Internal automatic sign in with multiple email domains, OCS 2007 R2: "there was a problem verifying the certificate from the server"

Question
-
Hello,
I've installed OCS 2007 R2 Standard Edition with Exchange UM server. Everything is working well. Clients can sign in from the outside without VPN, they can expand DLs, they can join conferences, etc. All is great except for one thing and I'm not too sure how to go about it.
We have multiple email domains and users sign in with their default SMTP domain. OCS is configured for automatic sign in with only one domain. It fails when someone signs in using another domain. I've created an internal certificate with multiple domain names; the SN name is the FQDN of the server and the SAN has all the other domain names. When I sign in using another email domain I get this error in Communicator: "there was a problem verifying the certificate from the server". I go to https://servername/certsrv and get the error message about a certificate mismatched address. Basically the SAN certificate is not installed on the server. How do I install it and make the sign in successful?
Tuesday, September 15, 2009 5:55 PM
Answers
-
If you are simply trying to assign a new certificate to the OCS Front-End server, then there are two places you'll need to do this at, one for TLS/MTLS OCS communications and one for SSL HTTPS communications.
1. From the OCS admin console select 'Certificates' from the right-click menu on the Server object (the one with the full FQDN, not the shorter pool name) and then choose "Assign an Existing certificate" and pick the new cert.
2. You'll also need to update the Web Components certificate in IIS. Follow these directions: http://technet.microsoft.com/en-us/library/dd441360(office.13).aspx
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Proposed as answer by Gavin-Zhang (Moderator) Friday, September 25, 2009 10:04 AM
- Marked as answer by Gavin-Zhang (Moderator) Thursday, October 8, 2009 9:19 AM
Wednesday, September 16, 2009 3:04 PM (Moderator)
-
To support additional SIP domains for Automatic Sign-In you'll need to (1) create a pair of SRV and A records for each domain, all pointing to the IP address of the Access Edge external IP as well as (2) add the FQDN of each new A record to the SAN field of the server's certificate.
Are you getting the login failure when attempting to sign in on internal, external (or both) clients? It's unclear if you are connecting to a Front-End server internally or an Edge server externally. Also, what are the assigned SN/SAN values on the certificate in question?
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
- Proposed as answer by Gavin-Zhang (Moderator) Friday, September 25, 2009 10:04 AM
- Marked as answer by Gavin-Zhang (Moderator) Thursday, October 8, 2009 9:19 AM
Tuesday, September 15, 2009 6:05 PM (Moderator)
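As an added illustration of the check behind the answer above (this is not code from the thread or from Microsoft): for user@domain the client resolves an SRV record to a target FQDN, that FQDN resolves to the server address, and the same FQDN must appear in the certificate's CN or SAN. A SAN entry for a bare SMTP domain does not cover sip.<domain>. The DNS data, addresses and certificate names are constructed, and the `_sipinternaltls._tcp` SRV prefix is an assumption about the internal TLS naming convention.

```python
"""Offline check of the OCS automatic sign-in chain for several SIP domains.
All DNS records and certificate names below are constructed sample data."""

# Constructed DNS zone data: SRV target/port and A records per SIP domain.
DNS_SRV = {
    "_sipinternaltls._tcp.contoso.com": ("sip.contoso.com", 5061),
    "_sipinternaltls._tcp.fabrikam.com": ("sip.fabrikam.com", 5061),
    # tailspin.com deliberately has no SRV record
}
DNS_A = {
    "sip.contoso.com": "10.0.0.5",
    "sip.fabrikam.com": "10.0.0.5",
}

# Constructed certificate identity: CN is the Front-End FQDN. Note the SAN
# carries the bare SMTP domain "fabrikam.com", not "sip.fabrikam.com".
CERT_CN = "ocsfe01.corp.contoso.com"
CERT_SAN = ["ocsfe01.corp.contoso.com", "sip.contoso.com", "fabrikam.com"]


def check_sign_in(domain, srv_prefix="_sipinternaltls._tcp", expected_ip=None):
    """Return (ok, reason) for automatic sign-in from user@domain.
    srv_prefix is an assumed naming convention; expected_ip optionally
    enforces that every SRV target resolves to the same server address."""
    domain = domain.lower()
    srv = DNS_SRV.get(f"{srv_prefix}.{domain}")
    if srv is None:
        return False, f"no SRV record for {srv_prefix}.{domain}"
    target, port = srv
    ip = DNS_A.get(target)
    if ip is None:
        return False, f"SRV target {target} has no A record"
    if expected_ip and ip != expected_ip:
        return False, f"{target} resolves to {ip}, expected {expected_ip}"
    # Name matching is exact on the FQDN the client connected to; a SAN entry
    # for the bare domain does not satisfy a connection to sip.<domain>.
    names = {CERT_CN.lower(), *(n.lower() for n in CERT_SAN)}
    if target.lower() not in names:
        return False, f"{target} is not in the certificate CN/SAN"
    return True, f"{target}:{port} matches the certificate"


if __name__ == "__main__":
    for d in ("contoso.com", "fabrikam.com", "tailspin.com"):
        print(d, check_sign_in(d))
```

Running it shows contoso.com passing, fabrikam.com failing on the certificate name (the symptom in this thread) and tailspin.com failing on DNS.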
All replies
-
Hello,
(1) create a pair of SRV and A records for each domain, all pointing to the IP address of the Access Edge external IP as well as (2) add the FQDN of each new A record to the SAN field of the server's certificate. This is done.
I'm getting the Communicator login failure internally. The SN values in the certificate represent 19 different SMTP domains. I've created the certificate on the FE server and I imported it but I cannot see the certificate. Where do I check to see which certificate is on the FE server?
Many thanks
Tuesday, September 15, 2009 8:04 PM
-
Hi
Any update for your issue?
Thanks!
Regards!
Tuesday, September 22, 2009 2:55 AM (Moderator)