OCS 2007 R2 Validation Error

Question
I have recently installed OCS 2007 R2 into a domain that had no OCS/LCS installations previously. All appears to work correctly, as users can log in on TCP and TLS and chat with each other, but when I run a validation test on the front end server I receive errors regarding NTLM authentication as well as a failure to initiate a SIP conversation between the two users. The NTLM validation error is below:
------------------------------------------------------------------------------------------------
Attempting to login user using NTLM
Maximum hops: 2
Successfully established security association with the server: User test.user01 Domain TESTDOMAIN Protocol NTLM Target OCSCORE.TESTDOMAIN.local
Failed to register user: User sip:test.user01@testdomain.com @ Server sip.testdomain.com
Failed registration response: [
SIP/2.0 504 Server time-out
FROM: <sip:test.user01@testdomain.com>;epid=epid01;tag=4fb9c22dc6
TO: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
CSEQ: 5 REGISTER
CALL-ID: 8281e87f01cf41b291d857db88e46c25
VIA: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bKea8cc4ff;ms-received-port=60264;ms-received-cid=1300
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="0100000074612E74F7C03ECE2271D8ED", srand="A78D4697", snum="1", opaque="349BD43A", qop="auth", targetname="OCSCORE.TESTDOMAIN.local", realm="SIP Communications Service"
ms-diagnostics: 1022;reason="Cannot process routing destination";source="OCSCORE.TESTDOMAIN.local";Destination="sip:testdomain.com:5061;maddr=sip.testdomain.com;transport=Tls"]
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
Suggested Resolution: Check connectivity between servers. If this is an Edge Server, ensure that it is present in the forest-level Edge Server table.
Failure [0xC3FC200D] One or more errors were detected
------------------------------------------------------------------------------------------------
I have also run a debug session tracing the S4 and SIPSTACK protocols, and it is showing a lot of SIP/2.0 401 Unauthorized errors when trying to register to the OCS server, although there is no issue when using OC2007 on a workstation.
------------------------------------------------------------------------------------------------
TL_INFO(TF_PROTOCOL) [2]107C.09D4::06/17/2009-01:30:45.689.000001b1 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
Instance-Id: 00000123
Direction: outgoing;source="local"
Peer: 10.10.30.112:60264
Message-Type: response
Start-Line: SIP/2.0 401 Unauthorized
From: <sip:test.user01@testdomain.com>;epid=epid00;tag=b8cabe222b
To: <sip:test.user01@testdomain.com>;tag=C03D14CC979BFDA84455A6AEEA3D1149
CSeq: 1 REGISTER
Call-ID: d971b296c4654aa7a36ba12974e1cb20
Date: Wed, 17 Jun 2009 01:30:45 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="OCSCORE.testdomain.local", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/OCSCORE.testdomain.local", version=4
Via: SIP/2.0/TLS 10.10.30.112:60264;branch=z9hG4bK5f5668b2;ms-received-port=60264;ms-received-cid=1300
Content-Length: 0
Message-Body: –
$$end_record
------------------------------------------------------------------------------------------------
Any ideas or help is greatly appreciated.
Regards,
Shayne
Wednesday, June 17, 2009 5:28 AM
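The two responses quoted in the question can be told apart mechanically: one is a 401 that lists authentication schemes, the other a 504 that carries `Authentication-Info` and an `ms-diagnostics` header. The following is an added example, not part of the original thread or of any OCS tooling; the function names and the `failed-after-auth` label are assumptions made here, and the sample input is abridged from the traces above.

```python
import re

# Two responses from the post's traces, reduced to the headers that matter here.
SAMPLE = '''SIP/2.0 401 Unauthorized
CSeq: 1 REGISTER
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="OCSCORE.testdomain.local", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/OCSCORE.testdomain.local", version=4

SIP/2.0 504 Server time-out
CSEQ: 5 REGISTER
AUTHENTICATION-INFO: NTLM rspauth="0100000074612E74F7C03ECE2271D8ED", srand="A78D4697", snum="1", opaque="349BD43A", qop="auth", targetname="OCSCORE.TESTDOMAIN.local", realm="SIP Communications Service"
ms-diagnostics: 1022;reason="Cannot process routing destination";source="OCSCORE.TESTDOMAIN.local";Destination="sip:testdomain.com:5061;maddr=sip.testdomain.com;transport=Tls"
'''

PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^;,\s]+))')

def parse_responses(text):
    """Split a trace into SIP responses with case-folded header names."""
    responses = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = re.match(r'SIP/2\.0 (\d{3}) (.*)', lines[0])
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(':')
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        responses.append({'status': int(m.group(1)), 'headers': headers})
    return responses

def triage(resp):
    """Label one response and pull out the ms-diagnostics fields."""
    h, status = resp['headers'], resp['status']
    offered = [v.split()[0] for v in h.get('www-authenticate', [])]
    diag = None
    if 'ms-diagnostics' in h:
        code, _, rest = h['ms-diagnostics'][0].partition(';')
        diag = {'id': int(code)}
        diag.update((k.lower(), q or u) for k, q, u in PARAM.findall(rest))
    if status == 401 and offered:
        kind = 'auth-challenge'      # RFC 3261 challenge listing the offered schemes
    elif status >= 400 and 'authentication-info' in h:
        kind = 'failed-after-auth'   # assumption: header is only sent once the SA exists
    else:
        kind = 'other'
    return {'status': status, 'kind': kind, 'offered': offered, 'diag': diag}

RESULTS = [triage(r) for r in parse_responses(SAMPLE)]
```

On the sample, the 401 is labelled as a challenge offering NTLM and Kerberos, while the 504 yields diagnostic 1022 together with the routing destination the server reported it could not process.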
All replies
Hi Shayne,
I ran into the same problem. Did you find a solution?
Best regards
Herbert
Monday, August 10, 2009 2:04 PM
Hi hkillerm,
Unfortunately no, and as it did not appear to affect the functionality of OCS 2007 I ceased troubleshooting it. I had read some posts from people saying that having the test user accounts logged in via an actual OCS client while you do the test had helped them, but it didn't assist me at all. Maybe give it a try though, seeing as it is simple.
Sorry I can't be of much help.
Regards,
Shayne
Wednesday, August 12, 2009 3:18 AM