Microsoft KB Archive/915114


Article ID: 915114

Article Last Modified on 8/15/2007



APPLIES TO

  • Microsoft Office Communicator Web Access
  • Microsoft Office Live Communications Server 2005 Service Pack 1
  • Microsoft Office Communicator 2007



SYMPTOMS

When you use Microsoft Office Communicator Web Access to try to log on to Microsoft Office Live Communications Server 2005 Service Pack 1 (SP1) or to Microsoft Office Communicator 2007, the logon operation fails. Additionally, you may receive the following error message:

The session was ended. Communicator Web Access Server cannot log the user on to the Live Communications Server. (Error Code: 1)

Then, a second browser window that is intended for the client interface may open and display the icons for activity. However, you receive the following error message in the browser window:

The server is unavailable. Please sign in again or contact your system administrator.

Additionally, the following event is logged in the Application log on the server that is running Live Communications Server 2005:

Event Type: Error
Event Source: Communicator Web Access Session Service
Event Category: (2101)
Event ID: 50103
Description: The Communicator Web Access session service can not establish or maintain MTLS connection to the Live Communications Server.
Virtual server name: servername.com
Live Communications Server: N/A
Error code: 0xc835c3f3
Cause: This problem is usually caused by an invalid MTLS certificate configured on the Communicator Web Access Server or Live Communications Server.
Resolution: Review certificate related sections in Microsoft Office Communicator Web Access Planning and Deployment Guide. Ensure the MTLS certificates configured on the Communicator Web Access Server and Live Communications Server are valid. If the problem persists, run Communicator Web Access activation again to repair the server. For more information, see Help and Support Center at http://support.microsoft.com.


RESOLUTION

If you experience the symptoms that are mentioned in the "Symptoms" section, a certificate configuration issue exists. The certificate configuration for Communicator Web Access depends on whether you are running Live Communications Server Standard Edition or Live Communications Server Enterprise Edition.

Make sure that Live Communications Server Standard Edition and Live Communications Server Enterprise Edition are configured in a supported network configuration.

For Live Communications Server Standard Edition

Whether you are running Communicator Web Access on a separate server from Live Communications Server Standard Edition or collocated on the same server as Live Communications Server Standard Edition, certificates must be configured as follows:

  • MTLS certificate: The subject name must be the FQDN of the Communicator Web Access server.
  • HTTPS (SSL) certificate: The subject name must be the host name that is used by clients to access the Communicator Web Access server. The subject name may not be the server FQDN. The SSL certificate should match the Web site name that the user enters in the browser to access the Communicator Web Access site.

Note If the URL host name does not match the subject name of the certificate, the user will still be able to access the Web site with security. However, the user will be prompted with a warning that the host name and the certificate do not match. For example, if the Communicator Web Access server FQDN is LCS-01.contoso.com, and clients use http://cwa.contoso.com to connect to Communicator Web Access, the MTLS certificate subject name would be LCS-01.contoso.com. Additionally, the HTTPS (SSL) subject name would be cwa.contoso.com.

For Live Communications Server Enterprise Edition

If you are running Communicator Web Access on one of the servers in a Live Communications Server Enterprise Edition pool, you must use the FQDN of the server pool in the MTLS certificate. Certificates must be configured as follows:

  • MTLS certificate: The subject name must be the FQDN of the Live Communications Server pool.
  • HTTPS (SSL) certificate: The subject name must be the host name that is used by clients to access the Communicator Web Access server. The subject name may not be the server FQDN. The SSL certificate should match the Web site name that the user enters in the browser to access the Communicator Web Access site.

Note If the URL host name does not match the subject name of the certificate, the user will still be able to access the Web site with security. However, the user will be prompted with a warning that the host name and the certificate do not match. For example, if the Live Communications Server pool FQDN is "LCSPool.contoso.com," and if clients use http://cwa.contoso.com to connect to Communicator Web Access, the MTLS certificate subject name would be "LCSPool.contoso.com." The HTTPS (SSL) subject name would be "cwa.contoso.com."

Troubleshooting

  1. Open Microsoft Office Communicator Web Access Manager, right-click the server object, and then click Properties. Verify that the MTLS certificate has a subject name that matches the computer FQDN for a Standard Edition deployment or that matches the pool name for an Enterprise Edition pool.
  2. In Communicator Web Access Manager, right-click the Communicator Web Access Virtual Server object, and then click Properties.

     On the Connectivity tab, verify that the HTTPS certificate that is selected matches the URL name that clients will use to access Communicator Web Access.

  3. Verify that the Communicator desktop client can sign in to Live Communications Server by using TLS as the transport.

     If connections are successful by using TCP but not TLS, the Live Communications Server may not be configured to accept TLS connections. Alternatively, there may be a problem with the certificate that is used for TLS connections.

  4. Make sure that the Live Communications Server is configured for MTLS connections.

     This step is frequently missed in deployments that use a single Live Communications Server Standard Edition server that is accessed by using TCP or when Communicator Web Access is deployed on the same server as Live Communications Server. An MTLS connection is made from Communicator Web Access to Live Communications Server regardless of whether the applications are on the same server.

  5. Verify that the certificate that is supplied meets the MTLS requirements for Live Communications Server. Specifically, verify that the certificate uses a Web Server template with Enhanced Key Usage for Server Authentication.
  6. Restart the Live Communications Server services to populate the trusted server list. The trusted server list is built into the memory of the Live Communications Server 2005 server when the server is restarted.
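
The subject-name and Enhanced Key Usage checks in the steps above can also be run from PowerShell on the Communicator Web Access server. The following is an added example, not part of the original Microsoft article: the function name Test-CwaCertificate is hypothetical, the host names are the article's contoso.com examples, and it assumes that the certificates are installed in the Local Computer Personal store (Cert:\LocalMachine\My) and that the subject name is carried in the certificate's common name.

```powershell
# Added example, not Microsoft's code. Checks certificates against this article's
# requirements. Assumes they are installed in the Local Computer "Personal" store.
function Test-CwaCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName,   # FQDN or host name that the subject must carry
        [string]$Role            # label for the report: 'MTLS' or 'HTTPS'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($simple, $false)   # subject CN when one is present

    # Gather the EKU OIDs; stays empty if the certificate has no EKU extension.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # WithinValidity and HasPrivateKey are general validity checks added here;
    # the article itself only names the subject and EKU requirements.
    $now = Get-Date
    New-Object PSObject -Property @{
        Role           = $Role
        SubjectCN      = $cn
        Thumbprint     = $Certificate.Thumbprint
        SubjectMatches = ($cn -ieq $ExpectedName)
        ServerAuthEku  = ($ekuOids -contains $serverAuthOid)
        WithinValidity = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        HasPrivateKey  = $Certificate.HasPrivateKey
    }
}

# Names from the article's Standard Edition example. For an Enterprise Edition
# pool, the MTLS name is the pool FQDN (LCSPool.contoso.com in the article).
$expected = @{ MTLS = 'LCS-01.contoso.com'; HTTPS = 'cwa.contoso.com' }

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
foreach ($role in $expected.Keys) {
    $results = @($certs | ForEach-Object {
        Test-CwaCertificate -Certificate $_ -ExpectedName $expected[$role] -Role $role
    } | Where-Object { $_.SubjectMatches })
    if ($results.Count -eq 0) {
        Write-Warning "No certificate with subject $($expected[$role]) found for $role"
    } else {
        $results | Format-List Role, SubjectCN, Thumbprint, ServerAuthEku, WithinValidity, HasPrivateKey
    }
}
```

A warning for the MTLS role, or ServerAuthEku reported as False on the matching certificate, corresponds to the invalid MTLS certificate condition that event ID 50103 describes.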


MORE INFORMATION

For more information about Live Communications Server 2005 SP1 supported configurations, see the "Live Communications Server 2005 Document: Supportability Guide." To do this, visit the following Microsoft Web site:

For more information about the "Microsoft Office Communicator Web Access Planning and Deployment Guide," visit the following Microsoft Web site:

For more information about Communicator Web Access deployment resources, visit the following Microsoft Web site:

For more information about how to configure certificates in Live Communications Server 2005, visit the following Microsoft Web site:

For more information about how to plan for and deploy certificates in Live Communications Server 2005 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

925338 Support WebCast: How to plan for and deploy certificates in Live Communications Server 2005 Service Pack 1


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Additional query words: cwa

Keywords: kbtshoot kbprb KB915114