ukstokes.com

tech stuff from a tech bloke

• Configure automatic login on OCS 2007

  Apr 11th 2009

  By: ben

  5 comments

  A A

  

  Here's the scenario: You have a single OCS 2007 standard edition server on your network. Your Active Directory uses a DNS suffix that is not available externally, for example ocs.internal.ad. You are using a certificate issued by your domain CA on your OCS server (this is recommended) and automatic logon works fine while your clients are on the internal network.

  You have also deployed an OCS 2007 Edge Access Server. The server's name in external DNS is sip.yourdomain.com.

  The goal is to enable clients to log in automatically. This is a nice to have - and I think even nicer when they can log in automatically from both within the corporate LAN and the outside of your network.

  The problem
  If you change your users OCS sign-in names to their email addresses (i.e. user@yourdomain.com), the automatic logon works fine on the outside but not from the inside (providing your Edge Access server and supporting DNS records are set up correctly). Meanwhile from outside of your network if your users have sign-in names using your internal AD namespace (i.e. user@internal.ad), automatic logon fails - this is because the internal.ad DNS suffix does not exist on the outside and your OCS client cannot find an SRV record in DNS to locate the OCS server.

  The solution!
  There are several components that need to be in place for this to work.

  1. DNS Configuration
  For this to work you are required to set up a copy of your external DNS as a primary zone in your Active Directory DNS. Then in your internal DNS configure an A Record for sip.yourdomain.com pointing to the IP address of your internal OCS server. In addition, set up some SRV records:

  _tcp._sipinternal.yourdomain.com -- sip.yourdomain.com (0 0 5061)
  _tcp._sipinternaltls .yourdomain.com -- sip.yourdomain.com (0 0 5061)

  2. Certificate configuration
  For authenticating external clients, you will need an SSL certificate on your Edge Access server. Choosing the right sort of certificate is vital for the Edge Access role. You have to select one from this list for federation and public IM connectivity to work properly.  Other certificates may work, but have not been approved for use with OCS 2007 by Microsoft.

  For authenticating internal clients, Microsoft recommend you use a certificate from the CA on your domain. From your standard edition server, run setup on the OCS CD and go through the certificate wizard. When configuring the certificate, specify ocs.internal.ad (insert your internal server name here) as the primary name of your server and sip.yourdomain.com (your external namespace) as the alternative name on the certificate.

  3. Sign-In names
  Last thing is to configure sign in names, these will need to be changed to use your external DNS suffix, i.e. user@yourdomain.com. One word of warning on this - if you change sign-in names while the users are logged on, they will be kicked off the system and receive an error about invalid credentials. Instead, make the changes while the users are logged off and they will then be picked up automatically the next time the computers are booted up on the network.

  After making this change users should then be able to log in automatically from both the corporate network and the Internet.

  This is one area IMHO where the OCS 2007 documentation does not go into enough detail.

  Share this

  Windows Servers
  Comments
  • Comments (5)
  • Trackbacks (0)
  • rss
  • Leave a comment
  • 

    Favad Qaisar

    March 18th, 2010 at 10:55

    Return to top

    Ben, this is indeed a very useful post, and hats off to you for writing in detail; about a pretty common scenario.

    1. Would it be possible to use a Communicator to login externally with manual settings using sign-in names like user@internal.ad, since I'm able to do it through my Communicator Web Acess?

    2. What DNS entries I would need to make that happen? I have OCS 2007 R2. Standard Edition, Communicator Web Access, Edge, Mediation and Internal CA besides Public CA Wild Card Certificate for my domian.

    Thanking you in anticipation

    Favad
  • 

    ben

    March 19th, 2010 at 15:47

    Return to top

    Well, if you don't want to change users principal names in AD you would have to buy the domain internal.ad and then set up the SRV records for it in external DNS.

    _tcp._sipinternal.yourdomain.com -- sip.internal.ad (0 0 5061)
    _tcp._sipinternaltls .yourdomain.com -- sip.internal.ad (0 0 5061)

    However this does expose your internal namespace to the internet, this may or may not bother you.

    This is assuming that you're using a domain suffix that can be bought from domain registries - in my example internal.ads, the .ads domain isn't available.
  • 

    Favad Qaisar

    March 20th, 2010 at 05:21

    Return to top

    Hey Ben, thank you for the reply. Since I cannot my .local domain, the only option would be to use external DNS suffix i.e @domain.com

    However, I am still a bit curious. Since I can login with .local suffix externally using Communicator Web Access set up using Reverse Proxy, why can I not login in Office Communicator using manual configuration. Do we not need External DNS entries for Automatic logons only?

    Favad
  • 

    ben

    March 25th, 2010 at 14:25

    Return to top

    Now you've gone and confused me

    You would be able to use Communicator Web Access, or 'manual login' to the OCS client, whatever your domain name or username convention is?

    "Do we not need External DNS entries for Automatic logons only?"

    The external DNS entries are for automatic login, and for other OCS installations to locate your Edge server.
  • 

    Orval Eske

    June 15th, 2010 at 14:58

    Return to top

    I’m happy! It is pleasant to see somebody extremely educated about what they do. Maintain up the excellent function and I’ll return for far more! Thank you!
  No Trackbacks yet

  Leave a Reply

  Click here to cancel reply.

  Name (required)

  Mail (will not be published) (required)

  Website

  Notify me of followup comments via e-mail

• Subscribe

  

  

• Recent Posts

  • Connect Skydrive as a Windows mapped drive
  • D-Link DWA-131 and Ubuntu
  • Configure a non-enterprise Blackberry handset for Exchange
  • Upgrading bugzilla from 3.0.x to 3.4.6
  • Compile your own droid – Part 1a

• Spam Blocked

  12,952 spam comments blocked by
  Akismet

• Recent Comments

  • Andrew Montague on How to purge an orphaned mailbox
  • Orval Eske on Configure automatic login on OCS 2007
  • ben on Vista: Run a script at shutdown
  • Jakob G on Vista: Run a script at shutdown
  • Jakob G on Vista: Run a script at shutdown

• Categories

  • Android
  • Blackberry
  • Blogging
  • Desktop Linux
  • Enterprise Linux
  • Exchange
  • Messaging
  • Mobile
  • News
  • Nintendo
  • OCS
  • Random stuff
  • Rants
  • Scripting
  • Technology
  • VMware
  • Windows Servers
  • Windows Vista

• Tags

  Active Directory Android Bash scripting BES Blackberry Bugzilla Cacti CentOS Citrix Desktop Linux DivX Dr DivX Enterprise Linux Google iptables K2 Wordpress 2.5 kickstart Linux Logical Volumes LVM Messaging Mobile N95 netfilter networking Open Source Performance Putty Random Rant Red Hat Red Hat Summit RHEL routing Scripting SSH thin client Ubuntu VBScript Video Encoding VMware Windows Windows Vista wireless

• Tweets

  • @THErealDVORAK filezilla 2010/07/30
  • Office 2007 tip of the day. Ctrl+F1 hides the ribbon! Useful on a laptop screen. 2010/07/29
  • @Danielsaan what's demob? 2010/07/28
  • @Jedipottsy I haven't tried opendesire for about 3 weeks. Been using Pays froyo rom and it rocks. How about you? 2010/07/28
  • @Jedipottsy mythreed loads faster I think, there's not much in it though. Nice work btw! 2010/07/28

© Copyright ukstokes.com. All rights reserved.

Theme designed by Nischal Maniar