Identity property of EndpointAddress?

  • Question

  • I'm getting this error on my new R2 pool. This is a parallel R1 to R2 migration. I've started to move users and everything is working as expected. Has anyone seen this before? Is this anything to be concerned about?

    Log Name:      Office Communications Server
    Source:        OCS Response Group Service
    Date:          3/4/2009 12:13:36 PM
    Event ID:      31193
    Task Category: (2001)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ROCOCS1.contoso.com
    Description:
    The provided certificate is not valid.

    There was a problem validating certificate: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'OCSPOOL2007R2.contoso.com' but the remote endpoint provided DNS claim 'ROCOCS1.contoso.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'ROCOCS1.contoso.com' as the Identity property of EndpointAddress when creating channel proxy.

    Jamie Schwinn
    www.systmsny.net

    Wednesday, March 4, 2009 7:13 PM

All replies

  • Jamie Schwinn said:

    I'm getting this error on my new R2 pool. This is a parallel R1 to R2 migration. I've started to move users and everything is working as expected. Has anyone seen this before? Is this anything to be concerned about?

    Log Name:      Office Communications Server
    Source:        OCS Response Group Service
    Date:          3/4/2009 12:13:36 PM
    Event ID:      31193
    Task Category: (2001)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ROCOCS1.contoso.com
    Description:
    The provided certificate is not valid.

    There was a problem validating certificate: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'OCSPOOL2007R2.contoso.com' but the remote endpoint provided DNS claim 'ROCOCS1.contoso.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'ROCOCS1.contoso.com' as the Identity property of EndpointAddress when creating channel proxy.

    Jamie Schwinn
    www.systmsny.net



    I am trying to find out how to delete my old pool. I guess something is trying to connect somewhere. I don't see it showing up in AD anymore and my new setup appears to be working. Any help??
    • Edited by Jwaggz82 Tuesday, March 24, 2009 1:51 PM add question
    Tuesday, March 24, 2009 1:48 PM
  • Jamie,

    Check the Release Notes for R2.  The problem is that in your SAN certificate for the frontend servers you need to make sure that the last DNS entry in the SAN list matches the certificate subject name, which should be your pool name.

    BTW, Comodo, who we have been using for certificates, can't seem to deal with this so I'm trying to find out which public CA can handle this quirky requirement.

    If you are using certificates signed by your Active Directory CA, then just make sure you spec the SAN list with the pool name last on the SAN list and it will generate the correct certificate.

    -tracy a. cerise
    university of kentucky
    Thursday, March 26, 2009 3:20 PM
  • Tracy,

    We just had a customer report the same problem, and sent us this thread as a proposed solution. We issued their certificate with the Subject Common Name positioned last in the Subject Alternative Names list, and they were happy to report that doing this resolved the issue. I'm sure this issue will be fixed soon in R2, but if you need a certificate to solve it right away, please feel free to contact me (you can call our 800 number and ask for me...)

    Best wishes,
    Paul Tiemann
    CTO, DigiCert Inc.
    Friday, March 27, 2009 6:16 PM
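
The condition the replies describe (the last DNS entry in the SAN list must match the certificate subject name, i.e. the pool name) can be checked before a certificate is deployed. This is an added example, not part of the original thread: it assumes the input is the text printed by `openssl x509 -noout -text`, and the two sample excerpts and the name `sip.contoso.com` are constructed.

```python
import re

# Constructed excerpts shaped like `openssl x509 -noout -text` output.
SAMPLE_BAD = """\
        Subject: C = US, O = Contoso, CN = OCSPOOL2007R2.contoso.com
            X509v3 Subject Alternative Name:
                DNS:OCSPOOL2007R2.contoso.com, DNS:sip.contoso.com, DNS:ROCOCS1.contoso.com
"""
SAMPLE_GOOD = """\
        Subject: C = US, O = Contoso, CN = OCSPOOL2007R2.contoso.com
            X509v3 Subject Alternative Name:
                DNS:ROCOCS1.contoso.com, DNS:sip.contoso.com, DNS:OCSPOOL2007R2.contoso.com
"""

def subject_cn(text):
    """Return the CN from the 'Subject:' line, or None if there is none."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    return m.group(1).strip() if m else None

def san_dns_names(text):
    """Return the SAN DNS entries in the order the certificate lists them."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[4:] for e in entries if e.startswith("DNS:")]
    return []

def check_san_order(text):
    """Return a list of problems; an empty list means the pool name is last."""
    cn, sans = subject_cn(text), san_dns_names(text)
    if cn is None:
        return ["no CN in subject"]
    if not sans:
        return ["no DNS entries in SAN"]
    lowered = [s.lower() for s in sans]  # DNS names compare case-insensitively
    if cn.lower() not in lowered:
        return [f"subject CN {cn} missing from SAN list"]
    if lowered[-1] != cn.lower():
        return [f"last SAN entry is {sans[-1]}, expected subject CN {cn}"]
    return []

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_san_order(sample) or "OK")
```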