OCS 2007 R2 PIC with AOL on Windows 2008 R2
I was troubleshooting PIC connectivity with a customer recently and we ran into an issue when following the steps in Scott Oseychik's blog post on changing the cipher suite order (https://blogs.msdn.com/b/scottos/archive/2009/04/03/resolved-ocs-2007-r2-pic-fails-against-aol.aspx). I've used the steps outlined in the blog post on Windows 2008 before, but never on Windows 2008 R2. It just so happened that this customer had a Windows 2008 R2 Edge server. When we went to paste the newly ordered cipher suite back into the Group Policy Editor, we noticed that the whole string didn't paste back in:
The string got cut off close to the end, so the last few ciphers were missing. It appeared that the text box could only accept so many characters, and a little research confirmed that is exactly the case. Scrolling down in the help section on the right, you will find the instructions for editing the cipher suite order:
Step 6 is the key: the maximum length is 1023 characters. So the text box will only accept 1023 characters, but why had I never run into this issue on Windows 2008? Digging a little deeper, it appears that some additional ciphers were added between Windows 2008 and 2008 R2. In Windows 2008 the list of ciphers is 831 characters; in Windows 2008 R2 it is 1071 characters, which is over the limit. So we can't use the Group Policy Editor to reorder the list of cipher suites.
The workaround that I came up with is to modify the registry key that this group policy object updates. The standard warnings about modifying the registry apply: be careful when editing the registry! The key that the group policy object updates is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
Type = REG_SZ
Name = Functions
Data = TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,...
The "Functions" value shouldn't already exist, so you will probably need to create a new "String Value". Take your newly ordered list of ciphers and paste them into the value data field. This time the whole list will paste in correctly. Reboot your server and the new cipher suite order should be in effect.
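The registry workaround as a script, added here as an example and not code from the original post: it writes the same REG_SZ Functions value the GPO would have set, warns when the list is longer than the 1023 characters the editor accepts, and warns if FIPS policy would keep the RC4/MD5 suite from applying (the caveat raised in the comments). The function names, the FipsAlgorithmPolicy key check and the -WhatIf dry run are my additions, not part of the post.

```powershell
# Added example, not code from the original post: write the cipher suite order the
# GPO setting would have written, straight to its registry value, since the Group
# Policy Editor's text box stops accepting input at 1023 characters.
# Assumes an elevated PowerShell session on the Edge server (Windows 2008 R2 / PS 2.0).
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$FipsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$GpoEditorLimit = 1023   # maximum length the Group Policy Editor text box accepts

function Set-PolicyCipherSuiteOrder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$CipherSuites   # full list, in the order SChannel should offer them
    )
    # Sanity checks: suite names are upper-case identifiers and nothing is listed twice.
    $bad = $CipherSuites | Where-Object { $_ -notmatch '^[A-Z0-9_]+$' }
    if ($bad) { throw "Unexpected cipher suite name(s): $($bad -join ', ')" }
    $dupes = $CipherSuites | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate cipher suite(s): $(($dupes | ForEach-Object { $_.Name }) -join ', ')" }
    $data = $CipherSuites -join ','
    if ($data.Length -gt $GpoEditorLimit) {
        Write-Warning ("List is {0} characters; the GPO editor would cut it at {1}." -f $data.Length, $GpoEditorLimit)
    }
    # Caveat from the comments: with FIPS policy on, an RC4/MD5 suite is never negotiated.
    $fips = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($fips -and $fips.Enabled -eq 1 -and ($CipherSuites -match 'RC4|MD5')) {
        Write-Warning 'FIPS algorithm policy is enabled; RC4/MD5 suites in this list will be ignored.'
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set Functions (REG_SZ) to $($data.Length) chars")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        # Same value the GPO writes: REG_SZ named Functions. -Force overwrites an existing value.
        New-ItemProperty -Path $PolicyKey -Name Functions -Value $data -PropertyType String -Force | Out-Null
    }
    # A reboot is still needed before SChannel uses the new order.
    New-Object PSObject -Property @{ Length = $data.Length; ExceedsGpoLimit = ($data.Length -gt $GpoEditorLimit) }
}

function Get-PolicyCipherSuiteOrder {
    # Read back the policy value as an array (empty if it has not been created yet).
    $p = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($p) { return @($p.Functions -split ',') } else { return @() }
}

# Constructed sample: only the three suites visible in the post's Data line. Replace with
# your complete reordered list (1071 characters on Windows 2008 R2) before removing -WhatIf.
$order = 'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA'
Set-PolicyCipherSuiteOrder -CipherSuites $order -WhatIf
Get-PolicyCipherSuiteOrder
```

Run it with -WhatIf first to see what would be written; after the real write and a reboot, Get-PolicyCipherSuiteOrder shows the order the server is now configured with.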
Comments
Anonymous
January 01, 2003
@Rasheedah Did you check to see if the certificate for Access Edge has the client EKU on it? If it does, then you would need to take tracing on the Edge Server to see if you get any SIP traffic from AOL. If you don't, then that normally means it's a certificate issue.
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
@Greg Walrath Are you sure that the AOL provisioning is complete? Does the certificate for Access Edge include the Client EKU? Does the contact that you're trying to get presence on have an aol.com or aim.com address? I'd take SIPStack tracing on the Edge and see what response AOL is sending back when you try to subscribe to an AOL contact.
Anonymous
January 01, 2003
It's not working. After enabling the GPO it still shows "Not configured" in the GPO list, but when I open it the radio is on Enabled.
Anonymous
August 26, 2010
Thanks so much for the thorough explanation & follow-up, Doug! Regards, Scott Oseychik
Anonymous
September 10, 2010
So, I've done this, and it still doesn't work; I still don't see presence information being exchanged between my Edge server and AIM. Works great with msn/live/hotmail addresses as well as Yahoo, but not AIM. I can sit on my Edge server and successfully telnet to port 5061 on sip.oscar.aol.com. Any suggestions?
Anonymous
October 07, 2010
Do I need to remove the GPO we originally edited?
Anonymous
November 23, 2011
This is not working at all and I checked the provision as we have msn and aol... msn works, aol does not... even after following this blog, thanks!
Anonymous
January 25, 2013
Make sure that FIPS policy is disabled, otherwise the TLS_RSA_WITH_RC4_128_MD5 cipher will not apply as per the registry key file.
Anonymous
February 21, 2014
Very important information, this helped me to resolve our long-term issue with federation between Lync and AOL.
Anonymous
November 15, 2014