Microsoft KB Archive/830540

= Cannot Configure a TLS Connection and a TLS Mutual Connection on a Home Server on the Same Port =

Article ID: 830540

Article Last Modified on 12/2/2003

-

APPLIES TO


 * Microsoft Office Live Communications Server 2003

-





SYMPTOMS
When you try to configure a Transport Layer Security (TLS) connection and a TLS Mutual connection, you may receive the following error message:

The port you selected is already in use. Enter another port.

This problem occurs when you try to configure a TLS connection on one IP address and a TLS Mutual connection on a second IP address. Because you receive the error message, you may not be able to use a TLS connection on the home server. A TLS Mutual connection is required for home-server-to home-server communication.



CAUSE
This problem occurs if you configure both connections to listen on the same port. For example, you configure both the TLS connection and the TLS Mutual connection to listen on port 5061.

Note This problem does not occur if you configure both connections to use either the TLS connection type or the TLS Mutual connection type. This problem occurs only when you configure one connection type as TLS and the a second connection type as TLS Mutual.



WORKAROUND
To work around this problem, use one of the following methods.

Method 1: Deploy a Front-End Server
Deploy a front-end server to accept client connections and redirect those clients to the appropriate home server.

Method 2: Configure a Group Policy Object
Create a Group Policy object to relax the restrictions that Windows Messenger has on Domain Name Service (DNS) lookups. To do this, enable the DisableStrictDNSNaming policy. This policy is included in the Rtcclient.adm administrative template. The Rtcclient.adm administrative template is located in the Setup\i386 folder on the Live Communications Server 2003 CD. When you install Microsoft Live Communications Server 2003, this template is copied to the Windows\inf folder on the Live Communications Server computer and on the domain controller. To enable this policy, follow these steps:  Start the Group Policy Object Editor utility. To do so, do one of the following:  If you want to create the policy on the Live Communications Server computer, click Start, click Run, type gpedit.msc in the Open box, and then click OK. If you want to create this policy in a domain or organizational unit, follow these steps:  Start Active Directory Users and Computers. Right-click the domain or the organizational unit container where you want to create this policy, and then click Properties. Click the Group Policy tab, and then click New.</li> Type a name for the new Group Policy object, press ENTER, and then click Edit.</li></ol> </li></ul> </li> Under Computer Configuration, right-click Administrative Templates, and then click Add/Remove Templates.</li> Click Add, click rtcclient.adm, click Open, and then click Close.</li> Expand Administrative Templates, expand Windows Messenger Policy Settings, and then click SIP Communications Service Policies.</li> In the right pane, double-click Allow additional server DNS names.</li> Click Enabled, and then click OK.</li> Quit Group Policy Object Editor.</li> If you created this as a domain or organizational unit policy, click Close to close the  Properties dialog box.</li> Wait for sufficient time for Group Policy changes to replicate throughout the domain.</li></ol>

Method 3: Use a TLS Mutual Certificate
To use a TLS Mutual certificate, follow these steps:
 * 1) When you request a certificate for the TLS connection, obtain a certificate that has both client authentication attributes and server authentication attributes. Additionally, obtain a certificate that has the correct common name.
 * 2) Create a TLS Mutual connection instead of a TLS connection.

Windows Messenger can connect to Live Communications Server 2003 and use the TLS Mutual certificate if the certificate has the common name that Windows Messenger expects and if the certificate has at least the server authentication attribute.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section of this article.

<div class="moreinformation_section">

MORE INFORMATION
The certificate requirements in Live Communications Server 2003 are different for TLS connections than they are for TLS Mutual connections. Specifically, the common name of the certificate and the authentication attributes of the certificate are different for TLS connections and for TLS Mutual connections. Additionally, when the Windows Messenger client program is in auto configuration mode, it has (by default) a restriction on the results of the DNS query that it uses to locate the Home Server. Windows Messenger expects that the name of the host (A) record returned from DNS has the name sip. . This means the common name of the certificate used for client connections must have the name sip. . TLS Mutual connections use the fully qualified domain name (FQDN) of the home server. Therefore, the common name of the TLS Mutual certificate is the FQDN of the home server.

When you configure the workaround that is described in method 2 of the &quot;Workaround&quot; section of this article, the Windows Messenger client and the other Live Communications Server computers can connect to Live Communications Server 2003 on a single IP address.

Keywords: kberrmsg kbbug kbpending KB830540

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.