Forefront for OCS R2 Edge server error
- Hi,
After installing Forefront on my edge server, I have the below error and I have no idea what is going on. I have double-checked that the notification account is correct. Any idea?
Event: 10162
Source: ForefrontNotificationAgent
Wed Sep 02 15:20:31 2009 ( 5564- 8), "ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone("<System.Boolean success><System.String message>") - Error occured logging in to server: 80EE00A6:
Event: 10161
Source: ForefrontNotificationAgent
Wed Sep 02 15:20:31 2009 ( 5564- 8), "ERROR: ForefrontNotificationAgent.exe.NotificationAgent.imClient_LoginDone("<System.Object sender><FSOIMClient.ReportSuccessEventArgs e>") - Failed to login."
Event 9
Source: ForefrontUC
The description for Event ID ( 9 ) in Source ( ForefrontUC ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ForefrontUC.
Andy
All Replies
Andy,
The error code (80EE00A6) indicates an issue with authentication. Some things to check:
- Are the clocks on your Edge server and Domain Controller greater than 5 minutes apart? This could affect Kerberos authentication.
- Are you able to login via communicator from the Edge machine using the same credentials you've specified in the FSOCS configuration (this is located in the General Options pane in the administration client)?
- Are you specifying the username as it appears in active directory? i.e. sip uri might be user@contoso.com and user name is just 'user'.
Let me know what you find.
ShreyS [MSFT]
Forefront Protection
- Hi ShreyS,
- The clock is the same
- I can use OC client to login notification account
- The setting should be correct and I can show you my configuration on IM Notification Agent:
- Transport: TLS
- Username: domain\e2k7test03
- SIP URI: sip:e2k7test03@domain.com
- Home or Pool server: poolfqdn.com
Any idea?
Andy
- Andy,
Is FSOCS configured to use the RTC Proxy credentials for IM Notifications? If so, is your service account enabled for IM Communications (is it the same as the rest of the settings listed in your configuration)?
If FSOCS is using the credentials of the RTC Proxy service account, then all the settings in the IM Notifications configuration should match that of the service account. If not, then ensure that the setting is disabled as appropriate.
Let me know what you find.
ShreyS [MSFT]
Forefront Protection
- Hi ShreyS,
No, I have not checked "Use ForefrontRTCProxy Service Credentials". My service account is a local account and my IM notification account is a domain account. My edge server is in the DMZ network and has not joined the domain, therefore I don't know how I can use my IM notification account, but during the installation I had to type an IM account.
Andy
- Hi ShreyS,
If my edge server uses a domain account for the IM notification agent account, does any protocol need to be allowed from the edge server to the front end server or domain controller?
Can I have another choice for the IM notification agent account, such as a local account? But if we use a local account, how can I enable SIP for it?
Thanks for your kind support
Andy
- Andy,
You are correct in that the IM Notification Agent account needs to be domain account since it needs to be SIP enabled. Please try entering your configuration as follows:
Use RTC Proxy Credentials: false
Transport: TLS
Username: domain\e2k7test03
SIP URI: e2k7test03@domain.com (i.e. without the sip: prefix)
Home or Pool server: poolfqdn.com
If this doesn't resolve the error you are seeing, I'd recommend opening a case with Microsoft CSS so that we can help you troubleshoot this issue further.
Regards,
ShreyS [MSFT]
Forefront Server Security
- Marked As Answer by Jim Molini MSFT, Owner Monday, October 05, 2009 5:28 PM
- Proposed As Answer by ShreyS [MSFT] Monday, September 21, 2009 12:35 PM
- Andy,
Try reviewing the blog post: http://aspoc.net/archives/2009/09/25/forefront-for-ocs-error-on-the-access-edge-event-id-10161-10162/
I recently had the same error on an Access Edge server I was deploying and traced the problem back to the way the notification agent attempts to login. Let me know if this works for you as it did the trick for my problem.
Matt Wade
- Hi Matt,
Thanks for your suggestion. But the problem is the same.....
Andy
- Andy,
Take a look at one of the following two items:
- Do you have the Pool set up to use NTLM or NTLM/Kerberos? The Access Edge cannot perform Kerberos auth and must use NTLM. I did have an issue where the notification agent would not complete the authentication request even though I had the option set for NTLM/Kerberos. Try forcing the pool (or Director) to use NTLM authentication only. This is set in the Pool Front-End properties.
- If this does help (or if this is not an option as you have no director), the next item would be to set the "Trust computer for delegation" general option on the Front-end(s) computer account in AD.
Matt
- Hi Matt,
Thanks for your kind help. Since I have finally logged a case with MSFT, I don't want to make any changes for now, but I will post the solution here later to share with you and other guys after MSFT finds a root cause.
Andy
- Hi guys,
I installed FSOCS for the first time today in my lab environment ahead of a client installation. I too had 10161 and 10162 appearing every 10 secs in the app event log but it was on my OCS 2007 R2 Ent Edition front end server not an Edge. The errors were that the ForeFront notification agent was failing to log on. In my case I found that the service account I specified during installation had not been enabled for UC! I thought that the installation wizard did this for you during installation but it did not in my case. I manually enabled it for UC and logged on manually from a client just to check all was good. After this, the FSOCS agent login errors stopped.
Cheers,
Garry
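
An added example, not part of any post in this thread: a Python script that parses notification agent log lines in the format quoted in the question, extracts the error code, and measures how often the login failure repeats. The sample input is constructed from the two lines in the question plus one repeated line 10 seconds later; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two lines quoted in the question, plus one repeat
# 10 seconds later (the cadence a later reply in the thread describes).
SAMPLE = '''\
Wed Sep 02 15:20:31 2009 ( 5564- 8), "ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone("<System.Boolean success><System.String message>") - Error occured logging in to server: 80EE00A6:
Wed Sep 02 15:20:31 2009 ( 5564- 8), "ERROR: ForefrontNotificationAgent.exe.NotificationAgent.imClient_LoginDone("<System.Object sender><FSOIMClient.ReportSuccessEventArgs e>") - Failed to login."
Wed Sep 02 15:20:41 2009 ( 5564- 8), "ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone("<System.Boolean success><System.String message>") - Error occured logging in to server: 80EE00A6:
'''

# timestamp, ( pid- tid), "LEVEL: dotted.method("<args>") - message
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\(\s*(?P<pid>\d+)-\s*(?P<tid>\d+)\), '
    r'"(?P<level>[A-Z]+): (?P<method>[\w.]+)\(.*?\) - (?P<msg>.*)$')
CODE = re.compile(r'\b([0-9A-F]{8})\b')  # 8 hex digits, e.g. 80EE00A6

def parse(text):
    """Return one dict per recognised agent log line; skip anything else."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code = CODE.search(m['msg'])
        events.append({
            'time': datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'),
            'pid': int(m['pid']), 'tid': int(m['tid']),
            'method': m['method'].rsplit('.', 1)[-1],
            'code': code.group(1) if code else None,
            'message': m['msg'].rstrip('"'),
        })
    return events

def summarize(events):
    """Count failures per error code and list seconds between coded failures."""
    coded = [e for e in events if e['code']]
    gaps = [(b['time'] - a['time']).total_seconds()
            for a, b in zip(coded, coded[1:])]
    return Counter(e['code'] for e in coded), gaps

if __name__ == '__main__':
    counts, gaps = summarize(parse(SAMPLE))
    print(counts, gaps)
```
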

