OCS deployment failed to Validate server functionality at last step

  • Question

  • I have an issue similar to two previous threads:

    Failed to establish security association with the server

    Sign-in not found 

    but not much info could be found there, so I opened a new thread.

     

    Step 7, validate server functionality, failed with the following message log:

    Check user logon

     

     

     

    Failure
    [0xC3FC200D] One or more errors were detected

     

    Attempting to login user using Kerberos

     

    Maximum hops: 2
    Failed to establish security association with the server: User test1 Domain audio.com Protocol Kerberos Server sip/waynewang-03.audio.com Target Invalidated

    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
    Failed to register user: User sip:test1@audio.com @ Server waynewang-03.audio.com
    Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893044
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.

     

    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM

     

    Maximum hops: 2
    Failed to establish security association with the server: User test1 Domain audio.com Protocol NTLM Server waynewang-03.audio.com Target Invalidated

    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.

     

    Failure
    [0xC3FC200D] One or more errors were detected

     

    Attempting to login user using Kerberos

     

    Maximum hops: 2
    Authentication protocol is not enabled: Ntlm

    Failed to establish security association with the server: User test2 Domain audio.com Protocol Kerberos Server sip/waynewang-03.audio.com Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
    Failed to register user: User sip:test2@audio.com @ Server waynewang-03.audio.com
    Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893044
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.

     

    Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM

     

    Maximum hops: 2
    Authentication protocol is not enabled: Ntlm

    Failed to establish security association with the server: User test2 Domain audio.com Protocol NTLM Server waynewang-03.audio.com Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.

     

    Meanwhile, in the system event log of OCS, an error appears every other second:

    Event Type: Error
    Event Source: OCS MCU Infrastructure
    Event Category: (1022)
    Event ID: 61030
    Date: 8/20/2007
    Time: 7:52:14 PM
    User: N/A
    Computer: WAYNEWANG-03
    Description:
    The process RtcHost(3104) did not receive a certificate from the client.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

     

    About the given solution:

    The password and user name are OK. Both test1 and test2 could be used to log in to the domain.

    Active Directory is installed on the same Server 2003 R2 machine, so the server is surely part of the AD domain, and both accounts are in AD, aren’t they?

    And in OCS mmc\”forest - audio.com”\”standard edition server”\”waynewang-03”\users, test1 and test2 are listed, both enabled.

    As for SIP, I am not sure how to check it, nor the Kerberos-related problems.

     

    At present, Communicator cannot sign in. It prompts “There was a problem verifying the certificate the server, please contact your system administrator”. But unluckily it was administrator@audio.com itself that was used to sign in !_! from the same server computer. Automatic configuration is selected in the advanced connection settings of Communicator.

     

    This problem has fazed me for weeks; could someone kindly give a diagnosis? A checklist is welcome, with detailed steps please, Orz

    Thanks

     

    Tuesday, August 21, 2007 2:41 AM
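
The validation log in the post above reports the SSPI failure only as a signed decimal (-2146893044). As an added example (not part of the original post), this Python sketch decodes that value into its HRESULT fields and pairs each failed security association with the error that follows it. The status-name table is a small subset of winerror.h, and the function names are this example's own.

```python
import re

# Subset of SSPI status codes from winerror.h (not exhaustive).
SSPI_STATUS = {
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090324: "SEC_E_TIME_SKEW",
}

# Lines copied from the validation log quoted in the post.
SAMPLE_LOG = """\
Failed to establish security association with the server: User test1 Domain audio.com Protocol Kerberos Server sip/waynewang-03.audio.com Target Invalidated
Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893044
Failed to establish security association with the server: User test1 Domain audio.com Protocol NTLM Server waynewang-03.audio.com Target Invalidated
Authentication protocol is not enabled: Ntlm
Failed to establish security association with the server: User test2 Domain audio.com Protocol Kerberos Server sip/waynewang-03.audio.com Target Invalidated
Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893044
"""

SA_RE = re.compile(r"User (\S+) Domain (\S+) Protocol (\S+) Server (\S+)")
ERR_RE = re.compile(r"NegotiateSecurityAssociation failed, error: (-?\d+)")

def decode_hresult(signed):
    """Turn the signed 32-bit value from the log into HRESULT fields."""
    hr = signed & 0xFFFFFFFF              # reinterpret as unsigned 32-bit
    return {
        "hex": f"0x{hr:08X}",
        "failure": bool(hr >> 31),        # severity bit
        "facility": (hr >> 16) & 0x7FF,   # 9 = FACILITY_SSPI
        "code": hr & 0xFFFF,
        "name": SSPI_STATUS.get(hr, "unknown (not in this subset)"),
    }

def triage(log):
    """Pair each failed security association with the error code that follows it."""
    findings, current = [], None
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            keys = ("user", "domain", "protocol", "server")
            current = dict(zip(keys, m.groups()), error=None)
            findings.append(current)
            continue
        e = ERR_RE.search(line)
        if e and current is not None:
            current["error"] = decode_hresult(int(e.group(1)))
    return findings
```

On the sample lines, both Kerberos attempts decode to 0x8009030C (SEC_E_LOGON_DENIED, facility 9), while the NTLM attempt has no numeric code attached in the log.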

All replies

  • Hey there, did you ever resolve this? I am having the same exact issue...

     

    Thanks.

    Wednesday, October 31, 2007 4:00 PM
  • Bummer, I have the same exact error here. Any solutions?
    Tuesday, April 22, 2008 2:06 PM
  • Hi,

    For what it's worth, I never check the "2-party login" info in the validation wizard. I find it to be a waste. I just check the first 2 boxes: "server configuration" and "connectivity" options.

     

    If you really want to find out if clients can log in, just install a client and log in - that's always been the best route for me.

     

    Regards,

    Matt

     

    Tuesday, April 22, 2008 6:23 PM
  • Yes, completely agree with Matt.
    I always skipped this part, and tested in a real communicator client.

    That is a better way to test the connection.

    Regards,
    Arfan Arlanda

    Wednesday, July 16, 2008 6:19 PM