Three items are key for automatic Office Communicator sign-in to work in an OCS 2007 environment:
- Specifying the correct FQDN in DNS for the SRV record used for automatic sign-in.
- Ensuring the correct Subject Name (and possibly Subject Alternative Names) is specified on the OCS certificate where the client connects (e.g. the certificate on the Front-End or Director role).
- Ensuring that the Certificate Authority that issued the certificate is trusted by the client.
In my experience, Office Communicator sign-in issues are usually caused by one of these settings not being correct.
I’ll explore each of these requirements in separate blog posts. I’ll start now with the first: specifying the correct FQDN in DNS for the SRV record.
At a high level, when an Office Communicator client is configured for automatic sign-in, it goes through the following steps to obtain an IP address to connect to:
- A query is made to DNS (against the DNS server configured on the Windows client) for an SRV record associated with the SIP domain of the SIP address for the user attempting to sign in. The SRV record must be of a particular format. See my previous blog post on what the format of the DNS record should be. The SIP domain is the right-hand side of the user’s SIP address (e.g. example.com for the SIP address user@example.com).
- The successful DNS query returns two key pieces of information: a fully-qualified domain name (FQDN) and a Port.
- The client then does a DNS A record lookup on the FQDN to get an IP address associated with the FQDN.
- The Communicator client attempts a connection to the IP address and Port.
Note: if the Communicator client is not configured for automatic sign-in, it just uses the DNS A record for the FQDN (or hostname) configured directly in the client. Also, if no SRV records are found, Communicator tries several DNS host (A record) lookups (see my previous blog post for the specific formats).
What FQDN should be listed for the DNS SRV record? Depending on your environment, this could be the FQDN of an OCS Front-End, a Director, or the Virtual IP (VIP) of a load balancer. The table below answers the most common scenarios.
TABLE 1: WHAT SHOULD THE AUTOMATIC SIGN-IN DNS SRV RECORD POINT TO?

| Pool Type | With Director | With HLB | DNS SRV FQDN | DNS (A) Record |
|---|---|---|---|---|
| Standard Edition Server | | | Front-End Server | IP of Front-End |
| “” | YES | | Director | IP of Director |
| Consolidated Enterprise Pool | | | Pool | IP of Front-End in Pool |
| “” | YES | | Director (1) | IP of Director |
| “” | | YES | Pool | Internal VIP of HLB |
| Expanded Enterprise Pool | | YES | Pool | Internal VIP of HLB |
| “” | YES | | Director (1) | IP of Director |
| “” | YES | YES | Director (1) | IP of Director |

Notes:
(1) HLB = Hardware Load Balancer
(2) If the Director is a Standard Edition, the FQDN is the FQDN of Standard Edition Server. If the Director is an Enterprise Edition, the FQDN will be the FQDN of the Pool associated with the Director.
(3) If you have multiple SIP domains in your environment, you require a DNS SRV record for each one.
InsideOCS has a free download tool (the Automatic Sign-In Troubleshooting Tool) that will query for all of the automatic sign-in DNS records and show which ones exist, and which one will be used.
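The lookup steps above and the one-SRV-record-per-SIP-domain requirement in note (3) can be walked through offline. This is an added example, not code from this post or from the InsideOCS tool: the zone data is constructed, and the SRV and host record names are the ones commonly documented for Communicator 2007 rather than taken from this page.

```python
# Added example: offline walk-through of the automatic sign-in lookup steps.
# Record names are the commonly documented Communicator 2007 ones (assumption,
# not from this page); the zone contents below are constructed sample data.
SRV_PREFIXES = ["_sipinternaltls._tcp", "_sipinternal._tcp", "_sip._tls", "_sip._tcp"]
HOST_PREFIXES = ["sipinternal", "sip", "sipexternal"]
FALLBACK_PORT = 5061  # assumption: TLS port used for the host-record fallback

# Constructed zone: SRV name -> (target FQDN, port); host name -> IP address
ZONE_SRV = {"_sipinternaltls._tcp.example.com": ("pool01.example.com", 5061)}
ZONE_A = {
    "pool01.example.com": "10.0.0.20",  # e.g. internal VIP of the HLB
    "sip.contoso.test": "10.0.1.5",     # host record only, no SRV record
}

def sip_domain(sip_address):
    """Right-hand side of the SIP address: user@example.com -> example.com."""
    user, sep, domain = sip_address.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a SIP address: {sip_address!r}")
    return domain.lower().rstrip(".")

def resolve_sign_in(sip_address, srv=ZONE_SRV, a=ZONE_A):
    """Return (record used, FQDN, IP, port), or None when nothing resolves."""
    domain = sip_domain(sip_address)
    for prefix in SRV_PREFIXES:            # step 1: SRV query for the SIP domain
        name = f"{prefix}.{domain}"
        if name in srv:
            fqdn, port = srv[name]         # step 2: FQDN and port from the SRV
            # step 3: A lookup on the FQDN; IP is None if that host record is
            # missing (reported here as a misconfiguration, not retried)
            return (name, fqdn, a.get(fqdn), port)
    for prefix in HOST_PREFIXES:           # no SRV found: host (A) record fallback
        fqdn = f"{prefix}.{domain}"
        if fqdn in a:
            return (fqdn, fqdn, a[fqdn], FALLBACK_PORT)
    return None

def domains_missing_srv(sip_addresses, srv=ZONE_SRV):
    """SIP domains that have no automatic sign-in SRV record at all."""
    domains = sorted({sip_domain(addr) for addr in sip_addresses})
    return [d for d in domains if not any(f"{p}.{d}" in srv for p in SRV_PREFIXES)]

if __name__ == "__main__":
    users = ["user@example.com", "alice@contoso.test", "bob@fabrikam.test"]
    for u in users:
        print(u, "->", resolve_sign_in(u))
    print("SIP domains without an SRV record:", domains_missing_srv(users))
```

The FQDN in the returned tuple is also the name the certificate on the Front-End or Director has to carry, so the same output shows which name to check when sign-in fails on the certificate requirement.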
For more details on the automatic sign-in process and its requirements, see:











Yes, it should be Standard EDITION; not Enterprise. Thanks, it is corrected now.
FYI – during some blog upgrades, the formatting of this article got a bit messed up (some footnotes were lost, and the check marks were replaced with mail icons!). I’ll review and clean it up shortly….
Curtis
Typo or confusion here:
(2) If the Director is a Standard Enterprise, the…..
Do you mean Standard Edition or Enterprise Edition?