A little background: we had an issue with our domain controller and had to flash a backup image that we took 2 weeks prior. After we got everything set up correctly again and added users that were not there when we took the image backup, it all seemed fine, until we had to add some new hires. Now when I add new users and configure them correctly within OCS and Active Directory, the user cannot sign in. From what I have read it could be a replication error, but when I try to force replication it fails. As we rely on this service for our business, it is very frustrating. I have run the validation tool and this is what I get.

Attempting to login user using Kerberos

    Maximum hops: 2
    Successfully established security association with the server:
        User nancy
        Domain lj
        Protocol Kerberos
        Target sip/Fileserver.LJ.local
    Failed to register user: User sip:nancy@lj.local @ Server Fileserver.LJ.local
    Failed registration response: [
        SIP/2.0 403 Forbidden
        FROM: <sip:nancy@lj.local>;epid=epid00;tag=af8d4a32c5
        TO: <sip:nancy@lj.local>;tag=1A2FD46AB32C93C71252508422122A62
        CSEQ: 2 REGISTER
        CALL-ID: cd6769facadf4da68a88921dfc5a4807
        VIA: SIP/2.0/TLS 192.168.0.23:57752;branch=z9hG4bKf130bb10;ms-received-port=57752;ms-received-cid=40200
        CONTENT-LENGTH: 0
        AUTHENTICATION-INFO: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFF764B3F8B7D0AE7EC1B6FE36DAA9B10B1", srand="C0091F30", snum="1", opaque="EE6E2772", qop="auth", targetname="sip/Fileserver.LJ.local", realm="SIP Communications Service"
        ms-diagnostics: 4004;reason="Credentials provided are not authorized to act as specified from URI";source="Fileserver.LJ.local";AuthenticatedIdentity="LJ\nancy"
        ms-diagnostics-public: 4004;reason="Credentials provided are not authorized to act as specified from URI";AuthenticatedIdentity="LJ\nancy"
    ]
    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
    Suggested Resolution: Ensure that the supplied credentials are appropriate for the supplied user. If the user has been moved recently, run dbanalyze to ensure that the user is homed correctly.

    Failure [0xC3FC200D] One or more errors were detected

    Maximum hops: 2
    Successfully established security association with the server:
        User nancy
        Domain lj
        Protocol NTLM
        Target Fileserver.LJ.local
    Failed to register user: User sip:nancy@lj.local @ Server Fileserver.LJ.local
    Failed registration response: [
        SIP/2.0 403 Forbidden
        FROM: <sip:nancy@lj.local>;epid=epid01;tag=e91f12148
        TO: <sip:nancy@lj.local>;tag=1A2FD46AB32C93C71252508422122A62
        CSEQ: 5 REGISTER
        CALL-ID: 9ac9e3fe41f64e6587b7e744ef4eabc4
        VIA: SIP/2.0/TLS 192.168.0.23:57752;branch=z9hG4bK53b7532;ms-received-port=57752;ms-received-cid=40200
        CONTENT-LENGTH: 0
        AUTHENTICATION-INFO: NTLM rspauth="010000002A86488630F580CBB5BBDB1F", srand="D34E3231", snum="1", opaque="9FC5005B", qop="auth", targetname="Fileserver.LJ.local", realm="SIP Communications Service"
        ms-diagnostics: 4004;reason="Credentials provided are not authorized to act as specified from URI";source="Fileserver.LJ.local";AuthenticatedIdentity="LJ\nancy"
        ms-diagnostics-public: 4004;reason="Credentials provided are not authorized to act as specified from URI";AuthenticatedIdentity="LJ\nancy"
    ]
    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
    Suggested Resolution: Ensure that the supplied credentials are appropriate for the supplied user. If the user has been moved recently, run dbanalyze to ensure that the user is homed correctly.