Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365

Federation with Microsoft - SendTrustedIssuerList

Timmy Luts Posted: 08-26-2010 12:25


After setting up OCS 2007 R2 we wanted to federate with Microsoft.

To keep the story short, we were able to federate with other companies, so this means all ports (firewall) for federation were open and the configuration was OK.
Microsoft has its own Federation Validation tool and we always got the following error.

Company Name: CompanyName
SIP Domain: domain.com
SIP Access Edge: N/A - Validation Failure
SIP URI for contact in SIP domain: Timmy.Luts@domain.com

Validation Test Result: FAIL
Validation Test Details: Testing connectivity for console input server Check machine sip.domain.com on 222.222.222.222:5061 : tls : FAIL Requested range extends past the end of the array.

Federation Enablement: Federation with domain.com is not enabled

*Posted information is edited before posting.

---

So finally we opened a Premium Support Call with MS to get this problem solved.
These are the validation requirements:

VALIDATION REQUIREMENTS

  1. A publicly available SRV record in DNS (e.g., _sipfederationtls._tcp.contoso.com for TCP port 5061)
  2. The SRV record points to a valid A record in DNS that points to the Access Edge server's FQDN (e.g., sipfed.contoso.com)
  3. Access Edge server must have support for federation enabled, and be listening on port 5061 and able to respond to sipfed.microsoft.com on 131.107.115.72
  4. The certificate used on the public interface of the Access Edge must be signed by a public Certificate Authority and have the SIP Domain in the FQDN of the Subject Name= entry of the certificate (e.g., Subject Name=sipfed.contoso.com), or in a Subject Alternate Name= entry of the certificate (e.g., Subject Name=sipfed.fabrikam.com; Subject Alternate Name=contoso.com), and have the entire chain of authority for the certificate verifiable.

After verifying all the requirements (everything OK) we should have been able to federate with Microsoft, but we still got a failure when the validation test ran.

Some extra tools to check the cert:

http://www.digicert.com/help

https://www.digicert.com/util/

---

After 30 days the ticket escalated and I got in contact with an "Escalation Support Engineer".
Again we ran through the certificates - all OK.
Then we went to the certificate store and when we opened the "Trusted Root Certification Authorities" the Engineer saw the problem. We had "280" Root CA Certs in the store.

When you make a request for federation you send a Trusted Issuer List with the certificate you use, and it seems that the validation tool blocks at the limit of 120 Root CA certs.

---

Solution:

To make sure that the requester doesn't send the Trusted Issuer List at the time of requesting, we had to add a registry entry on the Access Edge server that would prevent us from sending that list.

Here is the procedure:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
  5. Right-click SendTrustedIssuerList, and then click Modify.
  6. In the Value data box, type 0 if that value is not already displayed, and then click OK.
  7. Exit Registry Editor.
  8. After adding this registry entry we passed the test successfully.
     Not even a restart was necessary.

Case Solved.

Greeetzz,
Timmy
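The following PowerShell script is an added example, not part of Timmy's post or of any Microsoft tooling. It audits the machine-wide Trusted Root store against the 120-certificate limit the post reports, and applies the same SendTrustedIssuerList change under the SCHANNEL key described in the steps above. The threshold variable and function names are my own; run it elevated on the Access Edge server.

```powershell
# Added example (not from the original post): audit the Trusted Root store size that caused
# the federation validation failure, and apply the SendTrustedIssuerList change from the post.
# $RootStoreLimit is the 120-certificate figure quoted in the post, not a documented constant.

$RootStoreLimit = 120
$SchannelKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-TrustedRootCount {
    # Count every certificate in the machine-wide Trusted Root Certification Authorities store,
    # which is what Schannel turns into the trusted issuer list sent during the TLS handshake.
    (Get-ChildItem -Path 'Cert:\LocalMachine\Root').Count
}

function Test-TrustedIssuerListRisk {
    param([int] $Count, [int] $Limit = $RootStoreLimit)
    # True when the issuer list would be larger than the validation tool tolerated.
    $Count -gt $Limit
}

function Set-SendTrustedIssuerList {
    param([ValidateSet(0, 1)] [int] $Value = 0)
    # Create the key if it is absent, then write the DWORD. 0 stops Schannel from sending
    # the trusted issuer list; 1 restores the default behaviour. No restart is needed.
    if (-not (Test-Path -Path $SchannelKey)) {
        New-Item -Path $SchannelKey -Force | Out-Null
    }
    New-ItemProperty -Path $SchannelKey -Name 'SendTrustedIssuerList' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the caller can confirm what was applied.
    (Get-ItemProperty -Path $SchannelKey -Name 'SendTrustedIssuerList').SendTrustedIssuerList
}

$count = Get-TrustedRootCount
Write-Host "Trusted Root CAs in LocalMachine\Root: $count"

if (Test-TrustedIssuerListRisk -Count $count) {
    Write-Host "More than $RootStoreLimit root CAs: setting SendTrustedIssuerList to 0"
    $applied = Set-SendTrustedIssuerList -Value 0
    Write-Host "SendTrustedIssuerList is now $applied"
}
else {
    Write-Host "Root store is within the limit; no registry change applied"
}
```

Re-run the Federation Validation tool after the script reports the value as 0; the script only touches the one DWORD the post names and leaves the certificate store itself untouched.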

Thanks Timmy for this valuable post :)
Can you make a blogpost about this?
