RESOLVED – OCS 2007 R2 PIC fails against AOL




Microsoft Office Communicator 2007 R2, in conjunction with Office Communications Server 2007 R2, would intermittently fail to communicate with AOL AIM clients via PIC (Public IM Connectivity).  Note that this only reproduces if your OCS 2007 R2 Edge role is running Windows Server 2008 (x64), not Windows Server 2003 (x64).





Essentially, it boils down to changing the Schannel cipher suite priority on the Windows Server 2008 Edge role so that TLS_RSA_WITH_RC4_128_MD5 is the first suite offered when the TLS session with AOL is established.  Two caveats before you apply it: the setting is machine-wide, so it changes the preference order for every TLS connection the Edge server accepts or initiates, not just the AOL federation link; and it promotes a suite built on RC4 and MD5, both of which are considered weak today, so treat this as a targeted interoperability workaround rather than a hardening step.



In order to change the cipher suite order, do the following on your Windows Server 2008 (x64) Edge server:


1. Start -> Run -> gpedit.msc -> OK

2. Within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.

3. Under Network, select SSL Configuration, and then double-click SSL Cipher Suite Order (by default, SSL Cipher Suite Order is set to “Not Configured”).

4. Select the “Enabled” radio button, then copy the entire string from the SSL Cipher Suites text box into Notepad.  It should look like the following:




5. The objective is to move TLS_RSA_WITH_RC4_128_MD5 to the front of the list.  In your Notepad document, find TLS_RSA_WITH_RC4_128_MD5, cut it, go to the beginning of the document, and paste it there, keeping the list a single comma-separated line with no spaces.  The new order should look like the following:




6. Paste the newly-formatted string back into the text field in the GPO Editor, click OK, then restart your Windows Server 2008 (x64) Edge server for the change to take effect.  Before clicking OK, confirm the text box still holds the complete list: the field accepts at most 1023 characters and silently truncates anything beyond that, so the suites at the end of the list are dropped, and they are dropped for every TLS consumer on the server, not just OCS.
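The six steps above, as an added PowerShell example that is not from the original post and not part of OCS: it reads the current Schannel cipher suite order, moves the target suite to the front, writes the result to the registry value that the SSL Cipher Suite Order policy populates, and includes a revert.  Assumptions (not stated on this page): the policy and default registry paths used below are the standard Schannel locations the GPO itself writes to, and the 1023-character limit is that of the gpedit text box; writing the registry value directly is not subject to it.  Run it elevated on the Edge server; as with the GPO route, a reboot is required.

```powershell
# Added example (not from the original post): reorder the Schannel cipher suite
# list so a chosen suite is offered first, writing the same registry value that
# the "SSL Cipher Suite Order" GPO sets.  Assumed: the key paths below are the
# standard Schannel policy/default locations; 1023 is the GPO editor's limit.

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$DefaultKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$ValueName      = 'Functions'
$GpoEditorLimit = 1023
$TargetSuite    = 'TLS_RSA_WITH_RC4_128_MD5'

function Get-CipherSuiteOrder {
    # Returns the effective order as an array of suite names.  The policy value
    # is one comma-separated REG_SZ; the platform default is a REG_MULTI_SZ.
    $policy = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($policy -and $policy.$ValueName) {
        return @($policy.$ValueName -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $default = Get-ItemProperty -Path $DefaultKey -Name $ValueName -ErrorAction Stop
    return @($default.$ValueName)
}

function Move-CipherSuiteToFront {
    param([string[]]$Suites, [string]$Suite)
    # Only reorder what the platform already offers; never add an unknown suite.
    if ($Suites -notcontains $Suite) {
        throw "$Suite is not in the current list; nothing reordered."
    }
    return @($Suite) + @($Suites | Where-Object { $_ -ne $Suite })
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    $value = $Suites -join ','
    if ($value.Length -gt $GpoEditorLimit) {
        # Pasting a string this long into gpedit.msc would silently drop the
        # tail of the list; the registry value itself has no such limit.
        Write-Warning ("List is {0} characters; it would be truncated if pasted into gpedit.msc." -f $value.Length)
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $value -Type String
}

function Restore-DefaultCipherSuiteOrder {
    # Reverting means deleting the policy value so Schannel falls back to the
    # platform default order (equivalent to "Not Configured" in the GPO).
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

# --- Apply the workaround ---
$current = Get-CipherSuiteOrder
Write-Host ("Current first suite : {0}" -f $current[0])
$reordered = Move-CipherSuiteToFront -Suites $current -Suite $TargetSuite
Set-CipherSuiteOrder -Suites $reordered
Write-Host ("New first suite     : {0}" -f (Get-CipherSuiteOrder)[0])
Write-Host "Reboot the Edge server for Schannel to pick up the new order."
```

If the Edge server receives this setting from a domain GPO, that GPO will overwrite the local value at the next policy refresh; in that case edit the GPO instead.  To undo the change, call Restore-DefaultCipherSuiteOrder and reboot.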



We have verified (and re-verified) these steps work, and can now successfully communicate with AOL AIM clients using Office Communicator 2007 R2 via PIC.


Comments (45)

  1. Microsoft OCS 2007 R2 users were having communications issues with AOL’s AIM when federating using PIC (Public IM Connectivity) and using a Windows Server 2008 (x64) Edge role server – Windows Server 2003 (x64) is unaffected by this problem….

  2. Come to find out, the issue does not appear on Windows 2003 x64 servers but only Windows 2008 x64. This is due to the order of the ciphers offered. Not to steal the thunder of the Microsoft fellow that figured it out, check out the full solution here.

  3. As all are aware Office Communication Server 2007 R2 was recently released and with it the ability to

  4. Fixing interoperability problems between OCS 2007 R2 Public Internet Connectivity and AOL IM

  5. Scott,

    Just wanted to note that you talk about cutting and pasting the TLS_RSA_WITH_RC4_128_MD5 entry into the front of the list in Notepad, but there’s no step to copy and paste the entire string back into the GPO Editor.

  6. Good catch; I appreciate the feedback & have updated step 6 accordingly … thx again!


  7. I decided to consolidate the information about known errors / oddities in the operation of OCS R2 and the methods for resolving those problems…

  8. I decided to consolidate the information about known errors / oddities in the operation of OCS R2 and the methods for resolving those problems

  9. Bill says:

    Just for men only works if nobody has met you before, bish.

  10. Curtis says:

    When I make these changes I can then send to AOL no problem at all but then I get the following error when I try to send from AOL back to OCS  

    Unable to deliver your text sent to remote user. Remote enterprise user is unable to receive your message at this time. Please try again later.

    Any ideas?  Also do we still have to install the cert for AOL???

  11. Curtis says:

    Should have mentioned that sending and receiving from both Yahoo and MSN is working great.

  12. Ozgur says:

    My provisioning request is approved now. But I can't seem to contact Windows Live. I cannot get any presence info. My messages from OCS get through, but vice versa fails, as the contact seems offline although it is not. Any ideas?

  13. Matt says:

    I had to do this on my Communicator Web Access server as well in order to support my customers who use CWA & PIC.  

  14. Great follow-up, Matt … many thanks for the feedback.


    Scott Oseychik

  15. Jason says:

    I have tried this fix and am not having any luck. I’ve run gpupdate and restarted 3 times and still no AOL contacts. MSN is working just fine. Is the Edge server the only server I need to apply this to?

  16. Scott Oseychik says:

    Yes, this only gets applied to the Edge.  If you’re still encountering issues, I recommend you engage Microsoft Customer Support Services for further assistance.


    Scott Oseychik

  17. Marcel says:

    Hi Scott,

    thanks for your solution. But when I change this policy as described, I can’t use RDP anymore to connect to this computer…does it need a reconfiguration?



  18. Scott Oseychik says:

    Hi Marcel,

    This is the first I’m hearing of this "side effect," and we’ve implemented this solution on both customer servers as well as some of our own here at Microsoft.

    Have you bounced the Edge box, and if so (and the problem persists), you could either set your Remote Desktop settings to "Allow connections from computers running any version of Remote Desktop," or enable schannel logging (and engage Microsoft Customer Support) for further troubleshooting:


    Scott Oseychik

  19. Marcel says:

    Hi Scott,

    did this change again and now the complete setup is not working anymore 🙁

    No remote access working, no federation, no PIC.

    Have to revert the changes now. hmm

  20. Pat Jensen says:

    I just turned up PIC and ran into this exact issue on my deployment.  This did the trick, the key is to follow his exact words and not copy/paste the example order from the web page as it is a very long string in the group policy editor.

    Also, this did affect my ability to use MacOS Remote Desktop Connection to RDP into the Edge server.  Too bad, but at least my Federation, XMPP and PIC are dialed in now!  Thanks Scott.

  21. Scott Oseychik says:

    Thanks for the feedback, Pat!


    Scott Oseychik

  22. Jason says:

    After doing this to our Edge server, we lost remote desktop and the Edge service will not start. Disabling this change allows remote desktop and the service to start properly. Very strange.

  23. Brock says:

    This worked like a charm, thank you very much. We’ve been banging our heads on this issue for so very long. How come MS hasn’t made this a KB article????

  24. Glad to hear it worked, and I submitted it for a "Fix It" KB article a while back.  I’ll follow up to see what happened, but in the meantime, I’m pleased it’s working for you now.


    Scott Oseychik

  25. hh says:

    Tried fix but RDP fails on W2K8. Change doesn’t affect W2K8R2 ??

  26. Unfortunately, I’m unaware of another workaround, but I recommend that you engage the Unified Communications Support team via Microsoft Customer Support Services to fully resolve this issue.


    Scott Oseychik

  27. DTD says:

    Hi, Scott. Thanks for this article. Not sure if you have run into this or not, but by changing the order of the SSL dialog, presence no longer works to AOL, Yahoo, or MSN.  The tweak allowed me to finally PIC to AOL, but presence is no longer functional to AOL, Yahoo, or MSN. Removing the tweak, presence becomes available again, but PIC no longer works with AOL.  Any thoughts or guidance on what could be the problem?  Thanks for all that you do!

  28. Hello,

    This is the first reported incident of it breaking PIC with the other providers … definitely a side effect we’d like to avoid!  Unfortunately, I think this would be something that would take some time for us to dig into & better understand.  My advice is to formally engage Microsoft Customer Support Services either via your Technical Account Manager (if you have a Premier support contract) or through any of the means detailed at


    Scott Oseychik

  29. DTD says:

    Hi, Scott.

    Thank you so much for your response.  I’ve been able to determine why presence wasn’t working after the reordering of the SSL Cipher Suite. The problem was that Office Communicator caches the presence information.  Logging off of Communicator and even rebooting the system did not clear these cache files.  I had to manually delete all the presence XML files.  Once deleted, I logged back into Communicator and presence was all good to AOL, Yahoo, and MSN/Windows Live Messenger.

    Again, thank for your help and support Scott!!

  30. Scott Oseychik says:

    Great workaround, and thanks so much for following-up!!  I’m sure others will find your response valuable, so thanks again for the awesome reply.


    Scott Oseychik

  31. Harper says:

    This AOL federation fix ultimately worked for me. However, I had to make a local security policy firewall change to allow all inbound traffic before making this SSL change.  Otherwise, I had some really strange firewall issues. Once the server was back up I set my local security policy changes back to not configured and bounced the server again. All is well now.

  32. Hi Harper,

    Thanks for the feedback!  Glad to hear things are working well for you now (despite some initial hurdles you had to overcome), as well as for taking the time to drop me a line.


    Scott Oseychik

  33. Helmuth Baum says:

    The steps outlined worked, thanks for the information.

  34. Scott,

    I was having this exact same problem but on a 2008 R2 edge server.  No matter what I tried I couldn't get the entire cipher list to paste back into the policy editor (might explain the RDP issues reported earlier).

    To save someone else the time, Dodeitte pasted the solution here…/ocs-2007-r2-pic-with-aol-on-windows-2008-r2.aspx



  35. Derek says:

    Hi Scott,

    Thanks for the post, this helped me immensely. Do you happen to know if there is a similar requirement for cipher priority that might prevent Yahoo Messenger mobile clients from consuming presence information and receiving OCS-sourced messages (Yahoo mobile-sourced messages come through fine)? So far, the full desktop client is the only messenger client that works successfully for bi-directional presence and IM.



  36. Scott Oseychik says:

    Hi Derek,

    Wish I had an answer for ya … I'd start by capturing a network trace on your Edge; one trace for the "success" (Yahoo Mobile) case, and one for the "failure" (OCS-sourced) case.


    Scott Oseychik

  37. Derek says:

    Yeah, I did that. It gets successfully routed to yahoo and just ends there. No errors or anything. Seems like a failure on yahoo's part to deliver to the mobile device, but it just seems strange that it would only fail for OCS contacts (would think it to be agnostic once the message gets to yahoo). I also tried this using a mobile messenger client developed by "MSN" (Droid) and it works the opposite – Yahoo-sourced messages fail, but OCS-sourced messages get through. I'll try and do some further tracing, but like I said, everything I've seen shows successful routing and delivery.

  38. Scott Oseychik says:

    Hi Derek,

    Sounds like you've definitely gone above & beyond here; perhaps it may be a good time to enlist the assistance of our rock star Unified Communications Support Team! 🙂


    Scott Oseychik

  39. Zdenek Stava says:

    Thank you very much for your advice. It helped me too.

  40. Geckotek says:

    Hey Scott, I just got PIC up and running and sure enough, AIM was EXTREMELY flaky (1 in 10 messages would get through..if that).  This article resolved my issue.  Wondering why this hasn't been patched by MS?

  41. Mbassett says:

    Thanks for the info, this fixed my issue with Lync 2010

  42. Shailesh Dudpuri says:

    Hi Scott,

    Does this fix the Lync 2010 PIC issue with AOL as well? If yes, the text field accepts a string only 1023 chars long. I will have to remove 2 cipher suites from the string to complete these steps successfully. Which should they be? By default, even if I copy and paste the whole string, at the time of pasting the string will get truncated after 1023 chars.



  43. Hi Shailesh,

    Please see…/ocs-2007-r2-pic-with-aol-on-windows-2008-r2.aspx for the workaround in regards to this limitation.


    Scott Oseychik

  44. Rafael says:

    This is AWESOME! thanks

  45. Alin says:

    Also if this does not work, make sure to disable FIS policy.