Three items are key for automatic Office Communicator sign-in to work in an OCS 2007 environment:
- Specifying the correct FQDN in DNS for the SRV record used for automatic sign-in.
- Ensuring the correct Subject Name (and possibly Subject Alternative Names) is specified on the OCS certificate of the server the client connects to (e.g. the certificate on the Front-End or Director role). The name the client connects to must match a name on that certificate, which is why the FQDN you publish in DNS and the certificate have to be planned together.
- Ensuring that the Certificate Authority that issued the certificate is trusted by the client.
In my experience, Office Communicator sign-in issues are usually caused by one of these settings not being correct.
I’ll explore each of these requirements in separate blog posts. I’ll start now with the first: specifying the correct FQDN in DNS for the SRV record.
At a high-level, when an Office Communicator client is configured for automatic sign-in, it goes through the following steps to obtain an IP address to connect to:
- A query is made to DNS (against the DNS server configured in the Windows client) for an SRV record associated with the SIP domain of the user attempting to sign in. The SRV record must be of a particular format. See my previous blog post on what the format of the DNS record should be. The SIP domain is the right-hand side of the user’s SIP address (e.g. example.com for the SIP address user@example.com).
- A successful DNS query returns two key pieces of information: a fully-qualified domain name (FQDN) and a port.
- The client does a DNS A record lookup on the FQDN to get an IP address associated with the FQDN.
- The client connects to that IP address and port.
Note: if a client is not configured for automatic sign-in, it just uses the DNS A record for the FQDN (or hostname) configured directly in the client. Also, if no SRV records are found, Communicator tries several DNS host (A record) lookups (see my previous blog post for the specific formats).
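The following is an added example, not code from the original post or from the InsideOCS tool: it walks the SRV -> FQDN -> A record -> IP sequence described above against a constructed, in-memory zone so it runs offline, and it reports every record probed (missing, dangling, or used) the way a sign-in troubleshooting check would. The SRV names `_sipinternaltls._tcp`, `_sipinternal._tcp` and `_sip._tls`, and the A-record fallbacks `sipinternal`, `sip` and `sipexternal`, are the documented Communicator 2007 names and are assumed here; the earlier post this article refers to is the authority on the formats. `ZONE`, `BROKEN_ZONE`, the host names and the addresses are all constructed sample data.

```python
"""Audit the DNS records Office Communicator 2007 uses for automatic sign-in.

Added example for this post (not the InsideOCS tool). `lookup` reads from a
dict so the walk runs offline; in a real environment replace it with live
DNS queries (e.g. dnspython or nslookup against the client's DNS server).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Record names Communicator 2007 probes, in order. Assumed from the product
# documentation; the post defers the exact formats to an earlier article.
SRV_CANDIDATES = ["_sipinternaltls._tcp.{d}", "_sipinternal._tcp.{d}", "_sip._tls.{d}"]
A_FALLBACKS = ["sipinternal.{d}", "sip.{d}", "sipexternal.{d}"]


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # the FQDN the client will connect to (and must find on the cert)


@dataclass
class Probe:
    name: str
    rtype: str
    status: str  # "missing", "dangling: ...", "ok", "ok (not used)"


@dataclass
class Result:
    probes: List[Probe] = field(default_factory=list)
    used: Optional[str] = None   # record that decided the connection
    fqdn: Optional[str] = None
    port: Optional[int] = None   # None = client default for the transport
    ip: Optional[str] = None


def norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return name.lower().rstrip(".")


def sip_domain(sip_address: str) -> str:
    """SIP domain is the right-hand side of user@example.com."""
    if sip_address.count("@") != 1:
        raise ValueError(f"not a SIP address: {sip_address!r}")
    return norm(sip_address.split("@", 1)[1])


def lookup(zone: dict, name: str, rtype: str) -> list:
    return list(zone.get((norm(name), rtype), []))


def best_srv(records: List[SrvRecord]) -> SrvRecord:
    # RFC 2782 ordering: lowest priority first, then highest weight.
    # Deterministic here instead of weighted-random so results are testable.
    return min(records, key=lambda r: (r.priority, -r.weight))


def resolve_signin(sip_address: str, zone: dict) -> Result:
    d = sip_domain(sip_address)
    res = Result()
    for pattern in SRV_CANDIDATES:
        name = pattern.format(d=d)
        srvs = lookup(zone, name, "SRV")
        if not srvs:
            res.probes.append(Probe(name, "SRV", "missing"))
            continue
        if res.used is not None:
            res.probes.append(Probe(name, "SRV", "ok (not used)"))
            continue
        srv = best_srv(srvs)
        ips = lookup(zone, srv.target, "A")
        if not ips:
            # The classic misconfiguration: SRV exists but its target FQDN
            # has no A record, so the client never gets an IP to connect to.
            res.probes.append(Probe(name, "SRV", f"dangling: {norm(srv.target)} has no A record"))
            continue
        res.probes.append(Probe(name, "SRV", "ok"))
        res.used, res.fqdn, res.port, res.ip = name, norm(srv.target), srv.port, ips[0]
    if res.used is None:
        # No usable SRV record: fall back to plain host (A) lookups.
        for pattern in A_FALLBACKS:
            name = pattern.format(d=d)
            ips = lookup(zone, name, "A")
            if not ips:
                res.probes.append(Probe(name, "A", "missing"))
                continue
            res.probes.append(Probe(name, "A", "ok" if res.used is None else "ok (not used)"))
            if res.used is None:
                res.used, res.fqdn, res.ip = name, name, ips[0]
    return res


# Constructed zone: an Enterprise pool behind a hardware load balancer.
ZONE = {
    ("_sipinternaltls._tcp.example.com", "SRV"): [SrvRecord(0, 0, 5061, "pool01.example.com.")],
    ("pool01.example.com", "A"): ["10.0.0.50"],  # internal VIP of the HLB
    ("sip.example.com", "A"): ["10.0.0.50"],
}
# Constructed broken zone: the SRV target was never given an A record.
BROKEN_ZONE = {
    ("_sipinternaltls._tcp.example.com", "SRV"): [SrvRecord(0, 0, 5061, "ocspool.example.com.")],
    ("sipinternal.example.com", "A"): ["10.0.0.50"],
}

if __name__ == "__main__":
    for label, zone in (("good", ZONE), ("broken", BROKEN_ZONE)):
        r = resolve_signin("user@example.com", zone)
        print(f"[{label}] used={r.used} fqdn={r.fqdn} port={r.port} ip={r.ip}")
        for p in r.probes:
            print(f"    {p.rtype:3} {p.name:40} {p.status}")
```

When the SRV walk reports `dangling`, the fix is on the FQDN side of the table below: the SRV target must be a name that has an A record (Front-End, Director, or the load balancer VIP) and, because the client will attempt TLS to that name, it must also appear on the server certificate.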
What FQDN should be listed for the DNS SRV record? This could be the FQDN of an OCS Front-End, a Director, or the Virtual IP (VIP) of a load balancer. The answer depends on your environment. Below I attempt to capture the most common scenarios.
| Situation | With Director | With HLB (1) | DNS SRV FQDN | FQDN DNS (A) Record |
|---|---|---|---|---|
| Standard Edition Server | | | Front-End Server | IP of Front-End |
| Standard Edition Server | * | | Director | IP of Director |
| Consolidated Enterprise Pool | | | Pool | IP of Front-End in Pool |
| Consolidated Enterprise Pool | * | | Director (2) | IP of Director |
| Consolidated Enterprise Pool | | * | Pool | Internal VIP of HLB |
| Expanded Enterprise Pool | | * | Pool | Internal VIP of HLB |
| Expanded Enterprise Pool | * | | Director (2) | IP of Director |
| Expanded Enterprise Pool | * | * | Director (2) | IP of Director |

Notes:
(1) HLB = Hardware Load Balancer.
(2) If the Director is a Standard Edition server, the FQDN is the FQDN of that Standard Edition Server. If the Director is an Enterprise Edition pool, the FQDN is the FQDN of the Pool associated with the Director.
(3) If you have multiple SIP domains in your environment, you require a DNS SRV record for each one.
InsideOCS has a free downloadable tool (the Automatic Sign-In Troubleshooting Tool) that queries for all of the automatic sign-in DNS records and shows which ones exist and which one will be used.
For more details on the automatic sign-in process and its requirements, see: