Microsoft KB Archive/911789

= When an internal user views an instant message that was sent from an external user, the message does not contain any text in Live Communications Server 2005 =

Article ID: 911789

Article Last Modified on 5/21/2007

-

APPLIES TO


 * Microsoft Office Live Communications Server 2005 Standard Edition
 * Microsoft Office Live Communications Server 2005 Enterprise Edition

-





SYMPTOMS
In Microsoft Office Live Communications Server 2005, when an internal user views an instant message that was sent from an external user, the message does not contain any text. Additionally, the Status bar indicates that the external user is offline. Therefore, the internal user may not reply to the external user.



CAUSE
This problem occurs if the name on the certificate does not match the fully qualified domain name (FQDN) of the server that is running Live Communications Server 2005. These names must match to guarantee internal client connectivity by using the Transport Layer Security (TLS) protocol. The problem only occurs if the following conditions are true:
 * The Live Communications Server 2005 server is a member server of a domain.
 * The Live Communications Server 2005 server tries to communicate with another Live Communications Server 2005 server.



RESOLUTION
To resolve this problem, use one of the methods that are described in one of the following sections. Each section describes a different scenario in which this problem occurs.

Scenario 1: You are using multiple Live Communications Server 2005 servers or enterprise pools
To resolve this problem if there are multiple Live Communications Server 2005 Standard Edition servers in your domain, you must configure Mutual Transport Layer Security (MTLS) protocol certificates. If you do not configure MTLS protocol certificates, users who connect to different Live Communications Server 2005 Standard Edition servers cannot communicate with one another.

To resolve this problem if you have multiple Live Communications Server pools or multiple front-end servers in an enterprise pool, you must use MTLS certificates. If you do not use MTLS certificates, users from different enterprise pools cannot communicate with one another. Typically, the certificate name uses the FQDN of the pool in Microsoft Live Communications Server 2005 Enterprise Edition.

To configure the MTLS certificate, follow these steps:
 * 1) Start the Live Communications Server 2005 tool.
 * 2) If you are using Live Communications Server 2005 Enterprise Edition, expand  , expand Domains, expand  , expand Live Communications servers and pools, and then expand your pool. Right-click the Live Communications Server 2005 Enterprise Edition server, and then click Properties

Alternatively, if you are using Live Communications Server 2005 Standard Edition, expand  , expand Domains, and then expand  . Right-click the Live Communications Server 2005 Standard Edition server, and then click Properties.
 * 1) Click the General tab, and then click Add.
 * 2) In the Transport type box, click TLS, and then click Select Certificate.
 * 3) Click the computer certificate that matches the FQDN of the server.

Scenario 2: You are using an access proxy server
To resolve this problem if you are using an access proxy server to let users remotely connect to your internal Live Communications Server 2005 environment, make sure that you configure two certificates on the access proxy server. You must configure one certificate to communicate with the LAN connection and another certificate to communicate with external or federated resources. To review the certificates on the access proxy server, follow these steps:
 * 1) Start the Computer Management tool, and then expand Services and Applications.
 * 2) Right-click the server name, and then click Properties.
 * 3) Click the Private tab, and then review the certificate.

The Private tab corresponds to the interface that the internal LAN connection uses to communicate with the access proxy server.
 * 1) Click the Public tab, and then review the certificate.

The Public tab corresponds to the interface that the access proxy server uses to communicate with external or federated resources.

An access proxy server requires a digital certificate for each Domain Name System (DNS) name that is assigned to the proxy server. If the domain environment has separate DNS names that correspond to the domain's internal and external edges, the access proxy server requires a separate certificate for each edge. If the domain environment has a single DNS name, the access proxy server requires only one certificate.

