OCS Validation failed

  • Question

  • Finally I got basic features of OCS running. My Domain controller and DNS are running on server 10.10.0.1 and OCS2007 is running on 10.10.0.101. I can start Communicator on both machines and two users can sign-in correspondingly and see each other.

    But when I run the "Validate your server configuration" wizard (from the OCS deployment tool), I got the following errors. Can anyone help me to analyze it?

    I guess the main error is TLS test failed on 10.10.0.1. Do I need to create a SIP listening port on this machine?

    Action / Action Information / Execution Result

    Checking all trusted servers
    Failure
    [0xC3FC200D] One or more errors were detected

    Internal Server sglabwinsrv1.SGADCLab.local
    DNS Resolution succeeded: 10.10.0.1
    TLS connect failed: 10.10.0.1:5061 Error Code: 0x274d No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Suggested Resolution: Ensure that the DNS records have been setup correctly. If this server is an Access Edge Server, make sure outside user access is enabled.
    Failure
    [0xC3FC200D] One or more errors were detected

    Internal Server sglabwinsrv2.SGADCLab.local
    DNS Resolution succeeded: 10.10.0.101
    TLS connect succeeded: 10.10.0.101:5061
    Routing trust check and MTLS connectivity: Succeeded
    Success

    Attempting to send a CCCP HTTP request https://sglabwinsrv2.SGADCLab.local:444/LiveServer/Focus
    Received a successful HTTP response: HTTP Response: 200
    Content-Length:0
    Date:Wed, 11 Apr 2007 08:39:26 GMT
    Server:Microsoft-HTTPAPI/1.0
    Received a successful HTTP response: OK
    Success

    Check user logon
    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using Kerberos
    Maximum hops: 2
    Failed to register user: User sip:xiaofanz@sgadclab.local @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM
    Maximum hops: 2
    Failed to register user: User sip:xiaofanz@sgadclab.local @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using Kerberos
    Maximum hops: 2
    Failed to register user: User sip:bowenz@sgadclab.local @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM
    Maximum hops: 2
    Failed to register user: User sip:bowenz@sgadclab.local @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Check two-party IM
    Check two-party IM: Skipped due to user registration failure
    Failure
    [0xC3FC200D] One or more errors were detected

    Test Conference
    Error: Conference servers or pools are not specified. Please disable client auto-logon and specify valid conference servers or pools for both users.
    Failure
    [0xC3FC200D] One or more errors were detected

    Wednesday, April 11, 2007 9:05 AM

Answers

  • We have got external IM and AV running with the one certificate with Subject Name: sip.contoso.com and Subject Alternative Names im..contoso.com, av..contoso.com, live.contoso.com, and livehelp.contoso.com

    However we still probably won't have our ISA reverse proxy running for at least another day or two, so will wait to see if we can use the one cert for this too.

    Tuesday, June 5, 2007 10:48 PM

All replies

  • Hi,

    Can you let us know the status of your issue? Did you find a solution? If so, can you post it for the rest of the forum to see? If you still have the issue please let us know ASAP.

    Monday, May 7, 2007 9:17 PM
  • I'm getting the same Check two-party IM error, and am having problems with certificates / accessing OCS externally.

    Wondering if the cause of this could be causing some of these problems?

    Cheers

    Wednesday, May 16, 2007 11:42 PM
  • Hi NorthTec,

    Can you tell us what problems you are having with certificates and with accessing OCS externally? Can you post any of your errors or logs?

    Thursday, May 17, 2007 10:59 PM
  • We are still getting an NTLM error, but we've done quite a few changes over last few days and the 2 party IM error has changed / gone

    We are trying to use one purchased publicly trusted certificate for sip, live, av, livehelp, and im...

    We have got our ISA server in DMZ acting as a reverse proxy and looking into whether problem might be our firewall config...

    Thanks for the reply Thom

    Friday, May 18, 2007 12:29 AM
  • Hi NorthTec,

    How did your reconfiguration with the new certificates go? Did you run the validation wizard?

    Thursday, May 24, 2007 7:28 PM
  • Please let us know the status of your issue. If you have found a resolution, would you be able to share it with the forums? If not, please let us know of any changes to your environment or status. Thanks.

    Tuesday, June 5, 2007 5:32 PM
  • I am glad to hear you got it working. Please start a new thread if you have any other issues.
    Thursday, June 7, 2007 5:32 PM
  • Hi;

    I am facing the same issue. Can somebody help me out? Do I need two different certificates for the internal interface & external interface of the edge server?

    The error follows here.

    ---------------------------------------------------------------------------------


    Found External Edge listening address : 192.168.116.166:5061:TLS - Enabled
    Found External Edge listening address : 192.168.116.166:5061:TLS - Enabled
    Found External Edge listening address : 192.168.116.166:443:TLS - Enabled
    Found External Edge listening address : 192.168.116.166:444:TLS - Enabled
    Failure
    [0xC3FC200D] One or more errors were detected
    ----------------------------------------------------------------------------------------


    WMI Class MSFT_SIPDataProxySetting WMI Class Path: \\LCSCLUSTER2-VM1\root\cimv2:MSFT_SIPDataProxySetting
    WMI Instance Path: \\LCSCLUSTER2-VM1\root\cimv2:MSFT_SIPDataProxySetting.InstanceID="{BB793574-5798-4288-8E3F-A02D0F6888E9}"
    InstanceID (String): {BB793574-5798-4288-8E3F-A02D0F6888E9}
    TLSCertIssuer (UInt8): 48 74 49 19 48 17 06 10 09 146 38 137 147 242 44 100 01 25 22 03 99 111 109 49 26 48 24 06 10 09 146 38 137 147 242 44 100 01 25 22 10 99 101 114 116 100 111 109 97 105 110 49 23 48 21 06 03 85 04 03 19 14 113 97 45 112 121 116 104 111 110 45 119 50 107 51
    TLSCertSN (UInt8): 188 01 00 00 00 00 67 178 203 18
    -------------------------------------------------------------------------

    Check user logon Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM Maximum hops: 2
    Failed to register user: User sip:asit@ocsfed1.com @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM Maximum hops: 2
    Failed to register user: User sip:roopa@ocsfed1.com @ Server
    Failed to send SIP request: No connection could be made because the target machine actively refused it
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

    Check two-party IM Check two-party IM: Skipped due to user registration failure
    Failure
    [0xC3FC200D] One or more errors were detected

    --------------------------------------------------------------------------------------------------------------------------------------

    Thanks;

    Ast

    Thursday, July 12, 2007 3:04 PM
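The TLSCertIssuer value in the WMI output above is a DER-encoded X.500 name printed as decimal bytes, so decoding it shows which CA issued the certificate the Edge server is configured to use. The following is an added example, not part of the original post; the function names are hypothetical.

```python
# Added example: decode the TLSCertIssuer UInt8 list copied from the WMI dump above.
TLS_CERT_ISSUER = (
    "48 74 49 19 48 17 06 10 09 146 38 137 147 242 44 100 01 25 22 03 99 111 109 "
    "49 26 48 24 06 10 09 146 38 137 147 242 44 100 01 25 22 10 99 101 114 116 100 "
    "111 109 97 105 110 49 23 48 21 06 03 85 04 03 19 14 113 97 45 112 121 116 104 "
    "111 110 45 119 50 107 51"
)
# Short names for common attribute OIDs; anything else is shown as a dotted OID.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
              "0.9.2342.19200300.100.1.25": "DC"}
STRING_CODECS = {0x0C: "utf-8", 0x1E: "utf-16-be"}  # other string tags: single-byte

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_name(decimal_bytes):
    """Return [(attribute, value), ...] in the order stored in the name."""
    buf = bytes(int(tok) for tok in decimal_bytes.split())
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected one DER SEQUENCE covering the whole value")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)             # each RDN is a SET
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)      # SEQUENCE { type, value }
            _, oid, after_oid = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, after_oid)
            dotted = decode_oid(oid)
            attrs.append((ATTR_NAMES.get(dotted, dotted),
                          val.decode(STRING_CODECS.get(vtag, "latin-1"))))
    return attrs

def issuer_string(decimal_bytes):
    return ", ".join(f"{k}={v}" for k, v in decode_name(decimal_bytes))
```

For the bytes in the post, issuer_string(TLS_CERT_ISSUER) returns DC=com, DC=certdomain, CN=qa-python-w2k3.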
  • Hi

    I'm getting exactly the same problem from the "Check user logon" section, has anyone got any ideas?

    I have:
                1 forest
                1 root domain containing 1 x OCS standard server,
                2 child domains (they have been prep'd)
                2 users in child domain that have been enabled
                DNS has the correct A and SRV records
                OCS server and other clients can resolve the SRV records
                OCS server has a valid cert from our internal CA (no external access required yet)
                IIS setup and working on the OCS (with cert for SSL)
                AD "seems" to be ok

    As I would expect, the same 2 users can't logon via Communicator 2007

    Any clues?

    Dave
    Thursday, July 12, 2007 7:59 PM
  • I have the same problem. Are im..contoso.com and av..contoso.com the actual alternative names, where contoso.com is an example of your domain, or is there something else between the im and contoso.com (ex. im.example.contoso.com)?

    Thanks in advance

    Monday, March 24, 2008 1:39 PM
  • Appears to be a Service Principal Name issue. I have a post on my blog that pertains to the validation error.

    OCS 2007 - Authentication Issues [0xC2FC200D]

    Tuesday, March 25, 2008 8:37 PM
  • My Service Principal Name is correct. I went through the steps on your blog. Anybody else have any advice on this?
    Friday, March 28, 2008 2:41 PM
  • Aside from the Validation Wizard validation errors, are you having communication problems between clients both Internally and Externally? There are cases where the validation wizard will come up with errors, such as these; however communication works seamlessly. What actual communication problems are present?

    Have you already checked/modified the following:

    • What is "Authentication" set to on your front-end? NTLM, NTLM/Kerberos, ???
    • Are all your OCS servers in the Trusted Server list?
    • Does the Edge Internal Interface FQDN match the certificate subject name? Can both Edge Server and Internal Servers resolve the subject Names to an FQDN to validate the other server's certificate?
    Friday, March 28, 2008 4:15 PM