A certificate gotcha that got me, again…

As everyone who’s ever looked at OCS knows, you need certificates to make it work.  Although certificates aren’t really too difficult once you have the hang of it, they seem to be a tough hurdle for a lot of IT folks to get over.  I’m not going to attempt to explain PKI today, but I thought I might share a story about a gotcha that got me, twice.  Hopefully my pain (although it was only a few minutes of troubleshooting this time) will help someone else. 

So today, on a brand new install of OCS 2007 R2 with a consolidated EE pool and a consolidated edge, I was unable to get into Live Meeting externally. I was being prompted for credentials when I clicked on the join meeting link. I also noticed an error and a warning in the OCS log (in Event Viewer). The warning was:

Log Name:      Office Communications Server
Source:        OCS User Services
Date:          1/13/2010 3:36:50 PM
Event ID:      32052
Task Category: (1006)
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:  pool1.us.domain.net

Description:
An HTTP application request sent to an Mcu or Service timed-out. Requests will be retried but if this error continues to occur functionality will be affected.

Url: https://ocsfe.us.domain.net:444/LiveServer/MCUFactory/
Cause: Network issues, non-provisioned MCU or non-functional MCU.
Resolution:
Ensure that the Service is provisioned and functioning correctly. If any network related errors are reported by the Service ensure that they are resolved.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OCS User Services" />
    <EventID Qualifiers="33774">32052</EventID>
    <Level>3</Level>
    <Task>1006</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-13T20:36:50.000Z" />
    <EventRecordID>2414</EventRecordID>
    <Channel>Office Communications Server</Channel>
    <Computer>pool1.us.domain.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>https://ocsfe.us.domain.net:444/LiveServer/MCUFactory/</Data>
  </EventData>
</Event>

The error was:

Log Name:      Office Communications Server
Source:        OCS MCU Infrastructure
Date:          1/13/2010 3:35:29 PM
Event ID:      61013
Task Category: (1022)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      pool1.us.domain.net
Description:
The process ASMCUSvc(7596) failed to send health notifications to the MCU factory at https://ocsfe.us.domain.net:444/LiveServer/MCUFactory/.
Failure occurrences: 1021, since 1/13/2010 11:20:11 AM.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OCS MCU Infrastructure" />
    <EventID Qualifiers="50174">61013</EventID>
    <Level>2</Level>
    <Task>1022</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-13T20:35:29.000Z" />
    <EventRecordID>2413</EventRecordID>
    <Channel>Office Communications Server</Channel>
    <Computer>pool1.us.domain.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ASMCUSvc(7596)</Data>
    <Data>https://ocsfe.us.domain.net:444/LiveServer/MCUFactory/</Data>
    <Data>1021</Data>
    <Data>1/13/2010 11:20:11 AM</Data>
  </EventData>
</Event>

It is important to mention at this point that the certificate I was using for my pool was provided by a third party (GoDaddy in this case).

At this point I opened up MMC and added the Certificates snap-in for the computer account. I checked my certificate and it looked just fine, as did the intermediate certificate. However, the trusted root cert for “Valicert” only had 2 purposes enabled (right-click the certificate and choose “Properties” to see this).

At this point I selected “Enable All Purposes for this Certificate” and clicked “OK”.

After clicking “OK” the issue was magically resolved.  I saw some information related to this error on the MS forums here:

http://social.microsoft.com/Forums/en-US/commmunicatorim/thread/512bccc3-d624-4b11-91c1-5d52aca3c195

But it wasn’t very obvious to find so I figured I’d post here just in case someone else runs into the same issue.  Hope this helps someone out there!

-kp
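
The per-certificate check in the Certificates snap-in described above can be run over the whole trusted root store at once. The following Python script is an added example, not code from the original post: it relies on `ssl.enum_certificates`, which on Windows reports for each certificate either `True` (all purposes enabled) or the set of enabled purpose OIDs. The `REQUIRED` set (server and client authentication) is an assumption about what a pool's certificate chain needs, and the sample entries are constructed so the script also runs off Windows.

```python
import hashlib
import ssl
import sys

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
# Assumption (not stated in the post): purposes the chain must be valid for.
REQUIRED = frozenset({SERVER_AUTH, CLIENT_AUTH})


def restricted_roots(entries, required=REQUIRED):
    """Return one finding per certificate whose purposes are restricted.

    entries: (der_bytes, encoding, trust) tuples in the shape produced by
    ssl.enum_certificates(); trust is True for "all purposes", otherwise
    a set of purpose OID strings.
    """
    findings = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn" or trust is True:
            continue  # not a single X.509 certificate, or unrestricted
        findings.append({
            # SHA-1 of the DER bytes is the thumbprint the snap-in shows;
            # it is used here only as an identifier.
            "thumbprint": hashlib.sha1(der).hexdigest().upper(),
            "enabled": sorted(trust),
            "missing": sorted(required - set(trust)),
        })
    return findings


# Constructed sample entries (placeholder bytes, not real certificates).
SAMPLE = [
    (b"constructed-root-A", "x509_asn", True),
    (b"constructed-root-B", "x509_asn", {SERVER_AUTH, "1.3.6.1.5.5.7.3.4"}),
    (b"constructed-root-C", "pkcs_7_asn", True),
]

if __name__ == "__main__":
    # ssl.enum_certificates exists only on Windows; fall back to the sample.
    entries = ssl.enum_certificates("ROOT") if sys.platform == "win32" else SAMPLE
    for finding in restricted_roots(entries):
        print(finding["thumbprint"],
              "enabled:", ", ".join(finding["enabled"]),
              "missing:", ", ".join(finding["missing"]) or "none")
```

Match a reported thumbprint against the root at the top of the pool certificate's chain; enabling only the purposes listed as missing is a narrower change than enabling all purposes on the root.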

About Kevin Peters

My name is Kevin Peters.

6 Responses to A certificate gotcha that got me, again…

  1. Arturas Rimonis says:

    That’s great! It’s working. Thank you. Lync 2010

    • fjorjak says:

      Yes, this works for me too, but the certs always revert back to “Enable only the following purposes” within a couple of days. Is there a way to make this stick permanently?

  2. FDAS says:

    Unbelievable: That’s it!!! Thanks for this post!

  3. David Vajnhandl says:

    This worked for me too. Have all certs issued by GoDaddy and had problems with store replica to Edge (since it has a GoDaddy cert too) and the Front End server had lots of error events regarding LS MCU infrastructure failing to send health notifications. (EVENT ID 61055)

    All gone. This is Lync Enterprise pool topology. Sooo useful. Thank you Kevin for sharing 🙂

  4. rogier boeken says:

    Just wanted to say it worked for me too, but for about 1 year the valicert.com SSL certificate keeps reverting back its purposes and I have to re-apply. Usually after a reboot, but sometimes just because (well, it is never just because), but I cannot figure out why.
