------------------------------------------------------------------------------------
    TL_INFO(TF_PROTOCOL) [2]107C.09D4::06/17/2009-01:30:45.689.000001b1 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
    Instance-Id: 00000123
    Direction: outgoing;source="local"
    Peer: 10.10.30.112:60264
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:test.user01@testdomain.com>;epid=epid00;tag=b8cabe222b
    To: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
    CSeq: 1 REGISTER
    Call-ID: d971b296c4654aa7a36ba12974e1cb20
    Date: Wed, 17 Jun 2009 01:30:45 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="OCSCORE.testdomain.local", version=4
    WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/OCSCORE.testdomain.local", version=4
    Via: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bK5f5668b2;ms-received-port=60264;ms-received-cid=1300
    Content-Length: 0
    Message-Body: –
    $$end_record
    ------------------------------------------------------------------------------------------------

    Any ideas or help is greatly appreciated.

    Regards,

    Shayne

    Wednesday, June 17, 2009 5:28 AM

All replies


  • Hi Shayne,

    I ran into the same problem. Did you find a solution?

    Best regards

    Herbert
    Monday, August 10, 2009 2:04 PM
  • Hi hkillerm,

    Unfortunately no, and as it did not appear to affect the functionality of OCS 2007, I ceased troubleshooting it. I had read some posts from people saying that having the test user accounts logged in via an actual OCS client while you do the test had helped them, but it didn't assist me at all. Maybe give it a try, though, seeing as it is simple.

    Sorry I can't be of much help.
    Regards,

    Shayne
    Wednesday, August 12, 2009 3:18 AM