Exchange Voicemail Integration

    Question

  • Hi,

    Today suddenly my UM integration with OCS 2007 R2 stopped working. I was suspecting a certificate issue.

    Now when I did get-exchangecertificate | fl I got the 2 certificates in it.

    The first one was issued by my internal CA.

    Second one was the internal transport server.

    When I checked the expiry date on the first certificate I saw:

    Notbefore 13-4-2010

    Not after  13-4-2015

    Now how was that possible? Not before 13-4-2010 was yesterday's date. So I was assuming, ok, certificate expired, and when I reviewed the logs on the UM server I saw:

    UM Server:

    The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the remote end disconnected while TLS negotiation was in progress. The error Code was -2146233088 and the message was Unknown error (0x80131500). .

    The IP gateway or IP-PBX "blabla.blalba.com" did not respond to a SIP OPTIONS request from the Unified Messaging server. The error code that was returned is "0" and the error text is ":This operation has timed out.".

    When I verify on my MOC:

    504 Server time-out

    ms-diagnostics: 1010;reason="Certificate trust with next-hop server could not be established";source="OCSROLES01.hosted.local";ErrorType="The peer certificate does not contain a matching FQDN";HRESULT="0x80090322"

    Now it's stating a mismatch in my FQDN. How is it possible that it worked for like 6 months without any problems??

    So I created a new certificate, enrolled it in my PKI infrastructure and imported the certificate, restarted the UM server and restarted the front end services on my pool.

    Same issue. Now when I check the pool I see a lot of the same errors as before, but I renewed the certificate:

    TLS outgoing connection failures.

    Over the past 1 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "HostnameUMserver.blabla.blabla".

    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.

    But when I check the certificate the subject name is correct. What does it mean, the "peer name"?

    Resolution:

    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Now I found this article about case sensitive certificates and I renewed the certificate.

    http://unifyandconquer.blogspot.com/2009/03/case-sensitive-certificates-in-ocs.html

    Anyone got any clues?



    Ivan
    Wednesday, 14 April 2010 11:24

Answers

  • Hi,

    Totally strange, I think I did a ctrl-z and my whole post was gone...darn, anyways this is what I did:

    1. First I removed ALL certificates from the personal folder in my certificates manager on my UM server.

    Do a get-exchangecertificate to be sure there aren't any there.

    2. Be sure you have the CA certificate in your trusted folder. In my case it was there, as this wasn't the certificate I had troubles with. But check it. If it isn't there, download it through your internal CA.

    3. Now request a new certificate on your internal CA. Choose advanced, select webserver, and be sure to put the FQDN of your UM server in the Identifying Information for Offline Template, and select certificate in locale....blabla..!

    4. Install the certificate!

    5. Do a get-exchangecertificate and verify if UM is selected.

    6. Reboot!

    This solved my issue.

    Ivan

    Ivan
    • Marked as answer by Ben-Shun Zhu Friday, 16 April 2010 1:33
    Thursday, 15 April 2010 11:38
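The accepted answer above fixes the problem by reissuing the certificate and rebooting, but does not show how to confirm beforehand which of the conditions named in the OCS event (name mismatch, untrusted chain, validity window) is actually the one failing. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes it is run in the Exchange Management Shell on the UM server, so that Get-ExchangeCertificate and the Cert: drive are available. It walks every Exchange certificate, compares the server's FQDN against the certificate names both case-sensitively and case-insensitively (the case-sensitivity point raised by the linked blog post), builds the chain against the local trust stores, checks the NotBefore/NotAfter window, and reports whether the UM service is enabled on the certificate. The $UmFqdn value is derived from DNS and is an assumption; override it if the OCS pool addresses the UM server by a different name.

```powershell
# Added example (not from the original thread): pre-flight checks for the
# certificate an Exchange UM server presents to OCS / an IP gateway.
# Assumes the Exchange Management Shell on the UM server.

# Assumption: the name peers dial is the machine's DNS FQDN. Replace if the
# OCS front end uses a different name for this server.
$UmFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now    = Get-Date

foreach ($cert in Get-ExchangeCertificate) {
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Services   : $($cert.Services)"
    Write-Host "Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"

    # 1. Validity window. A NotBefore in the future fails TLS just as an
    #    expired NotAfter does (clock skew between peers can trigger this).
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning "  Certificate is outside its validity period on this clock."
    }

    # 2. Name match. CertificateDomains holds the subject CN plus any SAN
    #    dNSName entries. The peer compares the FQDN it connected to against
    #    these; report a case-only difference separately so it is obvious.
    $names   = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $exact   = $names -ccontains $UmFqdn   # case-sensitive
    $anyCase = $names -contains  $UmFqdn   # case-insensitive
    if ($exact) {
        Write-Host "  FQDN '$UmFqdn' is present in the certificate (exact match)."
    } elseif ($anyCase) {
        Write-Warning "  FQDN '$UmFqdn' matches only when case is ignored; reissue with the exact hostname casing."
    } else {
        Write-Warning "  FQDN '$UmFqdn' is NOT among the certificate names: $($names -join ', ')"
    }

    # 3. Chain. The issuing CA (and any intermediates) must be in the local
    #    machine trust stores, otherwise the peer side of this check fails too.
    $x509  = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = `
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($x509)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "  Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    } else {
        Write-Host "  Chain builds to a trusted root ($($chain.ChainElements.Count) element(s))."
    }

    # 4. UM must be enabled on the certificate the UM service actually presents.
    if ("$($cert.Services)" -notmatch 'UM') {
        Write-Warning "  UM is not enabled on this certificate (Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services UM)."
    }
    Write-Host ""
}
```

Run it before and after reissuing the certificate: a name reported as "matches only when case is ignored" or "NOT among the certificate names" corresponds to the 0x80090322 "target principal name is incorrect" event on the OCS side, while chain warnings correspond to the "certificate root not trusted" cause listed in the same event. Revocation checking is disabled here only so the check works on a host without CRL reachability; leave it enabled in an environment where the CRL is available.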

All replies

  • Ok. Got it solved. It cracked my head, but UC is working again :)
    Ivan
    Thursday, 15 April 2010 6:30
  • Share with us how you fixed it?


    Best Regards!
    Thursday, 15 April 2010 7:50
  • Ivan, Thanks for sharing!
    Best Regards!
    Friday, 16 April 2010 1:33