Thursday, January 22, 2009

Communicator Web Access (error 0-1-492)

I recently had the pleasure of working with a senior Microsoft escalation engineer who helped us resolve this error message, and I thought it would be helpful to share how it was resolved.

Apparently there is a bug with CWA and Windows 2008 where the Service Principal Name (SPN) isn't created for the FQDN of your CWA site. The result is the following error when you attempt to sign in with integrated Windows authentication:

Cannot sign in because your computer clock is not set correctly or your
account is invalid (error code: 0-1-492)


When I created our 'internal' and 'external' CWA web sites on our web server I set up two IP addresses so that each site could have a unique IP with the same certificate bound to it. We use the same FQDN for both the internal and external CWA site (i.e. https://cwa.contoso.com/). ISA Server 2006 is used to direct external clients to the IP bound to the external CWA site and vice versa. The key difference is that the internal site uses both forms-based authentication as well as Windows authentication.

The Windows authentication site will fail with the error if your site is running on Windows 2008 Server while the other site will work just fine. We limped along for a while by setting the IP address of the internal site to be the external site until this fix came along.

HOW TO FIX IT:

You need to add an SPN matching the FQDN of your internal site (cwa.contoso.com) to the user account you assigned in AD for CWA.

  1. Open ADSIEDIT and navigate to the OU where your CWA service account is stored.
  2. Locate the CWA service account (mine is called 'CWAService') and right-click then choose Properties.
  3. Turn on the checkbox to 'Show only attributes that have values' and scroll down to an entry called 'servicePrincipalName'.
  4. Click the Edit button.
  5. Type in the SPN in the format http/ followed by the FQDN of your site. For example, if your site is called "cwa.intel.com" then type in "http/cwa.intel.com". NOTE: Do NOT type http://.
  6. Click OK and you're done!

Depending on your topology and the location of your web server relative to a DC, AD replication may need to occur before the new SPN takes effect.
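
The same change can be made and verified from a PowerShell prompt instead of ADSIEDIT. This is an added example, not part of the original fix from the escalation engineer; the FQDN and account name are the ones used in this post, and it assumes the setspn.exe that ships with Windows Server 2008 or later. It checks first whether the SPN is already held by another account, since a duplicate SPN also breaks Kerberos sign-in.

```powershell
# Added example. Assumed values: site FQDN and service account name from the post.
$Spn     = 'http/cwa.contoso.com'   # service class "http/", never "http://"
$Account = 'CWAService'

# Find every AD object in the current domain that already carries this SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'distinguishedname'))
$holders = @($searcher.FindAll())

if ($holders.Count -eq 0) {
    # Not registered anywhere: add it. -S refuses to write if a duplicate exists.
    setspn.exe -S $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}
elseif ($holders.Count -eq 1 -and
        $holders[0].Properties['samaccountname'][0] -eq $Account) {
    Write-Output "$Spn is already registered on $Account; nothing to do."
}
else {
    # Held by a different account, or by more than one: fix that first.
    foreach ($h in $holders) {
        Write-Warning "SPN currently held by $($h.Properties['distinguishedname'][0])"
    }
    throw "Remove the conflicting registration before adding $Spn to $Account."
}

# Confirm: list all SPNs now registered on the service account.
setspn.exe -L $Account
```

Run it with an account that has rights to write servicePrincipalName on the service account, then allow for replication as noted above before retesting sign-in.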


Cheers!

8 comments:

  1. This comment has been removed by the author.

  2. Hello Jasan,

    I need help in installing the SDK for Speech Server 2007. I don't want to install speech server as it is a trial version. Can I code my application just by using the SDK?


    Thanks,
    Ram.

  3. I don't see why not. I believe there is a speech server component built into OCS so the SDK would give you the ability to leverage it.

  4. Hi Jason, Hi Ram,

    Speech Server Component is only included in OCS 2007 R2! It is e.g. used for the Conference Announcement Service by the new Unified Communication Application Role (UCAS). You still can add Speech Server in to the OCS R2 infrastructure. But maybe the SDK 2.0 can interface UCAS/SpeechComponent so you can code your apps directly to it.

    Best regards,
    Jan Boguslawski

    Consultant IT Infrastructure
    MCSE, MCTS OCS2007

  5. Hi ,

    I have OCS 2007 R2-CWA in a server, My OCSFE and OCSEDGE are working fine with R2, But I could able to sign in CWA, I am not getting any Error in Server end
    The only message i am getting is

    A problem occurred and the session was ended. Please sign in again. If the problem persists, contact your system administrator.(Error code: 0-0-18401-0-0)
    Sign in will be automatically

    I have tried changing the listening port to 1025, 5062. Not working. I checked the AD setting for user account CWAService. Everything looks fine. I checked the cert; it also looks fine.
    I don't know at which place I am getting disconnected.

    Regards
    Ramkumar.A
    Ramkumar@chassasia.com

  6. Ram, when you provisioned the CWA site did you choose "internal" or "external"? Where are you accessing CWA from? Are you trying from the Internet or your local network?

  7. I have the same problem with an internal CWA and accessing from intranet.

    Any help around here would be appreciated

    MeVs

  8. What happens when you try logging into the site when you're on the CWA server?
