Tuesday, April 1, 2008

OCS 2007 - Authentication Issues [0xC2FC200D]

Office Communication Server 2007: Authentication/Logon Issue
Failure [0xc3fc200D]


It is common to run across communication and authentication issues when deploying OCS. One of the tricks is determining the root of the problem: failure codes and results are not always self-explanatory, and, let's face it, OCS 2007 is a new product and does not yet have a lot of support resources available. This article addresses an authentication problem that stumps many implementers. The validation wizard usually picks up on the issue; however, it does not scream out "here is the problem, fix me". The results generally make no mention of a little thing called the Service Principal Name (SPN), which is the real underlying problem. The image below shows a typical authentication error during validation that is a direct result of an incorrectly registered SPN for the Office Communications Server (Standard or Enterprise). The sections below give a brief explanation of the issue, followed by troubleshooting and remediation steps.



Issue:
Failure [0xC3FC200D] One or more errors detected


Explanation:
Registration failure upon authentication is attributed to the Service Principal Name (SPN). The Kerberos authentication used by the Office Communications Server service for client authentication requires the proper configuration of service principal names (SPNs) in Active Directory Domain Services. The SPN is a string that identifies the service (Office Communications Server) that a client wants to access.
For Kerberos authentication to operate properly, the SPN of the Office Communications Server must be registered in Active Directory under the user account the service runs as, typically RTCService. If the server's SPN is registered under multiple accounts, Kerberos authentication does not operate properly.
Solution:

To verify the SPN is set correctly:
1. Install the OCS Resource Kit for Office Communications Server 2007.
2. Open a command prompt and change directories to the OCS Resource Kit directory.
3. The Resource Kit contains the "CheckSPN" script (checkspn.vbs), which can be used to validate the SPN for an OCS Enterprise or Standard Edition server.
4. First, run the tool to list all SPNs registered under a specific user account. The default user account under which the Office Communications Server service runs is RTCService.

>Cscript Checkspn.vbs /List /u:RTCService

Sample Error: ERROR: The SPN for is registered incorrectly

5. Next, run a check to see whether the SPN for a specific Office Communications Server Standard Edition or Enterprise Edition server is registered under exactly one account. The server is identified by its FQDN (fully qualified domain name). If there is more than one registration, the script prints the user accounts that have this SPN registered. This mode is useful for detecting that the server's SPN has been registered under multiple accounts. If this is the case, the duplicate SPNs must be deleted until there is exactly one account under which the SPN is registered. Having the same SPN registered under multiple accounts causes Kerberos authentication to fail on the client.

>Cscript checkspn.vbs /check /s:ocsserver.contoso.com

If multiple entries are returned, the script reports an ERROR stating that the SPN is registered incorrectly. To correct this, the duplicate registration must be deleted from the extra account.
6. Delete the SPN for the specified Standard Edition or Enterprise Edition server from the specified user account. This mode is useful for cleaning up duplicate SPNs.

>checkspn.vbs /del /s: /u:

7. Once you think you have the SPN set correctly, rerun the scripts in steps 4 and 5 to verify the SPN.
8. Next, rerun the Validation tool and verify that authentication is working properly for both Kerberos and NTLM.
9. Now you can test connectivity and functionality using the Communicator client.
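As an added example that is not part of the original post, the single-owner condition that checkspn.vbs /check tests in step 5 can also be verified directly against Active Directory with the ActiveDirectory PowerShell module. It assumes the OCS server's SPN has the form sip/<FQDN> (adjust -Spn if your deployment registers a different SPN) and that the service account is RTCService.

```powershell
# Added example, not from the original post. Verifies the condition that
# checkspn.vbs /check tests in step 5: the server's SPN must be registered
# under exactly one account, and that account should be the service account.
# Assumptions: the ActiveDirectory module (RSAT) is installed, and the OCS
# server's SPN has the form sip/<FQDN>. Adjust -Spn if your SPN differs.
Import-Module ActiveDirectory

function Test-SingleSpnOwner {
    param(
        [Parameter(Mandatory)] [string] $Spn,
        [string] $ExpectedAccount = 'RTCService'
    )
    # Every account (user or computer) carrying this exact SPN.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                             -Properties sAMAccountName)

    switch ($owners.Count) {
        0 {
            Write-Warning "SPN '$Spn' is not registered under any account"
            return $false
        }
        1 {
            $owner = $owners[0].sAMAccountName
            if ($owner -ne $ExpectedAccount) {
                Write-Warning "SPN '$Spn' is registered under '$owner', expected '$ExpectedAccount'"
                return $false
            }
            Write-Host "OK: SPN '$Spn' is registered once, under '$ExpectedAccount'"
            return $true
        }
        default {
            # The duplicate case the article describes: the same SPN on more
            # than one account, which makes Kerberos authentication fail.
            Write-Warning "SPN '$Spn' is registered under $($owners.Count) accounts:"
            foreach ($o in $owners) {
                Write-Warning "  $($o.sAMAccountName)  ($($o.DistinguishedName))"
            }
            return $false
        }
    }
}

Test-SingleSpnOwner -Spn 'sip/ocsserver.contoso.com'
```

On Windows Server 2008 and later, setspn -X lists every SPN that is duplicated anywhere in the forest, which is a useful broader sweep before running this per-server check.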



