Friday, January 16, 2009

Certificates and Group Chat Server in OCS2007 R2

A couple of days ago we started to deploy our new Group Chat Server. After the installation of the Group Chat Server we discovered that the Lookup Service and the Channel Service didn't start up. After some investigation we saw that the certificate needed to exchange keys with the OCS2007 R2 home server didn't have a private key.

To surface this error message, do the following:

FIRST: set the logging level to ERROR on the Channel Server (Group Chat Server Configuration):


SECOND: set the logging level to ERROR on the Lookup Server (Group Chat Server Configuration):

After configuring the settings above, go back to the logging folder. By default the logs directory is created in <SYSTEM>:\Program Files\Microsoft Office Communications Server 2007 R2\Group Chat Server\Logs

After some additional investigation we saw a couple of ERROR breakpoints in the TXT file.

Example 1:

ERROR    |20090114-12:37:31.297|    6:|PeerTransport.Connect | unable to start WCF Service:
The certificate 'E=e-services@e-office.com, CN=ocs01.contoso.local, OU=IT, O=CONTOSO, L=Houten, S=Utrecht, C=NL' must have a private key that is capable of key exchange. The process must have access rights for the private key. at
    at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)

Example 2:

ERROR    |20090114-12:37:31.297|    6:         |       MAServiceBase.LogUnhandledException                         | <System.ArgumentException: The certificate 'E=e-services@e-office.com, CN=ocs01.contoso.local, OU=IT, O=CONTOSO, L=Houten, S=Utrecht, C=NL" must have a private key that is capable of key exchange. The process must have access rights for the private key.

Resolution:

When requesting your certificate, make sure you can export the private key, and import the certificate including the private key (PK) in IIS 7.0 so that you can edit the Secure Bindings of the MGCWebService.


After importing the right SSL certificate (including PK), check whether you can reach the web service at https://<SERVERNAME>/MGCWebService/MGCWebService.asmx
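A way to check the certificate for the conditions named in the log message (private key present, key readable by the process, key usable for key exchange), as an added example that is not part of the original post. It assumes the certificate sits in the LocalMachine\My store and that the session runs under the account the Group Chat services use; `$Fqdn` defaults to the CN from the log excerpt above.

```powershell
# Added example, not from the original post. Run in Windows PowerShell on the
# Group Chat Server. $Fqdn is an assumption: the CN of the server certificate.
param([string]$Fqdn = 'ocs01.contoso.local')

$pattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    ForEach-Object {
        $cert = $_
        $keyReadable = $false
        $keyNumber = 'n/a'

        if ($cert.HasPrivateKey) {
            try {
                # Opening the key fails (or returns null) when the current
                # account has no access rights on the key container.
                $key = $cert.PrivateKey
                $keyReadable = ($null -ne $key)
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Exchange = key-exchange key, Signature = signing-only key.
                    $keyNumber = $key.CspKeyContainerInfo.KeyNumber
                }
            } catch {
                $keyReadable = $false
            }
        }

        # Key Usage extension, if the certificate carries one.
        $usageExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        $usage = if ($usageExt) { $usageExt.KeyUsages } else { 'not present' }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyReadable   = $keyReadable
            KeyNumber     = $keyNumber
            KeyUsages     = $usage
        }
    } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, KeyReadable, KeyNumber, KeyUsages |
    Format-List
```

A row with HasPrivateKey False or KeyReadable False corresponds to the two conditions the log message names: no private key, or no access rights for it. KeyNumber and KeyUsages show whether the key was issued for key exchange.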


2 comments:

Anonymous said...

Need Help in OCS 2007 Extended application.
Pls Check
http://social.microsoft.com/forums/en-US/communicationsserversetup/thread/7a151cde-2233-4474-8207-ecf7ff80f520/

What I am trying to do is send some IM message from server to the client on some particular condition