I can't get ocs to run!! Can't validate Pool or server Functionality.

  • Question

  •  

    Hi all,

     

    I went through a brand new install of OCS 2007 Standard.

    All the services are running and I got an ssl certificate through one of those free trials online.

    I'll be happy to purchase whatever I need once I get this running, but for the purposes of testing, I decided to use a 90 day trial.

     

    The relevant services are all running, however I'm at the step of the configuration to Validate Pool or Server Functionality. They all fail.

     

    Step 1: Validate Front End Server Configuration:

    I need to enter an Account, User Name, Password, and Server/Pool.

     

    The server/pool is populated by the current server name.

    The user name and account name, I'm using domain\rtcservice and the local machine as the server.

    When the test runs, I get the error:

     

    Failure
    [0xC3FC200D] One or more errors were detected

     

     

    Maximum hops: 2
    Successfully established security association with the server: User RTCService Domain ccl.local Protocol Kerberos Target sip/mocs.ccl.local
    Failed to register user: User sip:rtcservice@ccl.local @ Server mocs.ccl.local
    Failed registration response: [
    SIP/2.0 404 Not Found
    FROM: <sip:rtcservice@ccl.local>;epid=epid10;tag=e379d32496
    TO: <sip:rtcservice@ccl.local>;tag=F30BD02E5FD59EE740ED527EF8148549
    CSEQ: 7 REGISTER
    CALL-ID: fa6d7dc432314fd7b9dbe6288425f270
    VIA: SIP/2.0/TLS 172.28.91.22:3910;branch=z9hG4bKb32272a;ms-received-port=3910;ms-received-cid=A00
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFF75977859E954BA9FD5752135DE95E280", srand="885D9D19", snum="1", opaque="95388C85", qop="auth", targetname="sip/mocs.ccl.local", realm="SIP Communications Service"
    ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="mocs.ccl.local"

    ]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
    Suggested Resolution: If authentication failed, then make sure the user is SIP-enabled and is homed properly.

     

    The suggested resolution states that I have to make sure the user is SIP-enabled and homed properly -- Any ideas what this means?

     

    I really need to get this working, so if anyone has any suggestions I'd love to try it out.

    Tuesday, September 16, 2008 4:47 AM

All replies

  • Where are you running the validation wizard from: the Front-End server itself, or from a remote management console or other server?

     

    Tuesday, September 16, 2008 1:09 PM
    Moderator
  •  

    Hi,

     

    I am running the validation wizard from the server where I installed OCS.

    Is this not what I should be doing?

    Tuesday, September 16, 2008 9:11 PM
  • That's fine, I was just trying to figure out if it might be some name resolution or network connectivity issue. 

     

    Try using the dbanalyze command to verify if the user is misconfigured.

    Tuesday, September 16, 2008 10:38 PM
    Moderator
  • Hi,

     

    How do I run dbanalyze?

    Also, how do I configure users?

    Does this integrate with active directory, so all users in my active directory are potentially users I can use to connect to ocs?

    Are they meant to be part of a particular group?

     

    It seems as though all services are running correctly, as is IIS.

    However, when I try to connect to the server via a web browser (whether it be through https or http), I get the error:

    Page Under Construction

     

     

     

    Tuesday, September 16, 2008 10:50 PM
  •  zayindaleth wrote:

    Hi,

     

    How do I run dbanalyze?

    Also, how do I configure users?

    Does this integrate with active directory, so all users in my active directory are potentially users I can use to connect to ocs?

    Are they meant to be part of a particular group?

     

    It seems as though all services are running correctly, as is IIS.

    However, when I try to connect to the server via a web browser (whether it be through https or http), I get the error:

    Page Under Construction

     

     

     


    That's ok that it's saying Under Construction, the index page of the root directory is meant to display that. There are virtual directories below that that are configured and serve up things like group expansion for contact lists, meeting content and address book download. Generally these work fine out of the box and don't require any additional configuration.

    OCS does integrate with Active Directory. If you open ADUC (Active Directory Users and Computers) on your OCS server, you can right click a user you'd like to enable for OCS and select "Enable users for Communications Server". Then follow the wizard to give them a SIP address (so they can login using Office Communicator) and choose the features you'd like to enable them for.
    Wednesday, September 17, 2008 12:54 AM
  •  

    Hi,

    And thank you kindly for your reply.

     

    I have started again, and have been following these instructions:

    http://technet.microsoft.com/en-us/library/bb880155.aspx

     

    Now I get the following error when I try to validate:

     

    Attempting to login user using Kerberos   Maximum hops: 2
    Failed to establish security association with the server: User ocs Domain championcompressors.com.au Protocol Kerberos Server sip/mocs.ccl.local Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
    Failed to register user: User sip:ocs@championcompressors.com.au @ Server mocs.ccl.local
    Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893039
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected

    Attempting to login user using NTLM   Maximum hops: 2
    Failed to establish security association with the server: User ocs Domain championcompressors.com.au Protocol NTLM Server mocs.ccl.local Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using Kerberos   Maximum hops: 2
    Failed to establish security association with the server: User ocs2 Domain championcompressors.com.au Protocol Kerberos Server sip/mocs.ccl.local Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
    Failed to register user: User sip:ocs2@championcompressors.com.au @ Server mocs.ccl.local
    Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893039
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using NTLM   Maximum hops: 2
    Failed to establish security association with the server: User ocs2 Domain championcompressors.com.au Protocol NTLM Server mocs.ccl.local Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
      Failure
    [0xC3FC200D] One or more errors were detected

     

     

    To address some of the suggestions:

    The password and sign-in names are correct. The user is present in AD and has been enabled for SIP (as far as I am aware. How do I check this?).

    The target server is part of the AD domain and user account present.

    I'm not sure if it is a Kerberos failure though. How do I find out if machine has access to KDC?

    I feel I'm getting closer to getting it working ..... (At least I'm getting different errors, anyway).

     

    Wednesday, September 17, 2008 2:04 AM
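
Added example, not part of the original thread or of OCS: a small Python triage of the two wizard outputs posted above (the 404 with ms-diagnostics 4005, and the failed security association). It decodes the signed SSPI status into its winerror.h name and carries out the wizard's own suggestion of comparing the user's domain with the target server's domain; the function names and `SAMPLE` (lines copied from the two outputs and combined) are assumptions of this example.

```python
import re

# Signed decimals in the wizard log are SSPI status codes from winerror.h.
SSPI = {
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY (no DC/KDC could be contacted)",
    0x8009030C: "SEC_E_LOGON_DENIED (credentials rejected)",
    0x80090322: "SEC_E_WRONG_PRINCIPAL (target SPN does not match server account)",
}

# Constructed sample: lines copied from the two wizard outputs in this thread.
SAMPLE = """\
SIP/2.0 404 Not Found
ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="mocs.ccl.local"
Failed to establish security association with the server: User ocs Domain championcompressors.com.au Protocol Kerberos Server sip/mocs.ccl.local Target Invalidated
Failed to send SIP request: NegotiateSecurityAssociation failed, error: -2146893039
"""

def to_hresult(signed):
    """Convert the signed 32-bit decimal printed in the log to its unsigned value."""
    return signed & 0xFFFFFFFF

def triage(log):
    """Return human-readable findings for one validation-wizard transcript."""
    findings = []
    # SIP layer: the response status line plus the server's ms-diagnostics header.
    status = re.search(r"^\s*SIP/2\.0 (\d{3})", log, re.M)
    diag = re.search(r'ms-diagnostics: (\d+);reason="([^"]*)";source="([^"]*)"', log)
    if status and diag:
        findings.append(f"SIP {status.group(1)}: ms-diagnostics {diag.group(1)} "
                        f"from {diag.group(3)}: {diag.group(2)}")
    # Authentication layer: compare the user's domain with the target host's domain.
    sa = re.compile(r"Failed to establish security association with the server: "
                    r"User (\S+) Domain (\S+) Protocol (\S+) Server (\S+)")
    for user, domain, proto, server in sa.findall(log):
        host = server.split("/", 1)[-1]        # drop the "sip/" SPN prefix if present
        host_domain = host.split(".", 1)[-1]   # mocs.ccl.local -> ccl.local
        if host_domain.lower() != domain.lower():
            findings.append(f"{proto}: user domain {domain} differs from "
                            f"server domain {host_domain}")
    # SSPI status behind "NegotiateSecurityAssociation failed".
    for raw in re.findall(r"NegotiateSecurityAssociation failed, error: (-?\d+)", log):
        code = to_hresult(int(raw))
        findings.append(f"SSPI 0x{code:08X}: {SSPI.get(code, 'not in this table')}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A domain mismatch reported here is an item to check, as the wizard's suggested resolution says, not a confirmed cause.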
  •  zayindaleth wrote:

     

    To address some of the suggestions:

    The password and sign-in names are correct. The user is present in AD and has been enabled for SIP (as far as I am aware. How do I check this?).

    The target server is part of the AD domain and user account present.

    I'm not sure if it is a Kerberos failure though. How do I find out if machine has access to KDC?

    I feel I'm getting closer to getting it working ..... (At least I'm getting different errors, anyway).

     


    In the OCS 2007 snap-in console, you can view the enabled users by expanding the pool and clicking the Users container. There you should see the users you have enabled for OCS. If they're listed there, then you'll be able to use them to verify two-party IM in the Validation Wizard.

    Have you attempted signing in with the Office Communicator client?
    Wednesday, September 17, 2008 7:35 AM
  • Hi,
    I looked at the list of enabled users as you suggested and the two I'm using are there.
    Though when I'm trying to use them to verify two-party IM in the wizard, I get the error above. (Failed to establish security association with the server).

    I've also tried signing in with the office communicator client, and get the following error:
    Cannot sign in to Communicator. You have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program.


    Wednesday, September 17, 2008 9:51 PM
  • Hi zayindaleth,

    Have you ever found out how to solve your problem?
    I'm having exactly the same error here in my environment.
    Monday, July 13, 2009 9:26 AM