Microsoft KB Archive/890676

= Live Communications Server 2005 does not start after you configure a certificate for TLS or for Mutual TLS =

PSS ID Number: 890676

Article Last Modified on 12/1/2004


The information in this article applies to:


 * Microsoft Office Live Communications Server 2005 Enterprise Edition
 * Microsoft Office Live Communications Server 2005 Standard Edition






SYMPTOMS
In Microsoft Office Live Communications Server 2005, after you configure a certificate for the Transport Layer Security (TLS) protocol or for Mutual TLS (MTLS), you experience the following symptoms:
 * The Live Communications Server service unexpectedly quits.
 * The following events are logged in the Application log:

Event ID 30813

Event Source: Live Communications Scr

Event Category: (1012)

Event ID: 30813

Date:

Time:

Type: Error

User: N/A

Computer:

Description: Live Communications Script-Only Applications Service aborting.

Cause: Live Communications Server service terminated unexpectedly.

Resolution:

Examine the event log entries prior to this one to determine the reason that the Live Communications Server service exited.

Event ID 12299

Event Source: Live Communications Ser

Event Category: (1000)

Event ID: 12299

Date:

Time:

Type: Error

User: N/A

Computer:

Description: The service is shutting down due to an internal error.

Error Code: 0xC3E91010.

Resolution:

Check the previous event log entries and resolve them. Restart the server. If the problem persists, contact product support.

Event ID 16422

Event Source: Live Communications Ser

Event Category: (1000)

Event ID: 16422

Date:

Time:

Type: Error

User: N/A

Computer:

Description: Failed starting the protocol stack. The service has to stop.

Error code is: 0xc3e91010 (No error message text found).

Cause: Check the previous entries in the event log for the failure reason.

Resolution:

Try restarting the server after resolving the failures listed in the previous event log entries.

Event ID 14352

Event Source: Live Communications Ser

Event Category: (1001)

Event ID: 14352

Date:

Time:

Type: Error

User: N/A

Computer:

Description: Unable to start the stack.

Error: 0xC3E91010 (No Message Text Found).

Event ID 14336

Event Source: Live Communications Ser

Event Category: (1001)

Event ID: 14336

Date:

Time:

Type: Error

User: N/A

Computer:

Description: A configured transport has failed to start.

Transport TLS has failed to start on local IP address 0.0.0.0 at port 5061.

Cause: This can occur due to a configuration error, low system resources or because another program is using the specified port. It can also happen if the IP address specified has become invalid.

Resolution:

Ensure that the IP address specified is valid and that no other program is listening on the specified port.

Event ID 14347

Event Source: Live Communications Ser

Event Category: (1001)

Event ID: 14347

Date:

Time:

Type: Error

User: N/A

Computer:

Description: Unable to listen for on socket.

Transport: TLS, IP address:0.0.0.0, Port: 5061. Error:0x8009030D (The credentials supplied to the package were not recognized).

Cause: This could happen if another program is using the same port. Unrecognized credentials error for TLS transport could happen if your certificate has become invalid.

Resolution:

Ensure that no other program is listening on the same port. For unrecognized credentials error, ensure that the certificate is valid and also has a private key.



CAUSE
This issue may occur if the certificate that is used for TLS or MTLS has been copied or moved from the user certificate store to the computer certificate store on the Live Communications Server computer. For example, this issue may occur if the following conditions are true:
 * You obtain a valid certificate from a stand-alone certification authority (CA).
 * You install this certificate in the local user certificate store.
 * You copy this certificate to the local computer certificate store.
 * You select this certificate when you configure TLS or MTLS in Live Communications Server 2005.

Live Communications Server cannot use a certificate that has been manually moved or copied from the local user certificate store to the local computer certificate store. When you manually move or copy a certificate from the local user certificate store to the local computer certificate store, the certificate's private key is not moved or copied with the certificate. When the Live Communications Server service starts, it must validate the private key before it can establish a TLS or an MTLS connection over port 5061. If the private key is not available, the Live Communications Server service cannot start.
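The condition described above can be checked from the command line, both before replacing the certificate and after installing the new one. The following is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later is available on the server, and the function name Test-LcsTlsCertificate and the FQDN pool01.example.com are hypothetical.

```powershell
# Added example, not from the KB article. Assumes Windows PowerShell 2.0 or later.
# $PoolFqdn is a placeholder parameter: pass the FQDN of your own pool.
function Test-LcsTlsCertificate {
    param([Parameter(Mandatory = $true)][string]$PoolFqdn)

    # EKU OIDs typed into the OID box when the certificate is requested.
    $requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date

    # Certificates (Local Computer) > Personal is the LocalMachine\My store.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Gather the OIDs listed in the Enhanced Key Usage extension, if any.
        # A certificate without that extension is reported as missing both OIDs.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }
        $missingEku = @($requiredEku | Where-Object { $ekuOids -notcontains $_ })

        $commonName = $cert.GetNameInfo($nameType, $false)
        $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        # HasPrivateKey = False is the condition this article describes:
        # the store entry has no private key associated with it.
        $result = New-Object PSObject -Property @{
            Thumbprint      = $cert.Thumbprint
            CommonName      = $commonName
            HasPrivateKey   = $cert.HasPrivateKey
            MissingEku      = ($missingEku -join ',')
            InValidity      = $inValidity
            NameMatchesPool = ($commonName -eq $PoolFqdn)
        }
        $usable = $result.HasPrivateKey -and $result.InValidity -and
                  $result.NameMatchesPool -and ($missingEku.Count -eq 0)
        $result | Add-Member -MemberType NoteProperty -Name Usable -Value $usable -PassThru
    }
}

# Example call with a constructed FQDN; replace with your pool name.
Test-LcsTlsCertificate -PoolFqdn 'pool01.example.com' |
    Select-Object Thumbprint, CommonName, HasPrivateKey, MissingEku, InValidity, NameMatchesPool, Usable |
    Format-Table -AutoSize
```

HasPrivateKey only reports that the store entry references a key, so a True value does not by itself prove that the service account can open that key.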



RESOLUTION
To resolve this issue, the certificate that was moved or copied to the local computer certificate store must be replaced. Remove the existing certificate, and then request a new certificate.

Note: In Live Communications Server 2005, there is currently no available method that will let a certificate work after that certificate has been moved or copied from the user certificate store to the local computer certificate store.

To remove the existing certificate, and then request a new certificate, follow these steps:

Step 1: Remove the existing certificate

 * 1) On the Live Communications Server 2005 computer, click Start, click Run, type mmc, and then click OK.
 * 2) On the File menu, click Add/Remove Snap-in.
 * 3) Click Add, click Certificates, click Add, click Computer account, click Next, and then click Finish.
 * 4) Click Close, and then click OK.
 * 5) Expand Certificates (Local Computer), expand Personal, and then click Certificates.
 * 6) In the details pane, right-click the certificate that you used for the TLS or the MTLS connection, and then click Delete.
 * 7) On the following message that appears, click Yes: You will not be able to decrypt data encrypted using this certificate. Do you wish to delete this certificate?

Step 2: Request a new certificate
Note: These steps describe how to obtain a new certificate from a Microsoft Windows Server 2003 stand-alone CA. For information about how to obtain a certificate from a third-party CA, see the documentation from that third-party CA.

 * 1) On the Live Communications Server 2005 computer, click Start, click Run, type http:// /certsrv where  is the name of your stand-alone CA, and then click OK.
 * 2) Click Request a certificate, and then click advanced certificate request.
 * 3) Click Create and submit a request to this CA.
 * 4) In the Name box, type the fully qualified domain name (FQDN) of your Live Communications Server pool, and then type the rest of your certificate identification information in the other boxes.
 * 5) In the Type of Certificate Needed list, click Other.
 * 6) In the OID box, type the following: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 Note: A comma appears after 1.3.6.1.5.5.7.3.1 in this object identifier.
 * 7) Select the Store certificate in the local computer certificate store check box. Note: If you do not select this check box, the certificate is installed in the user certificate store.
 * 8) Click Submit, and then click Yes on the following message that appears: This Web site is requesting a new certificate on your behalf. You should only allow trusted Web sites to request a certificate for you. Do you want to request a certificate now?
 * 9) Allow for sufficient time for the certificate request to be approved and for the certificate to be issued.
 * 10) Click Start, click Run, type http:// /certsrv, and then click OK.
 * 11) Click View the status of a pending certificate request, click User-EKU (1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2) Certificate, and then click Install this certificate.
 * 12) On the following message that appears, click Yes: This Website is adding one or more certificates to this computer. Allowing an untrusted Web site to update your certificates is a security risk. The Web site could install certificates you do not trust, which could allow programs that you do not trust to run on this computer and gain access to your data. Do you want this program to add the certificates now? Click Yes if you trust this Web site. Otherwise, click No.

Step 3: Modify TLS or MTLS to use the new certificate
Configure Live Communications Server 2005 to use the new certificate that you installed. To do this, follow these steps:

 * 1) Start the Live Communications Server 2005 Microsoft Management Console (MMC) snap-in.
 * 2) Expand your forest, expand Domains, expand your domain, expand Live Communications servers and pools, expand your pool, right-click your Live Communications Server computer, and then click Properties.
 * 3) Click the General tab, click your TLS or MTLS connection in the Connections list, and then click Edit.
 * 4) If you receive the following error message, click OK: Live Communications Server Snap-in cannot read the certificate information, or the certificate is no longer available.
 * 5) Click Select Certificate, click the certificate that you obtained in "Step 2: Request a new certificate," and then click OK.
 * 6) Click OK two times.
 * 7) Right-click your Live Communications Server computer, and then click Start.


MORE INFORMATION
For additional information about how to configure certificates in Live Communications Server 2005, see the Live Communications Server Enterprise Edition Deployment Guide, the Live Communications Server 2005 Enterprise Edition Lab Quick Start guide, or the Live Communications Server 2005 Configuring Certificates guide. To obtain these guides, visit the following Microsoft Web site:

http://office.microsoft.com/en-us/FX011526591033.aspx

Additional query words: LCS 2005

Keywords: kbprb kbtshoot KB890676

Technology: kbOfficeLCS2005Ent kbOfficeLCS2005Standard


© Microsoft Corporation. All rights reserved.