Thursday, March 19, 2009

Case Sensitive Certificates in OCS?

I had a heck of a time getting OCS R2 and Exchange Unified Messaging playing nicely together.  I had set up both environments and I could dial extensions in the OCS environment, but I could not dial the subscriber access number for Exchange UM.

In the event logs on the OCS Front End server I was seeing the following events.

Source: OCS Exchange Unified Messaging Routing

Event ID: 1040

The attempt failed with response code 504: EXUM1.domain.com.
Failure occurrences: 3, since 18/03/2009 11:34:48 AM.
Cause: An attempt to route to an Exchange UM server failed because the UM server was unable to process the request or did not respond within the allotted time.
Resolution:
Check this server is correctly configured to point to the appropriate Exchange UM server. Also check whether the Exchange UM server is up and whether it in turn is also properly configured.

----

Source: OCS Protocol Stack

Event ID: 1001

TLS outgoing connection failures.
Over the past 28 minutes Office Communications Server has experienced TLS outgoing connection failures 3 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "EXUM1.domain.com".
Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
Resolution:
For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

----

Source: OCS Exchange Unified Messaging Routing

Event ID: 1040

An attempt to route to an Exchange UM server failed.
The attempt failed with response code 504: EXUM1.domain.com.
Failure occurrences: 4, since 18/03/2009 11:34:48 AM.
Cause: An attempt to route to an Exchange UM server failed because the UM server was unable to process the request or did not respond within the allotted time.
Resolution:
Check this server is correctly configured to point to the appropriate Exchange UM server. Also check whether the Exchange UM server is up and whether it in turn is also properly configured

----

On the Exchange UM server I was just seeing the following event:

Source: MSExchange Unified Messaging

Event ID: 1088

The IP gateway or IP-PBX "OCSSTD1.domain.com" did not respond to a SIP OPTIONS request from the Unified Messaging server. The error code that was returned is "0" and the error text is ":Unable to establish a connection.".

----

This all pointed to a certificate problem. But the certificates were all issued by an internal CA and both servers trusted the Root CA certificate. The names in the event log matched the subject names on the certificates, in that they both have the FQDNs of the servers.

I tried reissuing the certificates but the problem persisted. 

Then I noticed something – in a couple of events on the OCS Server it referred to the Exchange Server like this:

The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "EXUM1.domain.com".

But in my case the certificates had the FQDN all in lowercase like this:

exum1.domain.com

Now – it shouldn’t matter but by this stage I was clutching at straws. So I changed my PowerShell command and requested a new cert with the server name in uppercase. After I assigned this certificate to the UM server I restarted the Exchange Unified Messaging service and checked the event logs and lo and behold – none of the events were logged.
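For reference, DNS names in certificates are defined to compare case-insensitively (RFC 6125, section 6.4), so a difference of case alone is not supposed to cause a "target principal name is incorrect" failure. The check below is an added example, not code from the original post or from OCS/Exchange: it matches a peer name against a certificate's dNSName values the way a compliant TLS client should, and classifies a mismatch as real or case-only. The certificate and peer names are constructed from the values in the events above.

```python
"""Reference dNSName matching check (added example, constructed inputs)."""


def hostname_matches(cert_names, peer_name, case_insensitive=True):
    """Return True if peer_name matches one of the certificate's DNS names.

    cert_names: dNSName SAN values (or the subject CN used as a fallback).
    Follows RFC 6125 section 6.4: a trailing dot is ignored, labels compare
    case-insensitively, and '*' is honoured only as the whole left-most label
    of a name with at least three labels ('*.domain.com' matches
    'exum1.domain.com' but not 'a.b.domain.com', 'domain.com' or '*.com').
    case_insensitive=False reproduces a naive byte-wise comparison.
    """
    peer = peer_name.rstrip(".")
    if case_insensitive:
        peer = peer.lower()
    peer_labels = peer.split(".")
    for name in cert_names:
        candidate = name.rstrip(".")
        if case_insensitive:
            candidate = candidate.lower()
        labels = candidate.split(".")
        if len(labels) != len(peer_labels) or len(labels) < 2:
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == peer_labels[1:]:
                return True
        elif labels == peer_labels:
            return True
    return False


def diagnose(cert_names, peer_name):
    """Classify the relationship between a certificate and a peer name."""
    if hostname_matches(cert_names, peer_name, case_insensitive=False):
        return "match"
    if hostname_matches(cert_names, peer_name):
        # Differs only in case: a compliant client must still accept this.
        return "case-only mismatch"
    return "real mismatch"


if __name__ == "__main__":
    # Constructed from the post: lowercase cert name, uppercase peer name.
    cert_names = ["exum1.domain.com"]
    peer_from_event = "EXUM1.domain.com"
    print(diagnose(cert_names, peer_from_event))       # case-only mismatch
    print(diagnose(["ocsstd1.domain.com"], peer_from_event))  # real mismatch
```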

I tried to make a call to Exchange UM and got a new error – which was progress and will be the subject of another post.  At any rate the certificate issue was resolved.
