Confused Amused

OCS 2007 & Messenger for the Mac

One of my pieces of OCS testing involved putting it through the paces of various IM clients other than Office Communicator and seeing what works and what doesn’t work so well. Even though I’ve read several pieces stating that Mac Messenger 6.0.3 was supposed to work with OCS, I cannot find a way to do so. This was all strictly for internal testing, but I imagine at this point the external results would have been the same. The first step was importing the root CA certificate into my X509 anchors keychain. After importing the certificate I could see it listed so I knew Messenger should be able to connect at this point.

Scenario #1 - Enhanced Presence: My first attempt was with a user that already had signed into an OC 2007 client, so enhanced presence has been enabled for this user. Messenger throws back an error to me: "Sign in to Microsoft Messenger failed because the service is not available or you may not be connected to the Internet". I know both parts are untrue - I’m on the LAN with no issues and the service is certainly available because other users are signed in at the same time with Office Communicator clients.

Scenario #2 - Fresh User: I had a hunch that enhanced presence might be causing the problems so I created a fresh user account and enabled it for OCS. I purposely did not sign-in to an Office Communicator 2007 client so enhanced presence would not be turned on. After trying to sign-in with the new user I received a different error: "Sign in failed because the password is incorrect or the sign-in name does not exist." Again, I know both of these are untrue (Can someone give the MacBU some lessons on writing error messages please?). The password is correct and the sign-in name does exist.

I figured I’d take a look at what was happening on the server side of things so I started up the OCS diagnostic logger, checked the SIPStack option and started logging. For scenario #1, I saw what I expected: a normal NTLM handshake attempt, but instead of succeeding the final message is a "421 Extension required" error:

Start-Line: SIP/2.0 421 Extension required
ms-diagnostics: 2013;reason="msrtc-event-categories extension required";source="tap-ocs-2k7.ptown.com"
ms-diagnostics-public: 2013;reason="msrtc-event-categories extension required"

Ok, fair enough. The Mac Messenger client probably can’t handle enhanced presence just like the Office Communicator 2005 client can’t. The extension the server is asking for is probably enhanced presence related. So on to scenario #2 with a new user account. This is where it gets confusing - I receive a "404 Not Found" SIP error this time:

Start-Line: SIP/2.0 404 Not Found
ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="tap-ocs-2k7.ptown.com"

Well, at least this error message is somewhat consistent with the error the user receives from Messenger. I know the URI exists and is enabled, so this error is bizarre. Just for kicks I opened an Office Communicator 2005 client and tried to sign in. Guess what? It worked fine. Maybe I needed to sign in to OC one time to make this work? Nope. I still can’t sign in to the Mac client.
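
Added example (not from the original post or from Microsoft): a small Python parser that pulls the SIP status and the ms-diagnostics error ID, reason and source out of SIPStack excerpts like the two above, so the server's own explanation can be read next to the misleading client message. The sample trace is constructed from the excerpts in this post, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two SIPStack excerpts quoted in the post, in one trace.
SAMPLE_LOG = '''\
Start-Line: SIP/2.0 421 Extension required
ms-diagnostics: 2013;reason="msrtc-event-categories extension required";source="tap-ocs-2k7.ptown.com"
ms-diagnostics-public: 2013;reason="msrtc-event-categories extension required"

Start-Line: SIP/2.0 404 Not Found
ms-diagnostics: 4005;reason="Destination URI either not enabled for SIP or does not exist";source="tap-ocs-2k7.ptown.com"
'''

STATUS_RE = re.compile(r'^Start-Line:\s*SIP/2\.0\s+(\d{3})\s+(.*)$', re.I)
DIAG_RE = re.compile(r'^(ms-diagnostics(?:-public)?):\s*(\d+)(.*)$', re.I)
# Matches ;name="quoted value" or ;name=bare-token
PARAM_RE = re.compile(r';\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))')

@dataclass
class SipResponse:
    status: int
    phrase: str
    diagnostics: dict = field(default_factory=dict)  # header name -> fields

def parse_diag(error_id, params):
    """Turn '2013' plus ';reason="...";source="..."' into a dict."""
    fields = {"id": int(error_id)}
    for name, quoted, bare in PARAM_RE.findall(params):
        fields[name.lower()] = quoted or bare.strip()
    return fields

def parse_sipstack(text):
    """Return one SipResponse per response Start-Line, with its diagnostics."""
    responses, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.lower().startswith("start-line:"):
            m = STATUS_RE.match(line)
            # A request Start-Line (e.g. REGISTER) ends the previous response.
            current = SipResponse(int(m[1]), m[2].strip()) if m else None
            if current:
                responses.append(current)
        elif current and (m := DIAG_RE.match(line)):
            current.diagnostics[m[1].lower()] = parse_diag(m[2], m[3])
    return responses

def summarize(resp):
    """One line per failure: SIP status plus the server's own explanation."""
    d = resp.diagnostics.get("ms-diagnostics") or resp.diagnostics.get("ms-diagnostics-public", {})
    return f'{resp.status} {resp.phrase} | diag {d.get("id")}: {d.get("reason")} (source {d.get("source", "n/a")})'
```

In the first excerpt the ms-diagnostics-public header carries the same ID and reason but no source parameter, so the parser keeps it as a separate entry instead of merging the two.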

So my conclusion from all of this is that having enhanced presence enabled probably prevents a user from ever signing into a Mac Messenger client, or at least until Microsoft’s MacBU releases the next version of Messenger. A user without enhanced presence should probably be able to sign in successfully, but I’m not sure why it doesn’t work. Has anyone out there gotten the Mac Messenger client to work with OCS 2007 yet?

Update:

I got it working! To be able to use Mac Messenger 6.0.3 you must first create the user on the OCS pool and then enable their account for Enhanced Presence. At that point they should be able to sign-in successfully. You can read my post about the different stages of Enhanced Presence for some more information.

Vista SP1 RTM

So Vista SP1 officially went RTM today with one major headache - it won’t be available for download until mid-March. Microsoft hasn’t said yet what the reasoning here is, but either way I guess that clean install + SP1 I’ve been waiting to do will have to wait another month. I don’t understand the holdup since they already made it a year past the official release date of Vista (by a few days) without releasing a service pack. Wasn’t that the point? :)

Custom OCS Edge Server Snap-In

One of the more obnoxious pieces of OCS is the fact that there isn’t a dedicated MMC snap-in for the Edge Servers, but instead you have to open the entire Computer Management console. The method below will let you create a simple MMC that only opens the OCS Edge server parts.

  1. I know this seems like a long-winded way to open Computer Management, but we need the full MMC window to save the custom snap-in, so go to Start | Run, type in mmc and press OK.
  2. Go to File | Add/Remove Snap-In and press Add.
  3. Choose Computer Management and press Add, Finish, Close and OK.
  4. Expand Computer Management | Services and Applications, right-click on Microsoft Office Communications Server 2007 and choose New window from here.
  5. Now you should have a window with the root as your OCS controls. Click on File | Options.
  6. Click the Change Icon button and then browse to C:\Program Files\Common Files\Microsoft Office Communications Server 2007\RTCMMCR2.dll and press OK.
  7. You should now have a few options for icons. My preference is the first one that matches up with the icon for internal servers. 
  8. You can also rename the console to something friendlier, like Office Communications Server 2007. I’d also suggest changing the console mode to User mode - full access to keep the console from opening in author mode each time.
  9. Click on File | Save As… and save your custom MMC somewhere safe, say, C:\Documents and Settings\Administrator\My Documents.
  10. Personally, I find it dumb to have a shortcut in Administrative Tools that doesn’t work, so I like to replace the one OCS installs. Right-click on the existing OCS 2007 shortcut in Programs | Administrative Tools and choose Properties.
  11. Change the target for the shortcut to wherever you saved your custom MMC. Mine was at C:\Documents and Settings\Administrator\My Documents\OCS Edge.msc.
  12. You should be all set now. Opening the Office Communications Server 2007 shortcut will now open a usable snap-in.

LCS 2005 & Messenger for the Mac on Leopard

One of the changes with OS X 10.5 Leopard is the lack of the X509Anchors keychain being installed by default. The problem this creates is that a lot of Microsoft applications for the Mac depend on this keychain for their certificate authentication. They check the X509 keychain for a certificate and when it doesn’t exist, they fail to authenticate. The annoying part here is that the application doesn’t even have appropriate error messages included. Instead of something logical like "the certificate is not valid or trusted" the user gets an error that their sign-in name or password is incorrect. Fortunately there’s a workaround and you can add this keychain back to make it functional again.

  1. Open Keychain Access (Using Spotlight to search for it is probably easiest)
  2. Click File > Add Keychain
  3. Browse to Macintosh HD | System | Library | Keychains and select the X509Anchors keychain. Press Open.
  4. Now select the X509 keychain in the Keychain Access window and drag all of the certificates you need onto this window. You should be prompted for your admin credentials.
  5. Now you’ll see a window asking which keychain you want to install the certificates to. Choose X509Anchors and press OK.
  6. Once your certificates are installed, try signing in again. This time it should succeed!

Communicator 2007 Custom Presence Tool

Yesterday afternoon I was tinkering with the custom states you can define within Office Communicator 2007 and found actually creating the custom states obnoxiously difficult for an end-user. In an effort to remedy that problem I whipped up an application I’m going to call the Communicator 2007 Custom Presence Tool. Let’s call it a beta version for now, just to be trendy.

It provides a GUI interface for users to select their custom availability and a status note to go along with the availability. The tool creates the XML file and updates the CustomStates registry value with the location of the XML file.

Here’s a basic rundown of what happens:

  • Upon startup, the tool tries to read the value of HKCU\SOFTWARE\Policies\Communicator\CustomStates.
  • If the value exists, it loads the XML file location that is specified.
  • If the value doesn’t exist, the user is prompted for a location to save the XML file. It defaults to %AppData%\Microsoft\Communicator\CustomPresence.xml. I chose that location to accommodate roaming profiles.
  • At this point the user is presented with a blank sheet (or filled if the XML file existed) of their custom availabilities and status notes that they can fill out.
  • Once Save is pressed the registry value is updated to reflect the location of the XML file.

It seems to work fine for my purposes in a lab environment, but by no means am I a programmer so I would thoroughly test this tool out on some non-production machines before you try implementing this. I’d also love any kind of feedback, so please let me know what you think. I’m positive there are some issues I haven’t found yet so feel free to point them out.

Download Communicator 2007 Custom Presence Tool

Requirements: Microsoft .NET Framework 2.0

CWA 2007 HTTP to HTTPS Redirect

So you want to redirect any client HTTP requests for OWA to the HTTPS version? Easy enough. For our external clients this is fairly simple because you can simply have ISA do the hard work. For the internal clients, which I’ll show here, it requires a little more work.

So open up the IIS snap-in. By default CWA creates web sites outside of the Default Web Site, which makes this process easy for us. All we have to do is redirect requests to the default web site to the CWA one.

  1. Right-click the Default Web Site and choose Properties.
  2. Click the Home Directory tab.
  3. Under "The content for this resource should come from" choose A redirection to a URL.
  4. Enter the redirect URL, https://cwa.confusedamused.com in my case, and press OK.

Now that should work well if you have a dedicated CWA server and nothing else clogging up your Default Web Site. But what if another application is already there? The method above won’t work so hot in that case. As a workaround we need to create another virtual web site that will redirect our clients to the appropriate page.

  1. Right-click the Web Sites node and choose New | Website.
  2. Click Next to start the wizard and enter CWA Redirect as the description. Press Next.
  3. Leave Port 80 as the port and enter the hostname for your CWA site, cwa.confusedamused.com in my case. Press Next.
  4. For the path you can use the default IIS contents so just browse or enter C:\Inetpub\wwwroot. Make sure anonymous access is checked. Press Next.
  5. Accept the default access permissions by pressing Next and then click Finish.
  6. Now, just follow the steps above that I outlined for the Default Web Site, but do it instead for the CWA Redirect website you just created.
  7. When all is said and done, the CWA Redirect website should appear alongside your other IIS websites.

Now you can browse to http://cwa.confusedamused.com and IIS will pick up the host-header, point your client at the CWA Redirect website, which immediately redirects the request to https://cwa.confusedamused.com.

Prettier Chat Logs for OCS

The OCS team posted a PowerShell commandlet today that lets you pull out conversations between users and output to an HTML file. I’ll try it out soon, but it has to be much better than the current method of writing your own SQL queries and retrieving some ugly looking code. Here’s the link: http://communicationsserverteam.com/archive/2008/01/14/69.aspx

Update: I stood up an Archiving and CDR this afternoon and gave this commandlet a shot. Much better than digging through SQL logs and trying to parse out an actual conversation.

I’ll probably tweak the script myself (left-justified text) a bit, but it’s a solid improvement over what we had before.

Communicator Web Access Loopback Issues

On the same subject as the previous post, I ran into some more issues with the integrated authentication on CWA. It worked from any PC except for the CWA server itself. If I tried to sign in from the CWA box I’d get the endless Windows authentication dialogs and it would eventually fail. The solution? Follow method 2 from this KB: http://support.microsoft.com/default.aspx?scid=kb;EN-US;896861

I created the BackConnectionHostNames multi-string in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 with a value of cwa.confusedamused.com, my internal CWA host name, restarted IIS and was able to login successfully.

Communicator Web Access Integrated Authentication

This morning I set about adding a Communicator Web Access (CWA) server to my lab and had a small issue with the integrated Windows authentication piece. Basically, I’d click the sign in button and get a Windows authentication dialog instead of being signed into CWA. Even with valid credentials my login would fail and I’d see an error "Cannot sign in. The password or sign-in address may be incorrect. Make sure that your sign-address matches your user account and try again."

Turns out there are a few steps you need to take to make this work:

  1. Open Internet Explorer.
  2. Click Tools | Options.
  3. Click the Security tab.
  4. Click on Local intranet and press the Sites button.
  5. Uncheck the box Automatically detect intranet network and press the Advanced button.
  6. Type in the URL for your CWA website, in my case it was https://cwa.confusedamused.com and press Add, Close and then OK.
  7. Click the Custom level button.
  8. Scroll all the way to the bottom and ensure Automatic logon only in Intranet zone is selected and press OK and OK.
  9. Refresh the page, click Sign in once more and you should log in no problem.

Windows Server 2008 Beta Exams

I took the plunge yesterday and registered for the Server 2008 Beta Exams, 71-646 and 71-647. Combined with some tinkering of the Betas and RC’s of Server 2008 and the free Server 2008 eBook I might have a chance of doing alright. I’ve got nothing to lose since the exams are free with the voucher codes. I guess we’ll find out just how well I do in about 2 weeks.

If you’re planning on taking the exams yourself I’d recommend checking the Microsoft Preparation Guides first: