Please Help - OCS Protocol Stack Event ID 14428

Question

    Dear Technet community,


    Hoping you can help us out. We have an LCS 2005 SP1 environment with a proxy server and an internal server.   We are attempting to bring up an OCS environment by pointing the firewall at the new OCS Edge server first, and then if that test succeeds, we will proceed on with replacing the internal LCS server with an OCS server.  On the existing LCS internal server we have configured the proxy address with the new OCS edge server and restarted services.  We have installed an external and an internal certificate on the new OCS 2007 edge server.

    When LCS 2005 Communicator clients attempt to sign in, they get an error message stating “the server is temporarily unavailable” and we see a brief TCP connection to port 5061 on the OCS Edge server. These two errors are logged on the OCS proxy server. It appears this is not a client-to-edge-server issue. We have imported the chain to both the internal LCS server and the external OCS server. The external domain name has not been changed, so we exported the external LCS cert (Verisign), imported it to our OCS edge server, and configured it via the certificate configuration utility in OCS. We are definitely suspicious of a certificate issue but are missing something.


    Event Type:     Error
    Event Source:   OCS Protocol Stack
    Event Category: (1001)
    Event ID:       14501
    Date:           7/9/2008
    Time:           5:26:12 PM
    User:           N/A
    Computer:       EDGEOCS01
    Description:
    A significant number of invalid certificates have been provided by remote IP address 10.1.1.5 (Our internal LCS 2005 server) when attempting to establish an MTLS peer. There have been 10 such failures in the last 0 minutes.
    Certificate Names associated with this peer were
    The serial number of this certificate is .
    The issuer of this certificate is
    The specific failure types and their counts are identified below.
    Instance count - Failure Type
    10               80090322

    _______________________________________________________________________________________________

    Event Type:     Error
    Event Source:   OCS Protocol Stack
    Event Category: (1001)
    Event ID:       14428
    Date:           7/9/2008
    Time:           5:25:50 PM
    User:           N/A
    Computer:       EDGEOCS01
    Description:
    TLS outgoing connection failures.

    Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "catinlcs01.(name removed to protect the guilty).com".

    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.

    Resolution:
    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    Wednesday, July 9, 2008 10:58 PM

Answers

  • You have to look really close at the certificate.

    This was identified by enabling IIS on both servers and testing between the two via web sessions. The servers in question were abcinlcs01.companyx.com (LCS 2005) and abcexocs01.companyx.com (new OCS 2007 Edge server being placed in to migrate to OCS 2007).

    If you go from abcinlcs01 to https://abcexocs01.companyx.com, the browser goes straight in and the cert is loaded without issue, as the lock in IE shows. Observing the cert via IE, you can see that the subject in the cert aligns with the FQDN of the server. All is good.

    Go from abcexocs01 to https://abcinlcs01.companyx.com and you are presented with a faulty certificate message and must click continue to site “not recommended”. This now shows a certificate error in IE as opposed to the happy lock.

    A closer look at the certificate revealed the subject is abclcs01.companyx.com, not abcinlcs01.companyx.com. The FQDN and subject don’t match. We looked at that &%$% certificate too many times and it looks fine at a glance.

    A browser gives cool messages when certificates aren’t good because they are supposed to be super user friendly. Applications like a Live Meeting plug-in for Outlook or OCS servers, etc. that require a cert will not work.

     

    Thursday, July 10, 2008 2:22 AM
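The peer-name check that produced the 0x80090322 failure above, as an added example that is not part of the original post: the certificate dicts are constructed in the shape Python's ssl.getpeercert() returns, using the host names from the thread (abclcs01 vs abcinlcs01), and the matching rules (SAN dNSName preferred over CN, case-insensitive, single-label wildcard) are the usual TLS server-identity rules, not OCS's own code.

```python
# Constructed peer certificates in the dict shape ssl.getpeercert() returns;
# names come from the thread, the certificates themselves are not real.
LCS_CERT = {
    "subject": ((("commonName", "abclcs01.companyx.com"),),),
    "issuer": ((("commonName", "CompanyX Issuing CA"),),),
}
EDGE_CERT = {
    "subject": ((("commonName", "abcexocs01.companyx.com"),),),
    "subjectAltName": (("DNS", "abcexocs01.companyx.com"), ("DNS", "sip.companyx.com")),
}


def cert_names(cert: dict) -> list[str]:
    """Names the peer may legitimately present: SAN dNSName entries first,
    falling back to the subject CN only when the cert has no SAN at all."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(presented: str, expected_fqdn: str) -> bool:
    """Case-insensitive DNS name match. A leading '*.' label matches exactly
    one label and must be followed by at least two labels (so '*.com' never matches)."""
    p = presented.lower().rstrip(".")
    e = expected_fqdn.lower().rstrip(".")
    if p == e:
        return True
    if p.startswith("*."):
        plabels, elabels = p.split(".")[1:], e.split(".")
        return len(plabels) >= 2 and len(elabels) == len(plabels) + 1 and elabels[1:] == plabels
    return False


def check_peer(cert: dict, expected_fqdn: str) -> tuple[bool, str]:
    """Return (ok, reason) for an outgoing MTLS connection to expected_fqdn.
    A False result is what OCS reports as 'The target principal name is incorrect'."""
    names = cert_names(cert)
    for n in names:
        if name_matches(n, expected_fqdn):
            return True, f"ok: '{n}' matches {expected_fqdn}"
    return False, f"principal name mismatch: expected {expected_fqdn}, cert names {names}"


if __name__ == "__main__":
    # Edge -> internal LCS, the direction that failed in the thread (CN differs by two letters).
    print(check_peer(LCS_CERT, "abcinlcs01.companyx.com"))
    # LCS -> Edge, the direction that worked.
    print(check_peer(EDGE_CERT, "abcexocs01.companyx.com"))
```

Running it shows the asymmetry the answer describes: the edge's certificate satisfies its FQDN while the LCS certificate does not, even though both look fine at a glance.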

All replies

  • We had the exact same issue. Everything seemed to work OK, but the users were getting a warning on the Communicator 2007 client:

    ---------------------------
    Microsoft Office Communicator 2007
    ---------------------------
    Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.
    ---------------------------
    OK
    ---------------------------

    Turns out one letter on our certificate subject name was off; reissuing the certificate with the correct FQDN solved the issue.
    Wednesday, August 19, 2009 8:39 PM