locked
Connecting LCS 2005 and OCS 2007: Failure [0xC3FC200D] One or more errors were detected RRS feed

  • Question

  • Just tinkering with an OCS 2007 SE server, trying to get it to talk to our existing LCS 2005 SE server.  When running connectivity validation, it fails in places.  The text below is from the deployment log.  My account is on the LCS 2005 server, sclcs1 and Batman is on the OCS 2007 server, sclcs2.  Any suggestions would be appreciated!

     

    Global Federation Route: Failure [0xC3FC200D]


    DNS Resolution succeeded: 192.168.2.xxx
    TLS connect succeeded: 192.168.2.xxx:5061
    Routing trust check and MTLS connectivity: Received a failure SIP response
    Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP
    failure response. This usually indicates lack of routing trust between the remote
    server and the current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

     

     

    Check two-party IM: Failure [0xC3FC200D]

    Received a failure SIP response: User sip:batman@company.com @ Server sclcs1.CORP2000.Org
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:chris.burkard@company.com>;epid=epid01;tag=ac2ddac3ab2f95f9d75
    TO: <sip:batman@company.com>;epid=epid11;tag=9e75a9fc6a
    CSEQ: 14 MESSAGE
    CALL-ID: 5723e799d729498c9fd4855da393780a
    VIA: SIP/2.0/TLS 10.11.2.202:1751;branch=z9hG4bK86a38e35;ms-received-port=1751;ms-received-cid=ab00
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="01000000D2B6610314C92E8E304675CE", srand="4FD8B7A2", snum="4", opaque="D8B92586", qop="auth", targetname="sclcs1.CORP2000.Org", realm="SIP Communications Service"
    ms-diagnostics: 2;reason="Unknown Failure";source="sclcs2.CORP2000.Org";HRESULT="C3E93C5E"

    ]

    Received a failure SIP response: User sip:batman@company.com @ Server sclcs1.CORP2000.Org
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:chris.burkard@company.com>;epid=epid01;tag=ac2ddac3ab2f95f9d75
    TO: <sip:batman@company.com>;epid=epid11;tag=9e75a9fc6a
    CSEQ: 15 BYE
    CALL-ID: 5723e799d729498c9fd4855da393780a
    VIA: SIP/2.0/TLS 10.11.2.202:1751;branch=z9hG4bK9083f660;ms-received-port=1751;ms-received-cid=ab00
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="01000000D2B661039AC90E1C304675CE", srand="AE6081D1", snum="5", opaque="D8B92586", qop="auth", targetname="sclcs1.CORP2000.Org", realm="SIP Communications Service"
    ms-diagnostics: 2;reason="Unknown Failure";source="sclcs2.CORP2000.Org";HRESULT="C3E93C5E"

    ]

     

    Test Conference: Failure [0xC3FC200D]

    Validate Conference Scheduling and Joining: Failure [0xC3EC79FC] One or more validation errors occurred.

    Create Conference: Failure [0xC3EC79FC] One or more validation errors occurred.

    Thursday, March 29, 2007 2:25 AM

Answers

  • Chris,

     

    Here's a quick question. Have you installed the LCS 2005 SP1 updates KB911996 and KB921543. These updates are required in the LCS 2005 SP1 environment. KB911996 has to be applied before KB921543. KB921543 contains updates that allows LCS 2005 SP1 to interpret SIP headers that are third party or in this case part of the SIP extensibility that is offered in OCS 2007

     

    Thanks,

     

    Mike Adkins OCS 2007 beta support team

    Thursday, April 26, 2007 10:54 PM

All replies

  • Ran some tracing and had several of these errors logged when running "validate front-end server" from the OCS 2007 SE server:


    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:09.421.0000001a ((Shared),ADSearch::ExecuteSearch:1228.idx(179))GetFirst returned S_ADS_NOMORE_ROWS!  hr = 8240(ERROR_DS_NO_SUCH_OBJECT)
    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:09.421.0000001b ((Shared),ExecuteSearch:962.idx(369))pSearch->ExecuteSearch() failed!  hr = 8240(ERROR_DS_NO_SUCH_OBJECT)