Scenario 3: You configured public instant messaging connectivity (PIC)
To resolve this issue if you configured PIC, make sure that you configure an MTLS certificate for the server. Microsoft Office Live Communications Server 2005 Service Pack 1 (SP1) extends the federation capability of Live Communications Server 2005 by providing the means to communicate with users of instant messaging services that are provided by MSN, by AOL, and by Yahoo. PIC requires an MTLS certificate that is obtained from a public certification authority (CA) that is in the list of trusted CAs in Microsoft Windows Server 2003. When you configure PIC on your access proxy server, the access proxy server uses a certificate that is obtained from the public CA that is listed on the Public tab of the server properties. The public certificate exists in the Trusted Root Certification Authorities container of the access proxy server in the Certificates tool (Certmgr.msc).

Scenario 4: You are using an array of access proxy servers that exist behind a load balancer server
To resolve this problem if you are using an array of access proxy servers that exist behind a load balancer server, make sure that you use certificates that have subject alternative names. The certificate that is used by the array includes the name of the array and the FQDN of the server. The user session may be moved from one access proxy server to another access proxy server during a load balance. Therefore, make sure that each access proxy server in the array uses the same certificate.

Scenario 5: You are using multiple servers behind a director pool
To resolve this problem if you are using multiple servers behind a director pool, make sure that you install the MTLS certificates on each server that is controlled by a director server. Make sure that the certificate includes the following information:
 * The name of the server in Active Directory as the common name
 * The name of the director server as the subject alternative name

The main common name for a director pool is the FQDN of the pool. A director array uses a main common name that is the same as the FQDN of the server. The subject alternative name is the FQDN for the director pool or for the director array. This FQDN should resolve to the IP address of the load balancer.

Scenario 6: The client computers in your organization access a pool
To resolve this problem if the client computers in your organization access a pool by using a simplified name that differs from the pool named that is recognized by Active Directory, make sure that you use certificates that have subject alternative names. Consider the following example. The Live Communications Server 2005 server is deployed to a child domain that has the following name:

.

This child domain is in a pool that has the following name:

..

You want users to be able to access internal Live Communications Server users from the Internet through .com. In this example, you should install a certificate that has the following information:
 * A main common name of the name of the pool
 * A subject alternative name for each front-end server in Active Directory
 * A simplified name that users connect to from the Internet

Each front-end server has a different certificate. Make sure that these certificates include the pool name, the FQDN of the front-end server, and the simplified name.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
When you configure certificates for Live Communications Server 2005 servers, make sure that the following conditions are true:  The certificate chain is valid. The certificate should trust the CA that issued the certificate or the root CA in the certificate chain from which the certificate was issued. Server authentication and client authentication are present in the Enhanced Key Usage (EKU) section of the certificate to authorize users. For example, Entrust Web certificates provide the server EKU attribute only. Therefore, communication with AOL fails when you use this certificate because the AOL session initiation protocol (SIP) gateway uses both server and client authentication EKU. However, Yahoo and MSN use only server authentication. The certificate has a private key and a public key. Microsoft Windows Messenger or Microsoft Office Communicator clients connect to the Live Communications Server 2005 server by using the same name as the common name that is used by the certificate. The following permissions are set on the certificate stores system file:

Note The certificate stores are located at the following path:

\Documents and settings\All users\Application data\Microsoft\Crypto\RSA\MachineKeys

</li></ul>

Additionally, certificates may have been replaced on the Live Communications Server 2005 server. In this case, make sure that the new certificate is listed on the General tab of the Live Communications Server 2005 server properties that appear in the Live Communications Server 2005 tool. Also verify that the new certificates are listed on the Security tab of the server properties.

For more information about how to configure certificates in Live Communications Server 2005, see the following resources:
 * The Live Communications Server Enterprise Edition Deployment guide
 * The Live Communications Server 2005 Enterprise Edition Lab Quick Start guide
 * The Live Communications Server 2005 Configuring Certificates guide

To obtain these guides, visit the following Microsoft Web site:

http://office.microsoft.com/en-us/products/FX011526591033.aspx

Additional query words: ca, AOL, MSN, Yahoo

Keywords: kbprb kbtshoot KB911789

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.