Error -- “Unable to register with Relay Server”

by Gregg Johnston

Scenario

You have just set up your Groove server environment, and it looks good. You have your Groove Manager server running and a connection to SQL Server. Groove Relay is all fired up and has been added to the Groove domain. Users have been added too, and you are ready to activate. However, after a successful activation, your users suddenly get this message popping up:

“Unable to register with Relay Server”

What happened?

Groove is returning this error message because it is reaching a Relay server which has the option Authenticate Groove users enabled, but the account has not been registered on the Relay. This option is commonly called pre-authentication because when it is set, the Management Server needs to register users with the Relay Server before users can use that Relay Server. The procedure goes like this:

  1. User added to Management Server
  2. User registered with Relay by Manager
  3. User activates account
  4. User's account connects to Relay Server
  5. Relay Server validates the account’s registration

To confirm this, open Connection Manager on a user's computer, click Advanced Network Settings, click Network Diagnostics, click to expand Home Relay Devices, and then click to expand the device URL. You will see this line:

Status: Disconnected,Created Connect,Received Secured ConnectResponse,Connected,Sent ConnectAuthenticate,Sent Attach,Received AttachResponse,Created AttachAuthenticate,Sent AttachAuthenticate,Sent Register

If pre-authentication was properly implemented, you would see one more entry: Received RegisterResponse. Because we see Sent Register but not Received RegisterResponse, we know that pre-authentication is enabled, but the user's account is not registered with the Relay. Because of this, the Relay will not provide services to the account.
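
The same check can be applied to status lines collected from several users. The Python sketch below is an added example, not part of the original article or of Groove. The state order in EXPECTED is assumed from the single sample line above plus the Received RegisterResponse entry, and the function names are hypothetical.

```python
# Added example: interpret a Groove "Status:" trail copied from Network Diagnostics.
# EXPECTED is built from the one sample line in this article plus the entry it
# says a registered account would show; treating it as a fixed order is an assumption.
EXPECTED = [
    "Disconnected", "Created Connect", "Received Secured ConnectResponse",
    "Connected", "Sent ConnectAuthenticate", "Sent Attach",
    "Received AttachResponse", "Created AttachAuthenticate",
    "Sent AttachAuthenticate", "Sent Register", "Received RegisterResponse",
]


def parse_trail(line):
    """Split 'Status: a,b,c' into a list of states, tolerating stray spaces."""
    text = line.strip()
    if text.lower().startswith("status:"):
        text = text[len("status:"):]
    return [s.strip() for s in text.split(",") if s.strip()]


def diagnose(line):
    """Return (verdict, detail) for one status trail."""
    states = parse_trail(line)
    if not states:
        return ("empty", "no states found in the line")
    if "Received RegisterResponse" in states:
        return ("registered", "Relay answered the Register request")
    if "Sent Register" in states:
        return ("not-registered",
                "Register sent, no RegisterResponse: pre-authentication is on "
                "and the Relay does not know this account")
    # Stopped earlier: report the first expected step that never appeared.
    missing = next(s for s in EXPECTED if s not in states)
    return ("stalled-before-register", "first missing step: " + missing)


# Constructed sample input: the article's line, a healthy trail, an early stall.
SAMPLES = {
    "article": "Status: Disconnected,Created Connect,Received Secured ConnectResponse,"
               "Connected,Sent ConnectAuthenticate,Sent Attach,Received AttachResponse,"
               "Created AttachAuthenticate,Sent AttachAuthenticate,Sent Register",
    "healthy": "Status: " + ",".join(EXPECTED),
    "early": "Status: Disconnected, Created Connect",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, diagnose(line))
```

A "stalled-before-register" verdict means the connection failed before the registration step, which is a different problem from the one this article covers.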

There are two different issues that cause this problem.

Communications issues

The Manager may be unable to contact the Relay correctly. Try opening a telnet connection from Manager to Relay over port 8009. If that fails, but you can ping the Relay from the Manager, the port may be blocked on your Relay server. In Windows Server 2008, all ports are blocked by default in Windows Firewall, so problems here are especially likely. If the issue is not port access, look for other communications blocks between the two servers. Once you can telnet from the Manager to port 8009 on the Relay, restart both servers. Take a look at the Audit log on Manager Server. Do you see user adds in the log? If so, success! If not, time to look for another solution.

Auditing services problem

The other common cause of this problem is a faulty installation of Manager. Even if you go through each step of the installation carefully, there is one old issue that can trip you up. In the unpatched Office Groove Server Manager release, you could not run Manager and Audit services on the same computer. If you added Auditing Services during installation, but did not slipstream Office Server Service Pack (SP) 1 or 2 into the Manager Server updates folder prior to installing Manager, you will not be able to register users with the Relay Server. (You will also be unable to synchronize a directory integration point to share user information with Active Directory.) To test for this issue, run the following query on your SQL server:

select EnableDirectorySynchronization, EnableRelayServerSynchronization from gmsservers

If you installed without SP2 updates, this query will return 0. Unfortunately, resolving this problem requires uninstalling and reinstalling the Manager. This is time-consuming, but will only become more of a chore if you use the server first and then return to this solution.

Is there an alternative? Sort of. As a workaround, you can disable the option Authenticate Groove users on the Relay. (See https://technet.microsoft.com/en-us/library/cc261658.aspx for instructions.) We don't usually recommend this approach, as it has two major problems:

  • Security and Performance risk: If you turn off pre-authentication, and someone gets a hold of your ServerID.xml file from the Relay Server, they could, hypothetically, use that file on their Manager Server and then use your Relay Server as their Relay. They would not have any access to any data on your Relay, or your Manager for that matter. But they could launch a Denial-of-Service attack by deluging the Relay with data.
  • Functionality loss: You will be unable to synchronize users with Active Directory.

For a more complete resolution, uninstall and reinstall Management Server. Here are a few things to keep in mind:

Now you are ready to reinstall GMS. However, take a moment to think about Auditing services. Do you really want Auditing services running on the same computer as your production Manager server? More often than not, the answer to that question is “no”. The Groove Audit Server was meant to run on a separate server and can take up quite a lot of system resources. So even though you can (with slipstreamed SP2) run Audit Services with Manager, it does not mean you should. For more details, see the documentation at https://technet.microsoft.com/en-us/library/cc262178.aspx.

When you have made your decision, reinstall the servers and recreate your domain members.