I have recently implemented installed OCS 2007 R2 into a domain that had no OCS/LCS installations previously. All appears to work correct as users can log in on TCP and TLS and chat with each other ubt when I run a validation test on the front end server I receive errors regarding NTLM authentication as well as a failure to initiate a SIP conversation between the two users. The NTLM validation error is below:
------------------------------------------------------------------------------------------------
Attempting to login user using NTLM
Maximum hops: 2
Successfully established security association with the server: User test.user01 Domain TESTDOMAIN Protocol NTLM Target OCSCORE.TESTDOMAIN.local
Failed to register user: User sip:test.user01@testdomain.com @ Server sip.testdomain.com
Failed registration response: [
SIP/2.0 504 Server time-out
FROM: <sip:test.user01@testdomain.com>;epid=epid01;tag=4fb9c22dc6
TO: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
CSEQ: 5 REGISTER
CALL-ID: 8281e87f01cf41b291d857db88e46c25
VIA: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bKea8cc4ff;ms-received-port=60264;ms-received-cid=1300
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000074612E74F7C03ECE2271D8ED", srand="A78D4697", snum="1", opaque="349BD43A", qop="auth", targetname="OCSCORE.TESTDOMAIN.local", realm="SIP Communications Service"
ms-diagnostics: 1022;reason="Cannot process routing destination";source="OCSCORE.TESTDOMAIN.local";Destination="sip:testdomain.com:5061;maddr=sip.testdomain.com;transport=Tls"
]
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
Failure [0xC3FC200D] One or more errors were detected
------------------------------------------------------------------------------------------------
I have also run a debug session tracing the S4 and SIPSTACK protocols and it is showing alot of SIP/2.0 401 Unauthorized errors when trying to register to the OCS server, although there is no issue when using OC2007 on a workstation.
------------------------------------------------------------------------------------------------
TL_INFO(TF_PROTOCOL) [2]107C.09D4::06/17/2009-01:30:45.689.000001b1 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
Instance-Id: 00000123
Direction: outgoing;source="local"
Peer: 10.10.30.112:60264
Message-Type: response
Start-Line: SIP/2.0 401 Unauthorized
From: <sip:test.user01@testdomain.com>;epid=epid00;tag=b8cabe222b
To: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
CSeq: 1 REGISTER
Call-ID: d971b296c4654aa7a36ba12974e1cb20
Date: Wed, 17 Jun 2009 01:30:45 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="OCSCORE.testdomain.local", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/OCSCORE.testdomain.local", version=4
Via: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bK5f5668b2;ms-received-port=60264;ms-received-cid=1300
Content-Length: 0
Message-Body: –
$$end_record
------------------------------------------------------------------------------------------------
Any ideas or help is greatly appreciated.
Regards,
Shayne