    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:25.375.000001c6 ((Shared),ADSearch::GetAttribute:1228.idx(312))m_piDirSearch->GetColumn() failed!  hr = HRESULT=80005010
    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:25.375.000001c7 ((Shared),GetAttribute:962.idx(491))pSearch->GetAttribute() failed!  hr = HRESULT=80005010

    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002cc ((Shared),ADSearch::ExecuteSearch:1228.idx(179))GetFirst returned S_ADS_NOMORE_ROWS!  hr = 8240(ERROR_DS_NO_SUCH_OBJECT)
    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002cd ((Shared),ExecuteSearch:962.idx(369))pSearch->ExecuteSearch() failed!  hr = 8240(ERROR_DS_NO_SUCH_OBJECT)
    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002ce (LcsWMI,InitiateSearch:1208.idx(4995))8240(ERROR_DS_NO_SUCH_OBJECT), ExecuteSearch failed for SearchFilter: (&(objectCategory=msRTCSIP-TrustedService))
    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002cf (LcsWMI,CLcStoreAd::EnumInstancesWhenNotAllAttributesOfInterestAreInGC:1208.idx(1459))( 010DA294 ) MSFT_SIPTrustedServiceSetting, 8240(ERROR_DS_NO_SUCH_OBJECT), InitiateSearch failed for: (&(objectCategory=msRTCSIP-TrustedService))
    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002d0 (LcsWMI,CLcStoreAd::EnumerateInstancesBasedOnFilter:1208.idx(1135))( 010DA294 ) MSFT_SIPTrustedServiceSetting, 8240(ERROR_DS_NO_SUCH_OBJECT), EnumInstancesWhenNotAllAttributesOfInterestAreInGC failed for query: (&(objectCategory=msRTCSIP-TrustedService))
    TL_ERROR(TF_COMPONENT) [0]0FA0.10D0::03/29/2007-18:27:25.859.000002d1 (LcsWMI,CLcStoreAd::EnumerateInstances:1208.idx(147))( 010DA294 ) MSFT_SIPTrustedServiceSetting, 8240(ERROR_DS_NO_SUCH_OBJECT), EnumerateInstancesBasedOnFilter failed for query: (&(objectCategory=msRTCSIP-TrustedService))

    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:26.421.00000594 (LcsWMI,CLcWmiBase::ExecQuery:45.idx(565))( 010DB6D4 ) MSFT_SIPESServerSetting, HRESULT=80041024, ExecQuery failed

    TL_ERROR(TF_COMPONENT) [0]0FA0.1590::03/29/2007-18:27:26.515.000005b1 ((Shared),GetBindingInfo:184.idx(6734))Error (HRESULT=80004001) GetOption(ADS_OPTION_SERVERNAME) failed

    I ran a lcscmd to check the forest and domain, both completed successfully with no errors.

    Thursday, March 29, 2007 6:47 PM
  • Your front end is complaining about MTLS...are the certificates trusted on both sides?
    Thursday, March 29, 2007 7:08 PM
  • Both the LCS 2005 and OCS 2007 servers have certificates generated from the same Enterprise CA.  I removed the certificate, revoked it on the Enterprise CA and requested a new certificate for the OCS 2007 server using the OCS Certificate wizard to make sure I didn't mess something up in the request.  Looking through the Office Communications Server log in Computer Management I see the following logged every few seconds:


    Event Type: Error
    Event Source: OCS MCU Infrastructure
    Event Category: (1022)
    Event ID: 61030
    Date:  3/30/2007
    Time:  1:35:20 PM
    User:  N/A
    Computer: SCLCS2
    Description:
    The process RtcHost(5764) did not receive a certificate from the client.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    And this in the System log:


    Event Type: Error
    Event Source: Schannel
    Event Category: None
    Event ID: 36870
    Date:  3/30/2007
    Time:  1:17:09 PM
    User:  N/A
    Computer: SCLCS2
    Description:
    A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Friday, March 30, 2007 5:41 PM
  • Perhaps your second error is causing the first error. Is this a new server config or an app uninstall/OCS install? Perhaps the crypto has become corrupt on your server? There are many web hits surrounding various security communication failures when this happens...If you launch an MMC for the local certificates, can you double-click on them and do they appear ok? Does the certification path show trusted the whole way through?
    Monday, April 2, 2007 6:39 PM
  • It was happening on the initial install so I uninstalled OCS, revoked and removed all certificates from the server then reinstalled OCS and requested new certificates using the FQDN and got the same errors.  I can view the certificate in MMC and the certification path shows "This certificate is OK." on the certificate for the OCS server, the subordinate enterprise CA and the root enterprise CA.  Errors are:

