locked
Communicator WEB Access authentication fails RRS feed

  • Question


  • We're getting the error

    " The session was ended. Communicator WE Access cannot logon to the OCS. If this problem persists contact your systems administrator. Error Code 2401."

    We made our CWA installation on a dedicated machine which is a domain member and fullfills all the requirements for the cwa installation. OCS 2007 runs fine in a standard edition deployment.
    We got our two needed certificates from our enterprise CA based on the WEB Server templates (duplicates) and did the whole installation without any errors. Subject Name in our certificates is the FQDN of the Communicator Web Access machine.
    The Web Site is existent, is ssl-secured and the first logon using our sip name is absolutely successful. OC WEB based starts and now our problems are raising. Logon using our domain\username fails for every communication-enabled account with the shown messsage after a short timeout. We have just created one virtual Web Server with internal access over port 443 and are using Built-In authentication.
    Does anybody has an idea how we can troubleshoot this error? The event-logs don't show any errors or needful information. It may be a problem with MTLS or with the authentication module (IIS?).
    We're just talking about internal access to the cwa in the same ip subnet. Is there a possibility to troubleshoot this behaviour?

     


    Thanks in advance to all;-)


     

    Tuesday, May 22, 2007 9:52 AM

Answers

  • Hello,

    Sorry for the late response. It sounds like you may be having an issue with MTLS between the CWA Server and the OCS 2007 Access server. Please read the following excerpt and make sure that you followd it closely.


    . The MTLS certificate that was assigned to the CWA sever during the activation phase of the setup will provide MTLS communication between the CWA installation and the OCS 2007 pool or server. Make sure that this certificate was issued by the same Certificate Authority that issued the MTLS certificate to the OCS 2003 FE server or pool and that it is configured correctly with a Web Server template along with the Subject Name that matched the FQDN of the OCS CWA 2007 server. Also, make sure that the “Trusted Root Certification Authorities” certificate that is on the OCS 2007 FE server or pool is also installed in the OCS 2007 CWA server’s “Trusted Root Certification Authorities” store. This certificate information can be located in the local computer’s certificates snap in.

    On your CWA 2007 sever you may be generating an Event in the system's Event viewer that corelates with this issue. If so then please open it and use the Copy button to put the whole Event ID and description into a text file. Also check the OCS 2007 server for these type of events. Please use the following link to download the Microsoft MPSReports / MPSRPT_Network.exe and use the utility on the CWA 2007 server. Attach the output cabinet file / logs to ths post and I will look over them.

    To MPSReports download

    <_http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&DisplayLang=en>


    Thanks,

    MIke Adkins

    Thursday, June 28, 2007 4:28 PM

All replies

  • You can run the validation wizard and then post the results here.
    Tuesday, May 22, 2007 5:07 PM
  • Hi Thom,

     

    which validation wizard do i have to run? The validation wizard for the Front End Services ended without any errors...

    Tuesday, May 22, 2007 8:10 PM
  • I have been trying to find more info about this and will keep looking.
    Can you give me an update on your configuration? Are you still having htis problem? Has there been any changes?
    If you do not have this problem anymore, can you share your resolution with the forums?
    Thanks.
    Wednesday, June 13, 2007 8:41 PM
  • Please turn on WPP tracing, and review/send the logs so the root of the issue can be determined. 

     

    You can find ocslogger.exe on the CWA server at: 

    %programfiles%\Office Communications Server 2007\Tracing
     
    Select the components:
    • CWAServer
    • CWAAuth
    Select the appropriate level (when in doubt select all)
    Select All Flags for both components
    By default, the WPP trace files will be found under %systemroot%\tracing directory
     
    Friday, June 15, 2007 12:55 AM
  • Hi Kmitt,

    Can you let us know your status? Were you able to turn on tracing as suggested? Can you post the results?

    Wednesday, June 27, 2007 8:36 PM
  • Hello,

    Sorry for the late response. It sounds like you may be having an issue with MTLS between the CWA Server and the OCS 2007 Access server. Please read the following excerpt and make sure that you followd it closely.


    . The MTLS certificate that was assigned to the CWA sever during the activation phase of the setup will provide MTLS communication between the CWA installation and the OCS 2007 pool or server. Make sure that this certificate was issued by the same Certificate Authority that issued the MTLS certificate to the OCS 2003 FE server or pool and that it is configured correctly with a Web Server template along with the Subject Name that matched the FQDN of the OCS CWA 2007 server. Also, make sure that the “Trusted Root Certification Authorities” certificate that is on the OCS 2007 FE server or pool is also installed in the OCS 2007 CWA server’s “Trusted Root Certification Authorities” store. This certificate information can be located in the local computer’s certificates snap in.

    On your CWA 2007 sever you may be generating an Event in the system's Event viewer that corelates with this issue. If so then please open it and use the Copy button to put the whole Event ID and description into a text file. Also check the OCS 2007 server for these type of events. Please use the following link to download the Microsoft MPSReports / MPSRPT_Network.exe and use the utility on the CWA 2007 server. Attach the output cabinet file / logs to ths post and I will look over them.

    To MPSReports download

    <_http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&DisplayLang=en>


    Thanks,

    MIke Adkins

    Thursday, June 28, 2007 4:28 PM