Unable to log in via Edge server with error C3E93D86

Question

  • When trying to log in via a newly configured Edge Server from within the company network the client receives the following message:
    Microsoft Office Communicator 2007
    Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator.
    After a few tries, the following is logged on the Edge server:
    EventID: 14501
    Event Source: OCS Protocol Stack
    A significant number of invalid certificates have been provided by remote IP address 10.5.6.98 when attempting to establish an MTLS peer. There have been 10 such failures in the last 0 minutes.
    Certificate Names associated with this peer were
    The serial number of this certificate is .
    The issuer of this certificate is
    The specific failure types and their counts are identified below.
    Instance count   - Failure Type
    10                 C3E93D86
    If I try from outside the network on a non-domain system I get a slightly different error (presumably because there's no client certificate):
    EventID: 14502
    Event Source: OCS Protocol Stack
    A significant number of connection failures have occurred with remote server Unknown IP 78.136.49.150. There have been 60 failures in the last 60 minutes. There have been a total of 60 failures.
    The specific failure types and their counts are identified below.
    Instance count   - Failure Type
    60                 C3E93D86
    This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.
    Passing C3E93D86 through 'lcserror' results in the following:
    >lcserror C3E93D86
    0x83E93D86 -> None matched
    0x80003D86 -> None matched
    No errors get logged on our standard pool server. We're running OCS 2007 R2 Standard on Windows 2008. Our Edge server is not a member of a domain but in a workgroup.

    The only validation error we get is due to the fact we haven't configured a voice location profile.

    There is no internal firewall between the clients and the OCS server. Externally the following TCP ports have been opened: 443; 5060; 5061.

    Any suggestions on how to progress from here would be greatly appreciated.
    Monday, June 1, 2009 10:36 AM

Answers

  • I've managed to solve my problem. I've been manually entering the connection details since our DNS provider (ZoneEdit) doesn't support SRV records. I should have been entering the FQDN with :443 rather than just the FQDN. My edge access now works, I just need to move to start hosting the zone ourselves so we can create SRV records. Thanks for your help guys.

    If anyone runs into the same problem, I've posted about it over on my blog.

    Thanks again,

    Dave
    • Marked as answer by David Hope Thursday, June 4, 2009 5:00 PM
    Thursday, June 4, 2009 1:13 PM

All replies

  • Hey David,

    First question for you, any reason you are having your internal folks hit the edge?  You can simply configure the SRV for your sip domain to point to your FE server on port 5061.  No need for them to go through the edge.

    As far as the edge goes, couple of questions:

    1.  Does the edge trust the CA the certificates were issued from
    2.  Can the edge resolve the FQDN of the SE Pool to the proper IP
    3.  Is the SE server in the list of authorized hosts on the edge
    4.  Is the Edge server listed on the SE pool as an available edge server


    For the Edge outside interfaces, make sure each service gets a cert with a subject that matches the FQDN, if you have the IP's I'd highly recommend using port 443 for all of the services.

    Let's start there with the basics and we can dive further once those are verified.

    Thanks!

    -KP

    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Tuesday, June 2, 2009 3:10 AM
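As an added example, not code from this thread or from Microsoft, the following Python checker reflects the accepted fix (the manual entry must carry the explicit :443 for the Edge access interface) and Kevin's checklist above (each service certificate must carry a subject matching its FQDN). The function names `parse_manual_server`, `edge_entry_is_complete`, `cert_matches_fqdn` and `probe_edge_tls` are hypothetical, and treating an entry without a port as 5061 is an assumption about the client's default.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# Ports from the thread: 5061 is SIP/TLS to the FE pool, 443 the Edge access
# service. Assumption: an entry with no port is treated as 5061 by the client.
DEFAULT_TLS_PORT = 5061
EDGE_ACCESS_PORT = 443


def parse_manual_server(entry: str) -> Tuple[str, int]:
    """Split a manual-configuration entry such as 'sip.example.com:443'
    into (fqdn, port); a missing port falls back to DEFAULT_TLS_PORT."""
    host, sep, port = entry.strip().partition(":")
    if not host:
        raise ValueError("empty server name")
    if not sep:
        return host, DEFAULT_TLS_PORT
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid port in {entry!r}")
    return host, int(port)


def edge_entry_is_complete(entry: str) -> bool:
    """True only when the Edge access port is spelled out, as in the fix."""
    return parse_manual_server(entry)[1] == EDGE_ACCESS_PORT


def cert_matches_fqdn(cert: Dict, fqdn: str) -> bool:
    """Subject-matches-FQDN check on a dict shaped like the return value of
    ssl.SSLSocket.getpeercert(): DNS SANs first, then the subject CN.
    Exact, case-insensitive match; no wildcard handling."""
    wanted = fqdn.lower().rstrip(".")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if wanted in sans:
        return True
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return wanted in cns


def probe_edge_tls(entry: str, ca_file: Optional[str] = None,
                   timeout: float = 5.0) -> bool:
    """Open a TLS session the way the client would and report whether the
    presented certificate names the FQDN. Chain trust against ca_file (the
    enterprise CA bundle) is still enforced. Network call, not run offline."""
    fqdn, port = parse_manual_server(entry)
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # report a name mismatch instead of raising
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return cert_matches_fqdn(tls.getpeercert(), fqdn)
```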
  • How are you directing internal clients to attempt login against the Edge server?  If they are hitting the Edge internal interface that will definitely fail.  Also you mention not having a client certificate; if you are using TCP for internal (by adding 5060 to the FE listener configuration) that is fine for internal sign-in, but Edge only supports TLS so you must have a trusted certificate applied regardless of where the client is trying to sign in from.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 2, 2009 12:41 PM
    Moderator
  • 
    Hi Kevin,

    First of all, thanks for taking the time to reply.

    At the moment it's just me hitting the edge from within the firewall as a test to see if it works. The rest of the users use the FE server as you'd expect (and they work).

    In response to your questions:

    1. Yes. The Edge server has the CA certificate in the computer 'Trusted Root Certificate Authorities' store. The Edge certificates are signed by the same CA as the standard edition FE servers.
    2. Yes. The FQDN resolves correctly.
    3. Yes.
    4. Yes.

    It took some tweaking to begin with but the certificates are all set up correctly. I don't get any certificate errors (other than the MTLS error when I try and connect to the Edge access interface, not the internal interface).

    Hi Jeff,

    First of all, thanks for taking the time to reply. The clients are using the edge access interface, not the internal one. The only reason I included the error from a non-MTLS client was to see if it gave me a different error (since both scenarios give a very similar error). My client machine has a client certificate signed by our enterprise CA (the same CA which signed the rest of our OCS certificates).

    • Edited by David Hope Tuesday, June 2, 2009 5:40 PM typo
    Tuesday, June 2, 2009 5:40 PM