"Problem verifying the certificate from the server" - Help Please

  • Question

  • I'm in the middle of migrating our infrastructure from LCS 2005 to OCS 2007.  All traffic is going through the new OCS Edge server.  We have 1 LCS 2005 standard server and 1 OCS 2007 (front-end) standard server.  I'm in the process of moving pilot users from the 2005 server to the 2007 server.  Everything works except one particular scenario.


    If I launch Communicator 2005 from a stand-alone system that is connected to the network via VPN and log in as a user that's been moved to the OCS 2007 pool, I get the following error:  "There was a problem verifying the certificate from the server.  Please contact your system administrator."  If I disconnect from the VPN and log in to Communicator directly over the internet, I'm able to connect without any issues.  Alternatively, if I move the user back to the 2005 pool, I'm able to log in to Communicator with a VPN connection.



    The event viewer just shows Event ID 36884:


    The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is ocsedge1.mydomain.com. The SSL connection request has failed. The attached data contains the server certificate.




    Is the issue that when I'm connected to the VPN, the client is attempting to bypass the edge server and authenticate directly with the front-end server?

    Tuesday, March 11, 2008 7:16 PM

All replies

  • You do bypass the EDGE Server when you connect through a VPN.

    Do you have your clients set to automatic login? Check DNS configuration.


    I would run a debug session on the OCS Pool and verify the log




    Tuesday, March 11, 2008 9:36 PM
  • Clients are configured for automatic login.


    Question: in my scenario, since I still have users on the LCS 2005 front-end server, at what point do I change the following setting on the Edge server?  Properties > Internal > Next hop network address.... Currently, it's pointing to the LCS server.  If I change it to point to the OCS FE server, will users on LCS break?


    Here are some of the details from the client log (from an OC 2007 client):


    03/11/2008|14:41:48.340 A3C:C44 ERROR :: SECURE_SOCKET: negotiation failed: 80090325
    03/11/2008|14:41:48.340 A3C:F30 ERROR :: ASYNC_SOCKET:SurprisenConnectError (0x80ee0065) - enter
    03/11/2008|14:41:48.340 A3C:F30 TRACE :: SIP_MSG_PROCESSOR:SurprisenRequestSocketConnectComplete - Enter this: 01CCFC68, callid=(null), ErrorCode: 0x80ee0065
    03/11/2008|14:41:48.340 A3C:F30 ERROR :: Releasing socket and notifying transactions
    03/11/2008|14:41:48.340 A3C:F30 ERROR :: SIP_MSG_PROCESSOR::NotifyRequestSocketConnectComplete - Error: 80ee0065
    03/11/2008|14:41:48.340 A3C:F30 ERROR :: OUTGOING_TRANSACTION:SurprisenRequestSocketConnectComplete - connection failed error 80ee0065

    Tuesday, March 11, 2008 10:00 PM
  • So you have actually two pools configured

    In my opinion you require a directory that is your first internal server to connect to which distributes the clients to the correct pools

    You should also forward requests from the EDGE to the director


    You clearly have certificate issues

    80090325 'The certificate chain was issued by an authority that is not trusted'

    80EE0065 server certificate SN does not match the server FQDN


    Your clients connect to the wrong server or a server with the wrong certificate



    Tuesday, March 11, 2008 11:12 PM
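
Added example (not part of the original thread): a small Python sketch of the name check that Event ID 36884 reports as failing, run against the names each server on the path might present. Only ocsedge1.mydomain.com comes from the thread; the front-end host name, the SAN lists and the rule that DNS SANs take precedence over the subject CN (the RFC 2818 convention) are assumptions.

```python
# Added example. Host names other than ocsedge1.mydomain.com are constructed.
EXPECTED = "ocsedge1.mydomain.com"  # name the client expects, from Event ID 36884

# Constructed certificates: label -> (subject CN, DNS SAN entries)
PRESENTED = {
    "edge server": ("ocsedge1.mydomain.com", []),
    "front-end server (hypothetical name)": (
        "ocsfe1.mydomain.com", ["ocsfe1.mydomain.com", "sip.mydomain.com"]),
}

def name_matches(pattern, host):
    """Compare one certificate name with the expected host, case-insensitively.
    A wildcard counts only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(expected, subject_cn, sans):
    """Assumed rule: if DNS SANs exist, only they are checked; CN is the fallback."""
    names = sans if sans else [subject_cn]
    return any(name_matches(n, expected) for n in names)

def check_paths(expected, presented):
    """Return {label: True/False} showing which server's certificate would
    satisfy the name the client expects."""
    return {label: cert_covers(expected, cn, sans)
            for label, (cn, sans) in presented.items()}

if __name__ == "__main__":
    for label, ok in check_paths(EXPECTED, PRESENTED).items():
        verdict = "name OK" if ok else "name mismatch (what Event 36884 reports)"
        print(f"{label}: {verdict}")
```

To use it on a real deployment, replace the constructed entries with the subject and SAN values read from each server's certificate and compare them with the name the client actually resolves over the VPN.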