| Author |
Message |
Jason Joseph
Guest
|
Posted:
Thu Dec 30, 2004 3:01 am Post subject:
Signing in to SIP Communications Service fails when connecti |
|
|
Hi Guys,
I've run into a strange problem and I was hoping that someone here might be
able to shed a bit of light onto it.
I set up MS LCS 2003 on my network and it works fine for everyone on the LAN.
The problem that I have is when I'm connected via a VPN (for instance I take
my laptop home) and try to log onto LCS I get the following error: "Signing
in to SIP Communications Service failed because service is temporarily
unavailable. Please try again later".
I'm not using NAT between the VPN address of the client machine (in the
10.0.254.x range) and the SIP Server (in the 192.168.1.x range)... and I
verified with a packet sniffer that the address that's hitting the LCS is
the actual address of my notebook computer. I can ping the SIP Server; I
set the authentication to NTLM; I also made sure that the transport is
TCP/IP; and I can telnet to the SIP server on port 5060 and it looks like I
can connect.
I tried installing LCS 2003 on another computer in the same domain to see if
it was just something with the server and the problem still persists. Then,
just for the heck of it, I installed an LCS in my test AD domain and that one
works fine (I can access it from the LAN and from a VPN connection).
That leads me to believe that whatever the problem is, it's somehow related
to either an AD issue or maybe an authentication issue? However, as I
mentioned earlier, it works fine on the LAN (and the LCS in the test domain
works fine everywhere).
Has anyone seen anything like this before or would anyone have any ideas?
Thanks,
Jason Joseph |
|
|
 |
Tom Laciano
Guest
|
Posted:
Fri Dec 31, 2004 1:02 am Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Let's get a network capture and also the RTCDLL logging for the client.
[HKEY_CURRENT_USER\Software\Microsoft\Tracing\RTCDLL]
"EnableFileTracing"=dword:00000001
"FileDirectory"="C:"
You have to EXIT the WM5 client, and when you restart a file with the name
RTCDLL*.log
At this point it will be speculation; the logs should show us what we need
to see.
TomL LCS Kid
|
 |
Bob Christian
Guest
|
Posted:
Tue Jan 04, 2005 2:01 am Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Jason:
This sounds similar to several issues where the domain name in the SIP URI
differs from the supported domain name. Ex SIP URI is Bob@Company.com but
my AD domain (and first supported SIP domain) is Company.local.
Below is some troubleshooting information I have provided on a few
occasions. I need to clean it up a bit, but it may help you in the interim.
Either way, please touch base to let us know what helped.
Info:
I have cut out parts of threads that I had posted for someone else. Please
see if it can help you. I should formulate it into a troubleshooting guide
when the time becomes available. Spare time is a rarity except when I am on
the plane...and that is usually spent catching up on sleep, if such a thing
is truly possible... =^)
Provided everything is working (you already noted this) the primary things
to ensure are:
1) Your forest supports the SIP domain that you are using
   If your SMTP namespace and your domain namespace differ (ex. AD=
   CompanyDomain.Forest.local SMTP=CompanyDomain.com)
2) The user is SIP-enabled in Active Directory Users & Computers
3) DNS is configured (at a minimum the server name and IP, the pool name
   and IP)
4) The IM client is configured properly
5) You have enabled both Kerberos and NTLM for authentication (thanks for
   the input sz.kluba)
As an aside: I have found that configuring certificates and running over
TLS seems to make things run a bit smoother. That, again, is after you get
things working first.
Thread below:
==============================================
CLIENT CONFIG:
I am assuming that you are inside your network and testing this first.
If you are outside, then you need to set up certificates and TLS...and that
is a whole other ballgame.
When you open Windows Messenger:
  Select Tools...Options
    Accounts Tab
      Check My contacts include users of a SIP....
      Sign-in name (SIP address)
        Ex. Bob.Christian@company.com
      Advanced...
        Configure Settings
        (even if you have your _SIP._TLS record set for your domain,
        let's test this first)
        (Server or IP address)
          Ex LCSPool1.company.com or
          LCSServer.company.com or
          10.10.10.10 (Server IP)
        Connect using:
          TCP
When you try to sign in it should prompt you for your SIP Address
(sign-in name), Username and Password.
  Your username is domain\username or username@domainname
  (ex. Domain\Bob or bob@domain.local)
  The domain should be your NetBIOS domain name or your
  fully-qualified Active Directory Domain name. It may not necessarily
  match your SMTP or SIP namespace.
==============================================
SIP DOMAIN FOREST CONFIG:
In LCS 2005, right-click on the forest name and select Properties.
Click on Add and add the emaildomain.com for your SMTP namespace if it is
not in there. You will probably see ADFQDN.local or whatever in there...but
the sip users are EmailAddress@company.com versus Username@company.local
Bob
|
 |
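Added example (not part of the original thread, and not Microsoft tooling): a successful telnet to port 5060 only proves the TCP handshake, so this Python script sends an unauthenticated SIP REGISTER over TCP and reports the status line and the authentication schemes the server challenges with, which is what item 5 of the checklist above asks you to confirm. The `SAMPLE_401` response, host names, addresses and all function names are constructed for illustration; the exact headers an LCS server returns are an assumption.

```python
"""Probe a SIP server over TCP and report its authentication challenge.

Added example; host names, addresses and function names are hypothetical.
"""
import re
import socket
import uuid

# Constructed sample of a 401 challenge (not captured from a real server).
SAMPLE_401 = (
    b"SIP/2.0 401 Unauthorized\r\n"
    b'WWW-Authenticate: NTLM realm="SIP Communications Service", '
    b'targetname="lcs01.company.local"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def build_register(sign_in, local_ip):
    """Build an unauthenticated REGISTER (RFC 3261) for a sign-in address."""
    if "@" not in sign_in:
        raise ValueError("sign-in address must look like user@sipdomain")
    domain = sign_in.split("@", 1)[1]
    lines = [
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/TCP {local_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]}",
        "Max-Forwards: 70",
        f"From: <sip:{sign_in}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{sign_in}>",
        f"Call-ID: {uuid.uuid4().hex}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{local_ip}:5060;transport=tcp>",
        "Expires: 0",  # request no binding; only the challenge is of interest
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Return (status, reason, [(scheme, params), ...]) from a SIP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) ?(.*)", status_line)
    if not m:
        raise ValueError("not a SIP response: %r" % status_line)
    challenges = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("www-authenticate", "proxy-authenticate"):
            scheme, _, rest = value.strip().partition(" ")
            params = dict(re.findall(r'(\w+)="?([^",]*)"?', rest))
            challenges.append((scheme, params))
    return int(m.group(1)), m.group(2), challenges


def missing_schemes(challenges, expected=("NTLM", "Kerberos")):
    """List the expected authentication schemes the server did not offer."""
    offered = {scheme.lower() for scheme, _ in challenges}
    return [s for s in expected if s.lower() not in offered]


def probe(server, sign_in, port=5060, timeout=5.0):
    """Send the REGISTER over TCP and parse whatever comes back."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_register(sign_in, s.getsockname()[0]))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:  # peer closed without a complete SIP header
                break
            buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    # Offline run on the constructed sample; on a live network call
    # probe("<server name or IP>", "<user@sipdomain>") instead.
    status, reason, challenges = parse_response(SAMPLE_401)
    print(status, reason)
    for scheme, params in challenges:
        print(" offers", scheme, params)
    print(" not offered:", missing_schemes(challenges))
```

An empty or non-SIP reply raises `ValueError`, which separates "port open but nothing answering SIP" from an authentication problem. Running it once from the LAN and once over the VPN gives two results that can be compared directly.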
Jason Joseph
Guest
|
Posted:
Tue Jan 04, 2005 8:36 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Hi Tom,
The funny thing is that I did precisely that (and I used the Sip Logger
utility on the server) and I compared the output to that of a WM5.1 Client
on the LAN (as opposed to one connecting via the VPN) and I couldn't see
much difference (at least there weren't any obvious error messages... But
the log is kinda cryptic).
The funnier thing is that, just for the heck of it, I installed a
certificate on the LCS and tried using TLS and that works fine over the VPN
(which would have led me to believe that the problem was caused by the
firewall... However, that test domain of mine with the test LCS 2003, works
just fine with TCP).
I'll re-enable the RTCDLL logging and I'll post the output here.
Thanks for your help.
Jason
|
 |
Jason Joseph
Guest
|
Posted:
Tue Jan 04, 2005 8:45 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Hi Bob,
Sadly that's not the case. If I take my laptop and connect to the office LAN
(like physically plugging-in an RJ45) it works fine. If I then unplug the
RJ45 and make a modem connection to my home ISP and connect via our VPN (and
I've tried using a PPTP and IPSec VPN) I get that "Signing in to SIP
Communications Service failed because service is temporarily unavailable.
Please try again later" error. Even though I can ping the LCS server and
even telnet on port 5060 and connect.
And if I plug back into the LAN I can connect with no problem.
I even tried just enabling NTLM to see if that'd help any.
I did manage to get it working using TLS but I'm still trying to figure out
what's going on with the TCP connection (as it works fine on my test LCS
2003 in my test domain).
At TomL's suggestion I'll post my RTCDLL trace logs and hopefully
someone might see something that I missed.
Thanks for your help.
Jason
|
 |
Jeff Metcalf
Guest
|
Posted:
Wed Jan 05, 2005 7:17 am Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Any word on this? I've got almost the same problem. Everything inside the
LAN is great, VPN (CISCO PIX) can't connect with the service temp unavailable
message.
I can ping and telnet to the server via the VPN fine.
|
 |
toml@online.microsoft.com
Guest
|
Posted:
Wed Jan 05, 2005 10:21 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Connecting to LCS through a proxy, firewall or NAT device will always
require TLS.
Connecting with VPN should work with TCP but I would still recommend TLS;
however, PIX most often, when we get a call, is operating in the
proxy/firewall/NAT config, so double check this.
You could check the LCS site for documentation on Access Proxy, Remote User
connectivity
http://office.microsoft.com/livecomm
Hope this helps a little.
TomL LCS Kid
|
 |
Jeff Metcalf
Guest
|
Posted:
Wed Jan 05, 2005 10:47 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Can't get that to work either. I either get
The certificate you have chosen was issued for a subject other than the
fully qualified....yada yada....
Or one about not being a client and server certificate....and none of the
clients can connect that way either.
""Tom Laciano <MSFT>"" wrote:
| Quote: | Connecting to LCS through a proxy, firewall or NAT device will always
require TLS.
Connecting with VPN should work with TCP but I would still recommend TLS,
however PIX most often when we get a call is operating in the
proxy/firewall/NAT config so double check this.
You could check the LCS site for documentation on Access Proxy, Remote User
connectivity
http://office.microsoft.com/livecomm
Hope this helps a little.
TomL LCS Kid
--------------------
Any word on this? I've got almost the same problem. Everything inside the
LAN is great, VPN (CISCO PIX) can't connect with the service temp
unavailable message.
I can ping and telnet to the server via the VPN fine.
"Jason Joseph" wrote:
Hi Bob,
Sadly that's not the case. If I take my laptop and connect to the office LAN
(like physically plugging-in an RJ45) it works fine. If I then unplug the
RJ45 and make a modem connection to my home ISP and connect via our VPN (and
I've tried using a PPTP and IPSec VPN) I get that "Signing in to SIP
Communications Service failed because service is temporarily unavailable.
Please try again later" error. Even though I can ping the LCS server and
even telnet on port 5060 and connect.
And if I plug back into the LAN I can connect with no problem.
I even tried just enabling NTLM to see if that'd help any.
I did manage to get it working using TLS but I'm still trying to figure-out
what's going on with the TCP connection (as it works fine on my test LCS
2003 in my test domain).
At TomL's suggestion I'll post my RTCDLL trace logs and hopefully
someone might see something that I missed.
Thanks for your help.
Jason
"Bob Christian" <BobChristian@removethis.gmail.com> wrote in message
news:OwQiq9c8EHA.3828@TK2MSFTNGP09.phx.gbl...
Jason:
This sounds similar to several issues where the domain name in the SIP URI
differs from the supported domain name. Ex SIP URI is Bob@Company.com but
my AD domain (and first supported SIP domain) is Company.local.
Below is some troubleshooting information I have provided on a few
occasions. I need to clean it up a bit, but it may help you in the interim.
Either way, please touch base to let us know what helped.
Info:
I have cut out parts of threads that I had posted for someone else. Please
see if it can help you. I should formulate it into a troubleshooting guide
when the time becomes available. Spare time is a rarity except when I am on
the plane...and that is usually spent catching up on sleep, if such a thing
is truly possible... =^)
Provided everything is working (you already noted this) the primary things
to ensure are:
1) Your forest supports the SIP domain that you are using
If your SMTP namespace and your domain namespace differ (ex. AD=
CompanyDomain.Forest.local SMTP=CompanyDomain.com)
2) The user is SIP-enabled in Active Directory Users & Computers
3) DNS is configured (at a minimum the server name and IP, the pool name
and IP)
4) The IM client is configured properly
5) You have enabled both Kerberos and NTLM for authentication (thanks for
the input sz.kluba)
As an aside: I have found that configuring certificates and running over
TLS seems to make things run a bit smoother. That, again, is after you get
things working first.
Thread below:
==============================================
CLIENT CONFIG:
I am assuming that you are inside your network and testing this first.
If you are outside, then you need to setup certificates and TLS...and that
is a whole other ballgame.
When you open Windows Messenger:
Select Tools...Options
  Accounts Tab
    Check My contacts include users of a SIP....
    Sign-in name (SIP address)
      Ex. Bob.Christian@company.com
    Advanced...
      Configure Settings
      (even if you have your _SIP._TLS record set for your domain,
      let's test this first)
      (Server or IP address)
        Ex LCSPool1.company.com or
        LCSServer.company.com or
        10.10.10.10 (Server IP)
      Connect using:
        TCP
When you try to sign in it should prompt you for your SIP Address
(sign-in name), Username and Password.
Your username is domain\username or username@domainname
(ex. Domain\Bob or bob@domain.local)
The domain should be your NetBIOS domain name or your
fully-qualified Active Directory Domain name. It may not necessarily
match your SMTP or SIP namespace.
==============================================
SIP DOMAIN FOREST CONFIG:
In LCS 2005, right-click on the forest name and select Properties.
Click on Add and add the emaildomain.com for your SMTP namespace if it is
not in there. You will probably see ADFQDN.local or whatever in there...but
the sip users are EmailAddress@company.com versus Username@company.local
Bob
"Jason Joseph" <funkmatic@hotmail.com> wrote in message
news:%23Ho2Zoe7EHA.3616@TK2MSFTNGP11.phx.gbl...
Hi Guys,
I've run into a strange problem and I was hoping that someone here might be
able to shed a bit of light onto it.
I setup MS LCS 2003 on my network and it works fine for everyone on the LAN.
The problem that I have is when I'm connected via a VPN (for instance I take
my laptop home) and try to log onto LCS I get the following error: "Signing
in to SIP Communications Service failed because service is temporarily
unavailable. Please try again later".
I'm not a NAT between the VPN address of the client machine (in the
10.0.254.x range) and the SIP Server (in the 192.168.1.x range)... and I
verified with a packet sniffer that the address that's hitting the LCS is
the actual address of my notebook computer. I can ping the SIP Server; I
set the authentication to NTLM; I also made sure that the transport is
TCP/IP; and I can telnet to the SIP server on port 5060 and it looks like I
can connect.
I tried installing LCS 2003 on another computer in the same domain to see if
it was just something with the server and the problem still persists. Then,
just for the heck of it, I install an LCS in my test AD domain and that one
works fine (I can access it from the LAN and from a VPN connection).
That leads me to believe that whatever the problem is, it's somehow related
to either an AD issue or maybe an authentication issue? However, as I
mentioned earlier, it works fine on the LAN (and the LCS in the test domain
works fine everywhere).
Has anyone seen anything like this before or would anyone have any ideas?
Thanks,
Jason Joseph
|
|
|
toml@online.microsoft.com
Guest
|
Posted:
Wed Jan 05, 2005 11:37 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Jeff,
The certificate documentation was really light for LCS 2003, there is a
document for LCS 2005 which should work just fine as the fundamentals of it
have not changed. I also put some info at http://blogs.msdn.com/toml
The certificate has to be for the name that will be referenced, most of the
time that is the FQDN. If you get an error about client/server cert, then
you likely chose the wrong certificate type or the template was created
incorrectly.
TomL LCS Kid
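The two certificate errors discussed in this thread (a subject that differs from the server name the client references, and a certificate that is not both a client and a server certificate) can be checked before a certificate is assigned. The PowerShell below is an added example, not code from the thread or from the LCS documentation; it assumes the "client and server" error refers to the Enhanced Key Usage extension, and the function name and the server name (taken from the illustrative names in the client-config notes) are placeholders.

```powershell
# Added example: pre-flight checks for a certificate intended for TLS between
# a SIP client and the server. Nothing here is LCS-specific API; it only reads
# the certificate with standard .NET X509 classes.
function Test-LcsTlsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # The exact name entered in the client for the server (normally the FQDN).
        [Parameter(Mandatory)]
        [string] $ServerName
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

    # 1. The subject common name must equal the name the client references.
    $nameType    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $commonName  = $Certificate.GetNameInfo($nameType, $false)
    $nameMatches = $commonName -eq $ServerName   # -eq ignores case for strings

    # 2. Collect the Enhanced Key Usage OIDs, if the extension is present.
    $hasEku  = $false
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $hasEku = $true
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    # Per RFC 5280 a certificate without an EKU extension is not restricted to
    # particular purposes, so it is reported separately rather than as a failure.
    $bothUsages = ($ekuOids -contains $serverAuthOid) -and ($ekuOids -contains $clientAuthOid)

    # 3. The chain must build to a root this machine trusts (an untrusted
    #    private root CA shows up here as UntrustedRoot).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped so the check also runs offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)
    $chainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        CommonName         = $commonName
        NameMatches        = $nameMatches
        HasEkuExtension    = $hasEku
        ClientAndServerEku = $bothUsages
        HasPrivateKey      = $Certificate.HasPrivateKey   # needed on the server side
        ChainTrusted       = $chainTrusted
        ChainErrors        = ($chainErrors -join ', ')
    }
}

# Check every certificate in the local machine's personal store against the
# server name the clients are configured with (placeholder name).
$serverName = 'LCSServer.company.com'
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-LcsTlsCertificate -Certificate $_ -ServerName $serverName } |
    Format-Table Thumbprint, CommonName, NameMatches, ClientAndServerEku,
                 HasPrivateKey, ChainTrusted, ChainErrors -AutoSize
```

Run it on the server to vet the certificate and on a client to confirm the issuing root is trusted there; a row with `NameMatches`, `ClientAndServerEku` and `ChainTrusted` all `True` passes all three checks.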
|
|
|
Jeff Metcalf
Guest
|
Posted:
Wed Jan 05, 2005 11:59 pm Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Yes, I've read through most of your posts here concerning certs and LCS, and
went thru the cert doc for LCS 2005 also. Still unable to connect. The
certs are kind of confusing. I'll take a look at your blog and see what I
can come up with.
Thanks
"Tom Laciano <MSFT>" wrote:
Jeff,
The certificate documentation was really light for LCS 2003, there is a
document for LCS 2005 which should work just fine as the fundamentals of it
have not changed. I also put some info at http://blogs.msdn.com/toml
The certificate has to be for the name that will be referenced, most of the
time that is the FQDN. If you get an error about client/server cert, then
you likely chose the wrong certificate type or the template was created
incorrectly.
TomL LCS Kid
|
|
|
Jason Joseph
Guest
|
Posted:
Thu Jan 06, 2005 4:01 am Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
Hi Jeff,
If you're getting that "The certificate you have chosen was issued for a
subject other than the fully qualified..." error message, it means that the
common name on the certificate differs from the entry that you put into
Windows Messenger for the SIP server.
If you created the certificate using the MS Certificate Server you need to
import your Root CA into the computer (otherwise in the Event Log you'll get
an error that the certificate isn't trusted).
I had to go through all of that jazz to get LCS to work via a VPN
connection.
Jason
"Jeff Metcalf" <JeffMetcalf@discussions.microsoft.com> wrote in message
news:4C9704EE-2663-43A1-9A68-3CE61B10A731@microsoft.com...
Yes, I've read through most of your posts here concerning certs and LCS, and
went thru the cert doc for LCS 2005 also. Still unable to connect. The
certs are kind of confusing. I'll take a look at your blog and see what I
can come up with.
Thanks
"Tom Laciano <MSFT>" wrote:
Jeff,
The certificate documentation was really light for LCS 2003, there is a
document for LCS 2005 which should work just fine as the fundamentals of it
have not changed. I also put some info at http://blogs.msdn.com/toml
The certificate has to be for the name that will be referenced, most of the
time that is the FQDN. If you get an error about client/server cert, then
you likely chose the wrong certificate type or the template was created
incorrectly.
TomL LCS Kid
"Bob Christian" <BobChristian@removethis.gmail.com> wrote in message
news:OwQiq9c8EHA.3828@TK2MSFTNGP09.phx.gbl...
Jason:
This sounds similar to several issues where the domain name in the SIP URI
differs from the supported domain name. Ex. SIP URI is Bob@Company.com but
my AD domain (and first supported SIP domain) is Company.local.
Below is some troubleshooting information I have provided on a few
occasions. I need to clean it up a bit, but it may help you in the interim.
Either way, please touch base to let us know what helped.
Info:
I have cut out parts of threads that I had posted for someone else. Please
see if it can help you. I should formulate it into a troubleshooting guide
when the time becomes available. Spare time is a rarity except when I am on
the plane...and that is usually spent catching up on sleep, if such a thing
is truly possible... =^)
Provided everything is working (you already noted this) the primary things
to ensure are:
1) Your forest supports the SIP domain that you are using
   If your SMTP namespace and your domain namespace differ (ex.
   AD=CompanyDomain.Forest.local SMTP=CompanyDomain.com)
2) The user is SIP-enabled in Active Directory Users & Computers
3) DNS is configured (at a minimum the server name and IP, the pool name
   and IP)
4) The IM client is configured properly
5) You have enabled both Kerberos and NTLM for authentication (thanks for
   the input sz.kluba)
As an aside: I have found that configuring certificates and running over
TLS seems to make things run a bit smoother. That, again, is after you get
things working first.
Thread below:
==============================================
CLIENT CONFIG:
I am assuming that you are inside your network and testing this first.
If you are outside, then you need to setup certificates and TLS...and that
is a whole other ballgame.
When you open Windows Messenger:
Select Tools...Options
Accounts Tab
Check My contacts include users of a SIP....
Sign-in name (SIP address)
Ex. Bob.Christian@company.com
Advanced...
Configure Settings
(even if you have your _SIP._TLS record set for your domain, let's test
this first)
(Server or IP address)
Ex. LCSPool1.company.com or LCSServer.company.com or 10.10.10.10 (Server IP)
Connect using:
TCP
When you try to sign in it should prompt you for your SIP Address
(sign-in name), Username and Password.
Your username is domain\username or username@domainname
(ex. Domain\Bob or bob@domain.local)
The domain should be your NetBIOS domain name or your fully-qualified
Active Directory Domain name. It may not necessarily match your SMTP or SIP
namespace.
==============================================
SIP DOMAIN FOREST CONFIG:
In LCS 2005, right-click on the forest name and select Properties.
Click on Add and add the emaildomain.com for your SMTP namespace if it is
not in there. You will probably see ADFQDN.local or whatever in there...but
the sip users are EmailAddress@company.com versus Username@company.local
Bob
"Jason Joseph" <funkmatic@hotmail.com> wrote in message
news:%23Ho2Zoe7EHA.3616@TK2MSFTNGP11.phx.gbl...
Hi Guys,
I've run into a strange problem and I was hoping that someone here might be
able to shed a bit of light onto it.
I setup MS LCS 2003 on my network and it works fine for everyone on the LAN.
The problem that I have is when I'm connected via a VPN (for instance I take
my laptop home) and try to log onto LCS I get the following error: "Signing
in to SIP Communications Service failed because service is temporarily
unavailable. Please try again later".
I'm not a NAT between the VPN address of the client machine (in the
10.0.254.x range) and the SIP Server (in the 192.168.1.x range)... and I
verified with a packet sniffer that the address that's hitting the LCS is
the actual address of my notebook computer. I can ping the SIP Server; I
set the authentication to NTLM; I also made sure that the transport is
TCP/IP; and I can telnet to the SIP server on port 5060 and it looks like I
can connect.
I tried installing LCS 2003 on another computer in the same domain to see if
it was just something with the server and the problem still persists. Then,
just for the heck of it, I install an LCS in my test AD domain and that one
works fine (I can access it from the LAN and from a VPN connection).
That leads me to believe that whatever the problem is, it's somehow related
to either an AD issue or maybe an authentication issue? However, as I
mentioned earlier, it works fine on the LAN (and the LCS in the test domain
works fine everywhere).
Has anyone seen anything like this before or would anyone have any ideas?
Thanks,
Jason Joseph
|
|
|
Jeff Metcalf
Guest
|
Posted:
Thu Jan 06, 2005 4:39 am Post subject:
Re: Signing in to SIP Communications Service fails when conn |
|
|
| |