Friday, January 14, 2011

Presence issues for Microsoft Lync Server 2010 users viewing OCS 2007 R2 users? Check for Event ID: 14501 and your Lync certificates.

Most of us probably know that presence issues can have many different causes. Through my testing, between the times I intentionally tried to break it, I found 2 reasons, and one of them is certificates. Please note that this blog post only points out one of the many reasons, so if it doesn’t apply to your situation, move on and continue searching, because you’ll find many more reasons as you plow through your Google/BING results.

Problem

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Update: I realized that the title and explanation at the beginning were a bit ambiguous when I initially wrote this post, so I have since changed the title and added the following to clarify which way presence was broken:

Lync Server 2010 User –> viewing –> OCS 2007 User = Presence Unknown

OCS 2007 User –> viewing –> Lync Server 2010 User = Presence is working

I hope this clarifies what the problem is so people coming across this blog post don’t end up wasting time if they aren’t experiencing the same issue.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

While managing to break the integration between Lync Server 2010 and OCS 2007 R2, there was one instance where I had to uninstall Lync Server 2010. The uninstall wasn’t without challenge (see my uninstall post here: http://terenceluk.blogspot.com/2011/01/step-by-step-instructions-for.html) but once I got everything removed and proceeded with the reinstall, things went without any major issues. As I got to the step after:

Setup or Remove Lync Server Components

and before:

Request, Install or Assign Certificates


I noticed that the certificate step was labeled as Complete, so I skipped it and continued on to run the Start Services step. Everything went smoothly and I was able to merge the two topologies without any errors or warnings.

What I noticed after completing the steps and firing up the Lync client was that my Lync user could not see presence information of the OCS 2007 R2 user.


Note: Ignore the address book problem because that’s not the issue.

From here on, I logged onto the legacy OCS 2007 R2 front-end server to review the Office Communications Server event logs and I found 2 errors as shown in the following:

Event ID: 14501

A significant number of invalid certificates have been provided by remote IP address 172.16.1.40 when attempting to establish an MTLS peer. There have been 10 such failures in the last 10 minutes.

Certificate Names associated with this peer were

ocspool3

The serial number of this certificate is

3E783B4E000400000427.

The issuer of this certificate is YourCA

The specific failure types and their counts are identified below.

Instance count - Failure Type

10 C3E93D6A

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Followed by another Event ID: 14501 error:

A significant number of invalid certificates have been provided by remote IP address 172.16.1.40 when attempting to establish an MTLS peer. There have been 10 such failures in the last 10 minutes.

Certificate Names associated with this peer were

ocspool3

The serial number of this certificate is

3E783B4E000400000427.

The issuer of this certificate is YourCA

The specific failure types and their counts are identified below.

Instance count - Failure Type

10 C3E93D6A

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
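
To check that repeated 14501 events all point at the same peer and the same certificate serial, the message text can be parsed and tallied. This is an added example, not part of the original post: the function names are hypothetical, and the sample is the event message quoted above with its blank lines dropped.

```python
import re
from collections import Counter

# Event ID 14501 message text as quoted in the post (blank lines dropped).
SAMPLE_EVENT = """\
A significant number of invalid certificates have been provided by remote IP address 172.16.1.40
when attempting to establish an MTLS peer. There have been 10 such failures in the last 10 minutes.
Certificate Names associated with this peer were
ocspool3
The serial number of this certificate is
3E783B4E000400000427.
The issuer of this certificate is YourCA
The specific failure types and their counts are identified below.
Instance count - Failure Type
10 C3E93D6A
"""

FIELDS = {
    "remote_ip": r"remote IP address (\S+)",
    "cert_names": r"associated with this peer were (.+?) The serial number",
    "serial": r"serial number of this certificate is ([0-9A-Fa-f]+)",
    "issuer": r"issuer of this certificate is (.+?) The specific failure",
}

def parse_14501(message):
    """Extract peer, certificate and failure-type fields from one event message."""
    flat = " ".join(message.split())  # the event text is wrapped; normalise whitespace
    event = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, flat)
        event[name] = match.group(1) if match else None  # None = field not found
    _, _, tail = flat.partition("Instance count - Failure Type")
    event["failure_types"] = {  # "count code" pairs listed after the header line
        code.upper(): int(count)
        for count, code in re.findall(r"\b(\d+) ([0-9A-Fa-f]{8})\b", tail)
    }
    return event

def rejected_peers(messages):
    """Total rejections per (remote IP, certificate serial, failure type)."""
    totals = Counter()
    for message in messages:
        event = parse_14501(message)
        for code, count in event["failure_types"].items():
            totals[(event["remote_ip"], event["serial"], code)] += count
    return dict(totals)

if __name__ == "__main__":
    print(rejected_peers([SAMPLE_EVENT, SAMPLE_EVENT]))  # the post shows the event twice
```

A single key in the result means every rejection involves one peer presenting one certificate, and that serial can then be compared with the certificate currently assigned on the Lync server.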


Solution

The solution’s actually quite simple. Since the reused certificates that Lync Server 2010 was using were rejected by the OCS 2007 R2 front-end server, simply rerun the certificate wizard and assign new certificates to your Lync server.


Once you’ve completed reissuing and reassigning the certificates, you should see the errors cleared on the OCS 2007 R2 front-end server and presence information available to Lync users.


2 comments:

Ian Salgado said...

Hi,

I am having this issue with Lync 2010 Server & Lync 2010 clients (no OCS 2007 at all).

Any ideas?

CFM said...

I know this is rather old, but it came up as one of the top Google searches when I was looking for the C3E93D6A failure type.

My setup is an OCS 2007R2 environment, alongside a Lync 2013 that houses several test users before we migrate to it.

While trying to get mobility to work, I noticed a great deal of certificate errors in my Lync 2013 environment in relation to my OCS front end servers. A blog post led me to add the Lync 2013 edge servers to the "Host Authorization" list on the OCS Front End properties. Once I did this, I started getting this error and my Lync 2013 users could no longer see presence of my OCS users. Removal of the Lync 2013 edge servers from the Host Authorization list cleared up the problem -- the C3E93D6A / OCS Protocol Stack EventID 14501 errors disappeared and presence became functional almost immediately.

I did not have to restart any services, however the Lync clients needed to sign off / sign in.

Hope this helps somebody.