AIM 6.X or Higher IM Client Cannot Log In When kdc.uas.aol.com not Resolving Correctly on IM Manager Server

Article:TECH132798  |  Created: 2010-01-28  |  Updated: 2011-05-12  |  Article URL http://www.symantec.com/docs/TECH132798
Article Type
Technical Solution

Issue



AIM 6.X or higher IM client cannot log in.

  • The AIM client log shows the following:

    The AIM client is connecting to the IM Manager server on port 443. The connection is made successfully. IM Manager never responds and the client times out.
      00:13.24 Socket 014E43B8: Issued connect request to 192.168.1.1, port 443
      00:13.24 DnsResolver 014E48B0 deleted
      00:13.24 Timer 014F12C0: stopped
      00:13.24 Timer 014F12C0: started, interval=120000
      00:13.24 Timer 014F12C0: stopped
      00:13.24 Timer 014F12C0: started, interval=30000
      00:13.24 SslBoxNss 014E4128: OnReadyForData
      00:13.24 SslBoxNss 014E4128: Continue handshake
      00:13.24 SslBoxNss 014E4128: OnSend, actual=54
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=3
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=2
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=74
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=5
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=3741
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=5
      00:13.25 SslBoxNss 014E4128: OnRecv, actual=4
      00:13.25 SslBoxNss 014E4128: OnSend, actual=182
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.25 SslBoxNss 014E4128: OnDataAvailable
      00:13.25 SslBoxNss 014E4128: Continue handshake
      00:13.26 SslBoxNss 014E4128: OnDataAvailable
      00:13.26 SslBoxNss 014E4128: Continue handshake
      00:13.26 SslBoxNss 014E4128: OnRecv, actual=5
      00:13.26 SslBoxNss 014E4128: OnRecv, actual=1
      00:13.26 SslBoxNss 014E4128: OnRecv, actual=5
      00:13.26 SslBoxNss 014E4128: OnRecv, actual=32
      00:13.26 SslBoxNss 014E4128: Handshake complete
      00:13.26 BufferSpool 014D3778 created
      00:13.26 HttpReceiver 014D33E8 created
      00:13.26 SslBoxNss 014E4128: InternalWrite
      00:13.26 SslBoxNss 014E4128: OnSend, actual=424
      00:13.26 SslBoxNss 014E4128: InternalRead for 4096 bytes, read -1
      00:13.26 HttpReceiver 014D33E8: received 0 bytes
      00:13.26 SslBoxNss 014E4128: OnDataAvailable
      00:13.26 SslBoxNss 014E4128: InternalRead for 4096 bytes, read -1
      00:13.26 HttpReceiver 014D33E8: received 0 bytes
      00:13.26 SslBoxNss 014E4128: OnDataAvailable
      00:13.26 SslBoxNss 014E4128: InternalRead for 4096 bytes, read -1
      00:13.26 HttpReceiver 014D33E8: received 0 bytes
      00:13.26 SslBoxNss 014E4128: OnDataAvailable
      00:13.26 SslBoxNss 014E4128: InternalRead for 4096 bytes, read -1
      00:13.26 HttpReceiver 014D33E8: received 0 bytes
      00:28.22 SslBoxNss 014D5068: OnDataAvailable
      00:43.22 Timer 014E48F8: fires
      00:43.24 Timer 014F12C0: fires
      00:43.24 Error 014D59B8 created
      00:43.24 Error set, cat=SignOnFlow, code=Timeout, subcode=0, url=



Conditions

    • IM Manager MMC Snap-In is configured with kdc.uas.aol.com.
      1. Open the IM Manager MMC Snap In from the Desktop or from the Start|Symantec IM Manager|IM Manager MMC Snap In menu item.
      2. Click on the AIM Agent tab.
      3. The value of the SSL Server Name/IP Address textbox must be kdc.uas.aol.com.
    • The following information is seen in the IM Manager debug log imlinkage.log (default location is c:\imlinkage.log):
      [|] 0xdf4 | 01/09/09 20:57:01 | Error | ACENetworkingService::verify_callback | Got invalid certificate. (Issued to:improxy.symantec.local)[-]

      The "Issued to" data shows that the certificate IM Manager received is for improxy.symantec.local. This certificate should be one for AOL.

       

 


Cause



The SSL certificate properties received from the AIM service do not match the hostname requested by IM Manager.

When IM Manager opens an SSL socket connection to the AIM service, it uses the hostname configured in the MMC Snap In and opens a socket connection to that entry. As part of the SSL protocol, the server then sends its SSL certificate to the client. IM Manager takes the certificate and validates that it is connected to the right host. Part of this validation is comparing the DNS hostname it connected to with the name specified in the certificate. If the names do not match, this error message is reported.


Solution



Ensure that the SSL Server Name/IP Address is kdc.uas.aol.com.

  • Ensure that kdc.uas.aol.com resolves to an AOL address.


Problems with resolving this name typically include incorrect DNS setup and other networking issues in the environment.





Technical Information
It may be useful to look at the certificate information being passed from kdc.uas.aol.com.


1. Download and install the OpenSSL client from here: http://www.openssl.org/related/binaries.html.
2. Run the following from a command line:

      openssl s_client -connect kdc.uas.aol.com:443


3. The beginning of the output will look something like this:

      CONNECTED(00000003)
      ---
      Certificate chain
      0 s:/C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Session Management Services/CN=kdc.uas.aol.com/emailAddress=tech_sess-mgmt-svcs@corp.aol.com
      i:/C=US/ST=Virginia/L=Dulles/O=America Online Inc./CN=AOL Member CA
      1 s:/C=US/ST=Virginia/L=Dulles/O=America Online Inc./CN=AOL Member CA
      i:/C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
      2 s:/C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
      i:/C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
      ---
      Server certificate
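
The name comparison described under Cause, applied to the two artifacts this article shows (the imlinkage.log error and the s_client chain listing). This is an added example, not Symantec's code: the function names and the wildcard rule are assumptions of the example, and only the subject CN is compared because that is all the chain listing exposes.

```python
import re

# Constructed sample input: the imlinkage.log line and the first s_client lines
# quoted in this article. EXPECTED_HOST is the value the article says to configure.
EXPECTED_HOST = "kdc.uas.aol.com"
IMLINKAGE_SAMPLE = (
    "[|] 0xdf4 | 01/09/09 20:57:01 | Error | ACENetworkingService::verify_callback"
    " | Got invalid certificate. (Issued to:improxy.symantec.local)[-]\n"
)
S_CLIENT_SAMPLE = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Session Management Services"
    "/CN=kdc.uas.aol.com/emailAddress=tech_sess-mgmt-svcs@corp.aol.com\n"
    "   i:/C=US/ST=Virginia/L=Dulles/O=America Online Inc./CN=AOL Member CA\n"
)

ISSUED_TO = re.compile(r"Got invalid certificate\. \(Issued to:([^)]+)\)")
LEAF_SUBJECT = re.compile(r"^\s*0\s+s:(.*)$", re.MULTILINE)
# Matches both "/CN=name" (older OpenSSL) and ", CN = name" (newer OpenSSL).
COMMON_NAME = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^/,\n]+)")

def rejected_cert_names(log_text):
    """Names from 'Got invalid certificate' errors in imlinkage.log."""
    return [m.group(1).strip() for m in ISSUED_TO.finditer(log_text)]

def leaf_common_name(s_client_output):
    """CN of certificate 0 (the server's own) in the 'Certificate chain' list."""
    subject = LEAF_SUBJECT.search(s_client_output)
    cn = COMMON_NAME.search(subject.group(1)) if subject else None
    return cn.group(1).strip() if cn else None

def name_matches(expected, presented):
    """Case-insensitive compare; '*' may stand for the left-most label only."""
    want = expected.lower().rstrip(".").split(".")
    got = (presented or "").lower().rstrip(".").split(".")
    if len(want) != len(got):
        return False
    if got[0] == "*" and len(got) > 2:
        return want[1:] == got[1:]
    return want == got

def triage(expected, log_text, s_client_output):
    """Names the server rejected, and whether the endpoint's leaf CN matches now."""
    leaf = leaf_common_name(s_client_output)
    wrong = [n for n in rejected_cert_names(log_text) if not name_matches(expected, n)]
    return {"wrong_names_in_log": wrong, "leaf_cn": leaf,
            "leaf_matches": name_matches(expected, leaf)}

if __name__ == "__main__":
    print(triage(EXPECTED_HOST, IMLINKAGE_SAMPLE, S_CLIENT_SAMPLE))
```

A non-empty `wrong_names_in_log` together with `leaf_matches` being true when s_client is run from another machine points at name resolution on the IM Manager server, which is the condition this article describes.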

 




Legacy ID



2010052811145154

