Wednesday, January 27, 2010 4:26 PM
We are testing Office Communicator with our company and have come across a weird issue. All of our employees will be remote, so we set up the server specifically for that. In testing we can log in just fine inside the domain and it works perfectly. However, outside of the domain we can only get the client software to log in successfully on Windows 7 PCs. All the Vista and XP machines error out at login every time. We have uninstalled, applied the latest updates, and still get the same login failure error every time.
In the validation test I get 2 errors.
Error: One or more pool hosted users are enabled for federation, remote access or public IM connectivity, but global federation is disabled.
Routing trust check and MTLS connectivity: outgoing TLS negotiation failed; HRESULT=-2146893022
Wednesday, January 27, 2010 10:51 PM
Have you made sure that you trust the certificates you are using on your edge server on all your clients?
Matt Nixon | http://unifiedmatt.blogspot.com
Thursday, January 28, 2010 3:49 AM
Yes. We directly imported them to each machine and verified they were accepted. We followed the exact process on each machine. It really is weird that the Windows 7 machines work great but the Vista and XP PCs won't get past the login.
Thursday, January 28, 2010 1:38 PM Moderator
What specific error do you receive when login fails? Turn on Event Viewer logging (http://support.microsoft.com/kb/871023) in Office Communicator and check the Application log on the workstation for more details. It's typically either 'unable to contact server' or some type of certificate-related error.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Thursday, January 28, 2010 3:32 PM
This is from the log:
End of Sending Packet - 188.8.131.52:5061 (From Local Address: 192.168.2.12:1219) 1192 bytes
ASYNC_SOCKET::InternalSend no compression, BytesLeft = 1192, BytesToSend = 1192, cbDataToEncryptSize = 1192, psDataToEncrypt = 03DF0BE8
- encrypted buffer length: 1217 bytes. First 8 bytes:
17 03 01 04 BC DE AA 01 :....¼Þª.
ASYNC_SOCKET::SendOrQueueIfSendIsBlocking sending sendBuffer 03DECA88, this 00222088, pSendBuffer->m_BufLen = 1217
043 60AC:62BC TRACE :: ASYNC_SOCKET::SendHelperFn sendBuffer 03DECA88 sent, this 00222088, m_BytesSent = 1217, pSendBuffer->m_BufLen = 1217
SECURE_SOCKET: decrypting buffer size: 642 (first 8):
60AC:62BC TRACE :: 17 03 01 02 7D A1 2B 18 :....}¡+.
60AC:62BC INFO :: Data Received - 184.108.40.206:5061 (To Local Address: 192.168.2.12:1219) 617 bytes:
60AC:62BC INFO :: SIP/2.0 401 Unauthorized
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="domain.com", version=4
CSeq: 5 REGISTER
Via: SIP/2.0/TLS 192.168.2.12:1219;received=220.127.116.11;ms-received-port=1219;ms-received-cid=1700
ms-diagnostics: 1000;reason="Final handshake failed";source="Domain.com";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)"
Tuesday, February 02, 2010 8:31 AM Moderator
Hi Hurleymman,
Per your above description, do you have two validation wizard errors on your edge server?
For the first error, you can ignore it.
Do you use your own internal CA for all the clients?
For the second error, it may be caused by the below:
Certs for the internal interface of the edge server and the external interfaces
Internal PKI issues
Could not get to PKI servers
DNS A record issues
Mostly it seems to be a cert issue; you can remove and request new certificates and test again.
You mentioned that the clients could log in successfully on the Win7 box; please check the protocol used by the clients, TLS or TCP.
According to the "reason="Final handshake failed";source="Domain.com";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)", there are also some possible causes below:
NTLM minimum session security for NTLM SSP based (including secure RPC) clients setting for the domain more restrictive than that of the external non-domain-joined machine
You can change the external machine settings to match the domain requirements.
Please check whether or not you can telnet to the correct port on the edge server successfully.
You can refer to below:
Tuesday, February 09, 2010 8:37 PM
I am not sure about all the certificate stuff. I am still trying to sort that one out.
As far as logging in is concerned, I am still having the same problem. All of our users will be outside the domain. I downloaded the certificate from the server and imported it into the root certificates. I installed the latest Office Communicator client, then ran the updates. I set up the OC client with manual settings pointing to our server using TLS and put the required log-in credentials in. For the domain I have tried both domain.com\username and just username and get the same result.
Windows 7 and Mac OS X work perfectly. They log in and work as they are supposed to. However, on Vista and XP machines we cannot get past the login error as described above. I have tried TLS and TCP with the same result. The settings on the Vista/XP machines match the Windows 7 settings exactly.
Wednesday, February 10, 2010 2:21 AM Moderator
Hi
I kindly suggest that you check that the OCS server works well inside the domain, and use an account to make a test.
Then check that the OCS edge server is deployed correctly, referring to the link below
Thursday, February 11, 2010 3:22 AM
I did a test inside the domain and it works without any problems. I also did several verification tests and they also didn't have user login issues.
I am reviewing the document you suggested, making sure the Edge Server is up and working correctly. Will post those results.
Here are the errors I am getting from the other IM client I tried.
Uccapi Error (2/10/2010 8:17 PM): 80ef0191, KERBEROS + NTLM, Default Creditals, SIP status code: 401 Unauthorized.
Uccapi Error (2/10/2010 8:17 PM): 80ee0010, KERBEROS, Default Creditals, The authentication type requested is not supported.
Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM, Default Creditals, SIP status code: 401 Unauthorized.
Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM + DIGEST, User Defined Creditals, SIP status code: 401 Unauthorized.
Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM, User Defined Creditals, SIP status code: 401 Unauthorized.
Uccapi Error (2/10/2010 8:17 PM): 80ee0010, DIGEST, User Defined Creditals, The authentication type requested is not supported.
Sunday, February 14, 2010 1:02 AM
After doing a lot of reading I am a little confused, and maybe that is the reason for the login errors.
We are using OCS 2007 R2 Standard Edition with NO edge servers. In doing some reading I find that in order to have remote access and Public IM I have to have an Edge Server. Is that correct? I found a brief mention that it is possible by adding SRV records in your public DNS and forwarding port 5061.
If I am required to have an Edge Server for external users, then that makes the mystery of how I can log in from Windows 7 and Mac OS X outside the internal domain just fine even more of a confusing mess.
Is it possible for us to IM Windows Live contacts - such as joe.smith(companydomain.com)@msn.com - without an Edge Server?
Wednesday, May 12, 2010 9:33 AM
We are facing the same issue ATM.
I am pretty sure it's a difference in the NTLM version. Will keep you posted.
- Proposed As Answer by GlennB4u Wednesday, June 23, 2010 8:51 PM
Tuesday, May 25, 2010 4:43 AM
You definitely need an Edge server for external access unless you are going to VPN in. Do your Win 7 clients VPN in but not your Mac?
To IM with Windows Live contacts you have to go through the Public IM connectivity provisioning process. More info is here:
Here is the guide:
Wednesday, June 23, 2010 8:52 PM
Make this change to the registry on the xp/vista machines:
Windows Registry Editor Version 5.00
This worked for us. Our XP machines could not connect remotely to our OCS 2007 R2 server installed on the 2008 R2 OS.
- Marked As Answer by Gavin-ZhangModerator Thursday, June 24, 2010 7:47 AM
Tuesday, October 19, 2010 8:42 PM
I see that some time has passed, but I am running into the same situation where Win7 PCs connect fine from external, but XP Pro SP3 cannot WITHOUT a soft VPN being established first. Did you find a solution?
Friday, December 10, 2010 12:16 PM
Hello, I face the same problem. My Win 7 client connects successfully to my edge server but Win XP returns a "Lync was unable to sign in. Please verify your logon credentials and try again. If the problem continues, please contact your support team" message.
I tried to change the registry as GlennB4u suggests but nothing changed.
I noticed something strange also.
On the Win XP PC I connect with VPN to my local network and it finally connects successfully. After that, from that Win XP machine the specific account connects without problem and without VPN. It looks like something changes after the first login and after that it connects successfully. Now if I try a different account on the same Win XP PC I get the same error. After the VPN process, it works again for both accounts...
I have my event logging enabled but nothing is logged there about the error...
Sunday, December 12, 2010 6:22 PM
What OS is your edge running?
Monday, December 13, 2010 12:52 PM
Win 2008 R2 64-bit
Monday, December 13, 2010 6:14 PM
It's possible the Edge is requiring a stronger level of encryption than the client currently supports. What does a SIPStack trace on the edge show? If you want to try a quick test, disable the 128-bit encryption requirement on the edge server - that'll tell you if the NTLM encryption is the issue.
A more in depth explanation is here (including one of the recommendations above from GlennB4U):
From a security perspective it's best to increase encryption used on your clients but that's not always possible - do what is appropriate for your environment.
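As an added example that is not part of this thread or of any Microsoft tooling: a PowerShell script that reads, and can optionally raise, the machine-level NTLM settings the replies above point at (the "minimum session security for NTLM SSP based clients" policy, the 128-bit encryption requirement, and the NTLM version). It assumes those policies live in the documented LSA registry values LmCompatibilityLevel, NtlmMinClientSec and NtlmMinServerSec and that their NTLMSSP flag bits are 0x00080000 (NTLMv2 session security) and 0x20000000 (128-bit keys); the thread's own .reg change is not reproduced here, so whether these are the values GlennB4u's fix touched is an assumption. Run it on a Win7 client that signs in and on an XP client that gets 401 Unauthorized, and compare.

```powershell
# Added example (not from the thread). Reads the LSA settings that decide which NTLM
# variant and session-security minimum this machine negotiates; the replies above name
# these as the likely difference between Win7 clients that sign in and XP/Vista clients
# that fail the NTLM handshake with 401 Unauthorized.
# Assumption: the relevant values are LmCompatibilityLevel, NtlmMinClientSec (client side)
# and NtlmMinServerSec (edge side). The .reg change posted in the thread is not reproduced.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = "$Lsa\MSV1_0"

# Flag bits used by NtlmMinClientSec / NtlmMinServerSec (NTLMSSP negotiate flags).
$NtlmV2SessionSecurity = 0x00080000   # policy text: "Require NTLMv2 session security"
$Require128BitKey      = 0x20000000   # policy text: "Require 128-bit encryption"

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Describe-MinSec([int]$Value) {
    $parts = @()
    if ($Value -band $NtlmV2SessionSecurity) { $parts += 'NTLMv2 session security' }
    if ($Value -band $Require128BitKey)      { $parts += '128-bit encryption' }
    if ($parts.Count -eq 0) { return 'no minimum' }
    return ($parts -join ' + ')
}

function Get-NtlmSecuritySettings {
    $lm     = Get-RegDword $Lsa   'LmCompatibilityLevel'
    $client = Get-RegDword $Msv10 'NtlmMinClientSec'
    $server = Get-RegDword $Msv10 'NtlmMinServerSec'
    if ($null -eq $client) { $client = 0 }
    if ($null -eq $server) { $server = 0 }

    New-Object PSObject -Property @{
        LmCompatibilityLevel = $lm                              # $null = OS default
        SendsNtlmV2Only      = ($null -ne $lm -and $lm -ge 3)   # levels 3-5 send NTLMv2 only
        ClientMinimum        = Describe-MinSec $client
        ServerMinimum        = Describe-MinSec $server
        ClientRequires128Bit = [bool]($client -band $Require128BitKey)
        ServerRequires128Bit = [bool]($server -band $Require128BitKey)
    }
}

# Raise an external, non-domain-joined client to what a hardened domain typically
# enforces: NTLMv2 only (LmCompatibilityLevel 3) plus, optionally, NTLMv2 session
# security and 128-bit keys. Needs an elevated prompt; takes effect at the next sign-in.
function Set-NtlmClientSecurity {
    param(
        [int]$LmCompatibilityLevel = 3,
        [switch]$RequireNtlmV2Session,
        [switch]$Require128Bit
    )
    $minSec = 0
    if ($RequireNtlmV2Session) { $minSec = $minSec -bor $NtlmV2SessionSecurity }
    if ($Require128Bit)        { $minSec = $minSec -bor $Require128BitKey }

    New-ItemProperty -Path $Lsa   -Name LmCompatibilityLevel -Value $LmCompatibilityLevel -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Msv10 -Name NtlmMinClientSec     -Value $minSec               -PropertyType DWord -Force | Out-Null
    Get-NtlmSecuritySettings
}

# Usage: run on both a working Win7 client and a failing XP client and diff the output.
Get-NtlmSecuritySettings | Format-List
# Example hardening of a failing client (matches the "NTLMv2 + 128-bit" end of the policy):
# Set-NtlmClientSecurity -LmCompatibilityLevel 3 -RequireNtlmV2Session -Require128Bit
```

The moderator's "quick test" goes the other way: run Get-NtlmSecuritySettings on the edge and, if ServerRequires128Bit is true, clearing the 0x20000000 bit in NtlmMinServerSec (or the matching Group Policy setting) will show whether the 128-bit requirement is what the XP/Vista clients cannot meet. As the reply above says, raising the clients to the server's requirement is the safer fix; lowering the edge is a diagnostic, not a configuration to leave in place.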
Thursday, December 16, 2010 3:39 PM
First of all, how do you do a SIP stack trace on Lync?
I finally face a login problem on a local machine. The machine is in the LAN but not in the domain. Running Windows 7 64-bit it gets the following message... Lync was unable to sign in. Please verify your login credentials and try again. If the problem continues, please contact your support team.
In the same LAN I have many Windows 7 clients that connect correctly, and I can't understand why that client doesn't connect. I enabled the events but there is no error/info/warning. I tried the same account on another computer and it connects without problem, so it's not an account issue. Any ideas??