     

    OCS Log in Computer Management:


    Event Type: Error
    Event Source: OCS MCU Infrastructure
    Event Category: (1022)
    Event ID: 61030
    Date:  4/2/2007
    Time:  6:05:07 PM
    User:  N/A
    Computer: SCLCS2
    Description:
    The process RtcHost(3168) did not receive a certificate from the client.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

    OCS Deployment Log:


    Received a failure SIP response: User sip:batman@company.com @ Server sclcs1.CORP2000.Org
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:chris.burkard@company.com>;epid=epid01;tag=3d85a38450433ceab56e
    TO: <sip:batman@company.com>;epid=epid11;tag=44eaf27da1
    CSEQ: 14 MESSAGE
    CALL-ID: 63a1879f92094b15b7bec6af0dbd04aa
    VIA: SIP/2.0/TLS 10.10.1.87:2170;branch=z9hG4bK3f759d15;ms-received-port=2170;ms-received-cid=86900
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000340A1FB32D34C1CF", srand="68655092", snum="4", opaque="BE0E0434", qop="auth", targetname="sclcs1.CORP2000.Org", realm="SIP Communications Service"
    ms-diagnostics: 2;reason="Unknown Failure";source="sclcs2.CORP2000.Org";HRESULT="C3E93C5E"

    ]

    Received a failure SIP response: User sip:batman@company.com @ Server sclcs1.CORP2000.Org
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: <sip:chris.burkard@company.com>;epid=epid01;tag=3d85a38450433ceab56e
    TO: <sip:batman@company.com>;epid=epid11;tag=44eaf27da1
    CSEQ: 15 BYE
    CALL-ID: 63a1879f92094b15b7bec6af0dbd04aa
    VIA: SIP/2.0/TLS 10.10.1.87:2170;branch=z9hG4bK3a405fbb;ms-received-port=2170;ms-received-cid=86900
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000F1350FCF2D34C1CF", srand="27681A8F", snum="5", opaque="BE0E0434", qop="auth", targetname="sclcs1.CORP2000.Org", realm="SIP Communications Service"
    ms-diagnostics: 2;reason="Unknown Failure";source="sclcs2.CORP2000.Org";HRESULT="C3E93C5E"

    ]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
    Suggested Resolution: Check connectivity between servers.
    Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
     
    Tempted to nuke the server and start over from scratch.  Something just isn't wanting to cooperate here.  The install is every bit as easy as Exchange IM was. Wink
    Monday, April 2, 2007 10:09 PM
  • Hi ChrisB,

    Can you let us know the status of your issue? Have you been able to resolve it? If so, would you be willing to share it with the forums?

    Thanks.

    Thursday, April 26, 2007 6:47 PM
  • Chris,

     

    Here's a quick question. Have you installed the LCS 2005 SP1 updates KB911996 and KB921543. These updates are required in the LCS 2005 SP1 environment. KB911996 has to be applied before KB921543. KB921543 contains updates that allows LCS 2005 SP1 to interpret SIP headers that are third party or in this case part of the SIP extensibility that is offered in OCS 2007

     

    Thanks,

     

    Mike Adkins OCS 2007 beta support team

    Thursday, April 26, 2007 10:54 PM
  • The patches got LCS 2005 to accept the validation IM from an OCS 2007 but the validation still failed overall.  Communicator 2007 is not allowing users to log in, complaing about domain names not matching since we use a our external domain names for SIP addresses which differ from our internal domain structure.  Now that LCS 2005 is patched I'm going to re-do the OCS 2007 install... as soon as I have some free time.
    Friday, April 27, 2007 7:04 PM
  • Hi ChrisB,

    Can you start another thread with any issues you may have with your new installation? Thanks!

    Monday, April 30, 2007 11:24 PM