Another Address Book Sync problem

  • Question

  • Hi, I have crawled through forums and blogs trying to get this issue sorted out but have not been able to.

    I am able to successfully sync the address book when I log on from a computer joined to the domain. When I log on from a computer not joined to the domain (but still on the private network), I see the "Cannot synchronize address book" problem.

    I am running OCS 2007 R2 on a W2K8 Enterprise OS.

    From the computer I can open up a browser and download the address book file. I have no certificate problems when pointing to:

    https://ocs.lab.net/Abs/Ext/Handler
    https://ocs.lab.net/Abs/Int/Handler

    Would appreciate any thoughts
    Thursday, August 20, 2009 8:06 AM

Answers

  • I had this issue from my Vista/Win 7 boxes that were non-domain based or when those OS's were external to the network (domain membership didn't matter then). Because we are using an internal SSL cert to secure the Address Book site, non-domain Vista/Win 7 machines had an issue pulling the certificate revocation list. From what I have read, when your MOC client tries to pull the address book, it has IE make a connection in the background. Since it's over SSL, IE in Vista/Win 7 tries to check the CRL before it makes the connection. To fix the issue, I changed the permissions on my CA's website to allow anonymous users to pull the CRL. That fixed the issue for the non-domain, internal folks. Until I switch the ABS site to a public cert, I told my external users to live with the error or go into IE → Tools → Internet Options → Advanced tab → Security area and uncheck the box for “Check for server certificate revocation.” From what we have seen, this setting is not selected/active by default in XP. However, it is active in Vista/Win 7. So XP machines don’t see this issue.

    Rich Getteau
    • Marked as answer by SM75 Monday, September 28, 2009 11:09 PM
    Monday, September 28, 2009 9:59 PM
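
The check below is an added example, not part of the original answer or thread: it requests a CRL distribution point URL without credentials, the way a non-domain client would, and reports whether the CA web site serves the CRL anonymously. The function name `probe_crl` and its verdict strings are assumptions of this example; pass it the CRL URL listed in the ABS server certificate.

```python
import sys
import urllib.error
import urllib.request

PEM_CRL_HEADER = b"-----BEGIN X509 CRL-----"


def probe_crl(url, timeout=5):
    """Request a CRL URL with no credentials and classify the result.

    Returns (verdict, detail); verdict is one of 'ok', 'auth-required',
    'not-a-crl', 'http-error', 'unreachable'. (Names are this example's own.)
    """
    # Opener with no proxy and no auth handlers: a 401 challenge is never
    # answered, which mirrors a client that has no domain credentials.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            challenge = exc.headers.get("WWW-Authenticate", "none")
            return "auth-required", f"HTTP {exc.code}, challenge: {challenge}"
        return "http-error", f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return "unreachable", str(exc)
    # A DER CRL begins with an ASN.1 SEQUENCE tag (0x30); a PEM CRL with its
    # header line. Anything else (e.g. an HTML login page) is not a CRL.
    if body[:1] == b"\x30" or body.lstrip().startswith(PEM_CRL_HEADER):
        return "ok", f"{len(body)} bytes served anonymously"
    return "not-a-crl", "response body is not DER or PEM CRL data"


if __name__ == "__main__":
    # Usage: python probe_crl.py <CDP URL from the server certificate> ...
    for cdp_url in sys.argv[1:]:
        verdict, detail = probe_crl(cdp_url)
        print(f"{cdp_url}: {verdict} ({detail})")
```

An `auth-required` verdict from the non-domain machine corresponds to the condition the answer fixed by allowing anonymous access to the CRL on the CA's web site.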

All replies

  • SM75,

    You said:
    "From the computer I can open up a browser and download the address book file. I have no certificate problems when pointing to"
    For the computer you are speaking of, is it the non-domain machine?

    Thanks

    -kp
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Thursday, August 20, 2009 12:20 PM
  • Hi...thanks for the reply.

    Yes, the computer where I fail to download the address book is the non-domain machine... From this computer I can log in OK to OCS, and can browse to the IIS internal and external ABS URLs. I have also installed the root certificates as well.

    Thursday, August 20, 2009 1:14 PM
  • Can you grab the file name for one of the files in the address book (.dabs) and see if the client can reach the file via the browser?  You should also turn on logging/tracing in communicator and restart it.  That will allow you to see what steps it is going through to try to download and where it is failing.

    -kp
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Thursday, August 20, 2009 1:38 PM
  • SM75,

    Do you have published Outlook anywhere also?
    Which Authentication Method have you implemented for Publishing the AddressBook URL?
    Do you have different Authentication methods for Publishing AddressBook URL and Outlook Anywhere URL?

    Cheers
    Werner
    Thursday, August 20, 2009 1:44 PM
  • Hi, yes I can download a dabs file from the browser...when I grab a Communicator trace I can see the correct URLs sent to the client, but I don't see the request from the client to the web server... When I check IIS logs I don't see any entries either. I can only see entries in IIS logs when I download the dabs file through Internet Explorer.
    Thursday, August 20, 2009 1:53 PM
  • Hi, no I haven't set up Exchange yet..the authentication method is the default Windows Authentication for both URLs.
    Thursday, August 20, 2009 1:55 PM
  • SM75

    I do not mean the Default Authentication Method on the IIS, I mean Publishing, which is the Authentication Method on your ISA Server Listener and the Authentication delegation from there.

    Cheers
    Werner
    Friday, August 21, 2009 6:30 AM
  • Hi Werner, thanks for the reply.

    I'm not actually using ISA. Everything is still internal. One computer is joined to a domain and one is not, but apart from that all items are on the same subnet.

    Friday, August 21, 2009 8:31 AM
  • How have you put in your login credentials in communicator?

    First field SIP exactly as you defined in OCS maybe: Firstname.Lastname@domain.com
    Second Field: DOMAIN\ACCOUNTNAME

    Have you enabled Logging on communicator? Any hints in the Logfiles?

    ??

    Cheers
    Werner
    Friday, August 21, 2009 9:43 AM
  • Hi, yes that is exactly how I am signing in... unfortunately there is nothing in the log files to indicate what is happening.
    Friday, August 21, 2009 12:15 PM
  • hi
    Please ensure you have enabled event logging for Communicator. You'd better publish some more information regarding your issue, and we can do further research for you.
    Per your description, below are some suggestions for you.
    1. If there is really no error, it may be that the client cannot synchronize the address book correctly. You can do:
        (a). log off the oc (b). delete the GalContacts.db, the directory is: %userprofile%\AppData\Local\Microsoft\Communicator  (c). log on the oc again
    2. Many things can cause the issue; below are some general solutions related to it.
        http://support.microsoft.com/kb/938286/
        http://support.microsoft.com/kb/953113/en-us

    Hope this is helpful!
    Regards!
    Thursday, August 27, 2009 4:22 AM
    Moderator
  • hi
    Any update for your issue?


    Regards!
    Friday, September 4, 2009 8:27 AM
    Moderator
  • thanks Rich...this is my issue exactly....
    Monday, September 28, 2009 11:10 PM
  • Hi Rich
    Thanks a lot!  Good job!

    Best regards!

    Wednesday, September 30, 2009 1:18 AM
    Moderator