Cannot Configure a TLS Connection and a TLS Mutual Connection on a Home Server on the Same Port (830540)
The information in this article applies to:
- Microsoft Office Live Communications Server 2003
SYMPTOMS
When you try to configure a Transport Layer Security (TLS) connection and a TLS Mutual connection, you may receive the following error message:

The port you selected is already in use. Enter another port.

This problem occurs when you try to configure a TLS connection on one IP address and a TLS Mutual connection on a second IP address. Because you receive the error message, you may not be able to use a TLS connection on the home server. A TLS Mutual connection is required for home-server-to-home-server communication.

CAUSE
This problem occurs if you configure both connections to listen on the same port. For example, you configure both the TLS connection and the TLS Mutual connection to listen on port 5061.

Note This problem does not occur if you configure both connections to use either the TLS connection type or the TLS Mutual connection type. This problem occurs only when you configure one connection type as TLS and the second connection type as TLS Mutual.

WORKAROUND
To work around this problem, use one of the following methods.

Method 1: Deploy a Front-End Server
Deploy a front-end server to accept client connections and redirect those clients to the appropriate home server.

Method 2: Configure a Group Policy Object
Create a Group Policy object to relax the restrictions that Windows Messenger has on Domain Name Service (DNS) lookups. To do this, enable the DisableStrictDNSNaming policy. This policy is included in the Rtcclient.adm administrative template. The Rtcclient.adm administrative template is located in the Setup\i386 folder on the Live Communications Server 2003 CD. When you install Microsoft Live Communications Server 2003, this template is copied to the Windows\inf folder on the Live Communications Server computer and on the domain controller. To enable this policy, follow these steps:
- Start the Group Policy Object Editor utility. To do so, do one of the following:
  - If you want to create the policy on the Live Communications Server computer, click Start, click Run, type gpedit.msc in the Open box, and then click OK.
  - If you want to create this policy in a domain or organizational unit, follow these steps:
    - Start Active Directory Users and Computers.
    - Right-click the domain or the organizational unit container where you want to create this policy, and then click Properties.
    - Click the Group Policy tab, and then click New.
    - Type a name for the new Group Policy object, press ENTER, and then click Edit.
- Under Computer Configuration, right-click Administrative Templates, and then click Add/Remove Templates.
- Click Add, click rtcclient.adm, click Open, and then click Close.
- Expand Administrative Templates, expand Windows Messenger Policy Settings, and then click SIP Communications Service Policies.
- In the right pane, double-click Allow additional server DNS names.
- Click Enabled, and then click OK.
- Quit Group Policy Object Editor.
- If you created this as a domain or organizational unit policy, click Close to close the domain.com Properties dialog box.
- Wait for sufficient time for Group Policy changes to replicate throughout the domain.
Method 3: Use a TLS Mutual Certificate
To use a TLS Mutual certificate, follow these steps:
- When you request a certificate for the TLS connection, obtain a certificate that has both client authentication attributes and server authentication attributes. Additionally, obtain a certificate that has the correct common name.
- Create a TLS Mutual connection instead of a TLS connection.

Windows Messenger can connect to Live Communications Server 2003 and use the TLS Mutual certificate if the certificate has the common name that Windows Messenger expects and if the certificate has at least the server authentication attribute.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.

MORE INFORMATION
The certificate requirements in Live Communications Server 2003 are different for TLS connections than they are for TLS Mutual connections. Specifically, the common name of the certificate and the authentication attributes of the certificate are different for TLS connections and for TLS Mutual connections. Additionally, when the Windows Messenger client program is in auto configuration mode, it has (by default) a restriction on the results of the DNS query that it uses to locate the home server. Windows Messenger expects that the name of the host (A) record returned from DNS has the name sip.domain. This means the common name of the certificate used for client connections must have the name sip.domain. TLS Mutual connections use the fully qualified domain name (FQDN) of the home server. Therefore, the common name of the TLS Mutual certificate is the FQDN of the home server.
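The following Go program is an added example, not code from this article or from Microsoft. It models the two rules the article states so an administrator can check a planned configuration before touching the server: the port rule from the "Cause" section (a TLS listener and a TLS Mutual listener on the same port conflict even on different IP addresses, while two listeners of the same type do not) and the certificate requirements from Method 3 and the "More Information" section (server authentication and client authentication attributes, plus the sip.domain common name that Windows Messenger expects). The Listener type, the function names, the IP addresses and the names contoso.example and lcs01.contoso.example are assumptions made for the example; the certificate is a self-signed throwaway generated in the program so that it runs offline, standing in for one issued by a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ConnType models the two Live Communications Server connection types.
type ConnType int

const (
	TLS ConnType = iota
	TLSMutual
)

func (t ConnType) String() string {
	if t == TLSMutual {
		return "TLS Mutual"
	}
	return "TLS"
}

// Listener is one configured connection on the home server (assumed shape).
type Listener struct {
	IP   string
	Port int
	Type ConnType
}

// FindPortConflict applies the article's rule: a TLS listener and a TLS Mutual
// listener that share a port conflict regardless of IP address, whereas two
// listeners of the same type do not. It returns the first conflicting pair or nil.
func FindPortConflict(ls []Listener) (a, b *Listener) {
	for i := range ls {
		for j := i + 1; j < len(ls); j++ {
			if ls[i].Port == ls[j].Port && ls[i].Type != ls[j].Type {
				return &ls[i], &ls[j]
			}
		}
	}
	return nil, nil
}

// ExpectedCommonName returns the CN each connection type needs: sip.<domain>
// for client (TLS) connections, the home server's FQDN for TLS Mutual.
func ExpectedCommonName(t ConnType, sipDomain, fqdn string) string {
	if t == TLSMutual {
		return fqdn
	}
	return "sip." + sipDomain
}

func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, u := range cert.ExtKeyUsage {
		if u == want {
			return true
		}
	}
	return false
}

// CheckCertForMethod3 checks a certificate meant to serve Windows Messenger
// clients over a TLS Mutual connection: both EKUs and the CN clients expect.
func CheckCertForMethod3(cert *x509.Certificate, sipDomain string) error {
	var problems []string
	if !hasEKU(cert, x509.ExtKeyUsageServerAuth) {
		problems = append(problems, "missing server authentication attribute")
	}
	if !hasEKU(cert, x509.ExtKeyUsageClientAuth) {
		problems = append(problems, "missing client authentication attribute")
	}
	want := ExpectedCommonName(TLS, sipDomain, "")
	if !strings.EqualFold(cert.Subject.CommonName, want) {
		problems = append(problems, fmt.Sprintf("common name %q, Windows Messenger expects %q", cert.Subject.CommonName, want))
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// NewSelfSignedCert builds a constructed, self-signed test certificate with the
// given CN and extended key usages so the check can be exercised offline.
func NewSelfSignedCert(cn string, ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed configuration reproducing the article's scenario: port 5061 on two IPs.
	listeners := []Listener{
		{IP: "192.0.2.10", Port: 5061, Type: TLS},
		{IP: "192.0.2.11", Port: 5061, Type: TLSMutual},
	}
	if a, b := FindPortConflict(listeners); a != nil {
		fmt.Printf("conflict: %s:%d (%v) and %s:%d (%v) share a port\n", a.IP, a.Port, a.Type, b.IP, b.Port, b.Type)
	}
	cert, err := NewSelfSignedCert("sip.contoso.example", x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println("method 3 certificate check:", CheckCertForMethod3(cert, "contoso.example"))
}
```

A certificate whose CN is the home server's FQDN (lcs01.contoso.example) passes the EKU checks but fails the common name check, which is the case the article's final paragraph describes: without the Method 2 policy, Windows Messenger will not accept it for client connections.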
When you configure the workaround that is described in method 2 of the "Workaround" section of this article, the Windows Messenger client and the other Live Communications Server computers can connect to Live Communications Server 2003 on a single IP address.
Modification Type: Minor
Last Reviewed: 12/2/2003
Keywords: kbpending kbBug kberrmsg KB830540 kbAudITPRO