Lync 2013 - control panel (cannot sign in)

    Question

  • Greetings.

    After installing standard Lync 2013 pool (it's coexisting with our Lync 2010 in production environment), everything went well until I wanted to open Lync control panel on the Lync2013 server.

    When I start the Lync control panel icon it gives me URLs from the previous Lync control panel 2010 and from Lync control panel 2013. If I choose the 2010 URL I am able to sign in with a domain admin, but if I choose the Lync 2013 control panel URL I am not able to log in with a domain admin.

    And yes domain admin is a member of CSAdministrator group.

    I have looked at the permissions on the Lync 2013 server under IIS\sites\lync server internal web site\cscp and I see that domain admin has full permissions. Under authentication only Windows Authentication is enabled by default.

    LyncIntManagement application pools has identity: NetworkService.

    Domain admin is a local admin on this Lync 2013 server.

    Even if I manually type the Lync Control Panel URL in IE: https://newlync2013srvname.company.local/cscp I cannot log in. It looks like I was typing the password and the credentials window reopens just as if I were typing the wrong password. I have checked in AD if domain admin is locked out but it isn't. Keyboard input settings on the Lync 2013 server are set up right, because if I type the password in Notepad I see that I'm typing the right words.

    I have added https://newlync2013srvname.company.local to trusted sites.

    Restarted server several times, don't know where else to look for the root of this problem.

    Please help. It's a fresh installation of Lync 2013 server.


    bostjanc

    Wednesday, April 10, 2013 10:54 AM

Answers

  • I have solved the mystery but to tell you the truth I don't understand it, so someone please clarify that for me.

    If I put the FQDN of the Lync2013 srv on the server's IE under trusted sites the problem remains, buuuuuuut, if I put that address under the intranet zone, Lync Control Panel 2013 works like a charm. So where's the trick?


    bostjanc

    • Proposed as answer by Kent-Huang Thursday, April 18, 2013 9:49 AM
    • Marked as answer by Kent-Huang Thursday, April 25, 2013 8:57 AM
    Thursday, April 11, 2013 8:20 AM
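
The zone difference described in the answer above can be inspected from the registry: which IE zone the host is mapped to, and which logon policy (URL action 1A00) that zone applies. This is an added example, not part of the original thread; it assumes per-user zone settings under HKCU with no Group Policy override, and uses the host name from the question.

```powershell
# Added example. Host name taken from the thread; change it for your environment.
$HostName = 'newlync2013srvname.company.local'
$Scheme   = 'https'
$Base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }
# URL action 1A00 (logon) values, keyed by their decimal form.
$LogonPolicy = @{
    0      = 'Automatic logon with current user name and password'   # 0x00000
    65536  = 'Prompt for user name and password'                     # 0x10000
    131072 = 'Automatic logon only in Intranet zone'                 # 0x20000
    196608 = 'Anonymous logon'                                       # 0x30000
}

function Get-ZoneMapEntry {
    # Domains is the normal site-to-zone map; EscDomains is used while
    # IE Enhanced Security Configuration is enabled (common on servers).
    foreach ($map in 'Domains', 'EscDomains') {
        $root = "$Base\ZoneMap\$map"
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -Recurse) {
            # Key path below the map is <domain>[\<subdomain>]; reverse it to get the host pattern.
            $parts = $key.Name.Substring($key.Name.IndexOf("\$map\") + $map.Length + 2).Split('\')
            [array]::Reverse($parts)
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'DWord') { continue }
                [pscustomobject]@{ Map = $map; Pattern = $parts -join '.'
                                   Scheme = $name; Zone = [int]$key.GetValue($name) }
            }
        }
    }
}

$hits = @(Get-ZoneMapEntry | Where-Object {
    # Assumption: a domain-level entry is treated as covering its subdomains.
    ($HostName -eq $_.Pattern -or $HostName.EndsWith(".$($_.Pattern)")) -and
    ($_.Scheme -in '*', $Scheme)
})
if (-not $hits) { "$HostName has no explicit zone mapping for this user." }
foreach ($hit in $hits) {
    $value  = (Get-ItemProperty "$Base\Zones\$($hit.Zone)" -ErrorAction SilentlyContinue).'1A00'
    $policy = if ($null -ne $value -and $LogonPolicy.ContainsKey([int]$value)) { $LogonPolicy[[int]$value] } else { "unknown ($value)" }
    '{0} ({1}) -> zone {2} [{3}]: {4}' -f $hit.Pattern, $hit.Map, $hit.Zone, $ZoneNames[$hit.Zone], $policy
}
```

A host mapped to zone 2 whose policy reads "Automatic logon only in Intranet zone" is prompted for credentials instead of being signed in silently with the current Windows logon.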

All replies

  • Hello,

    Check your security event logs on the Lync Server. Perhaps you see the same sign-in issue with the account that you use to sign in on cscp. Verify the IIS logs, they log every access on the Lync Server IIS.

    regards

    Wednesday, April 10, 2013 12:11 PM
  • Add your account to the RTCUniversalServerAdmins group as well as CSAdministrators. Also, make sure the front end service is running on the 2013 box. You will get the web page without that service running but you will never be able to log in without that service running.

    Have you visited Lync News lately? All of the latest Lync news, articles, and tips collected in one giant aggregator. http://lyncne.ws

    Wednesday, April 10, 2013 3:57 PM
  • Hi,

    Please check the following link and also add your account to the RTCUniversalServerAdmins group (log off and log on)

    http://technet.microsoft.com/en-us/library/gg195689.aspx

    - Internet Browser Requirements
    - DNS Record and Certificate Requirements for the Administrative Access URL
    - Internet Information Services (IIS) Requirements
    - User Rights and Permissions

    Regards

    Wednesday, April 10, 2013 5:41 PM
  • Thank you for your replies. First of all I have checked IIS logs: %SystemDrive%\inetpub\logs\LogFiles but it did not record any login attempts. Do you need to enable any advanced logging in IIS to achieve that?
    Members of a RTCUniversalServerAdmins group are:
    -my domain account
    -domain admin account
    -lync2010 computer
    -lync2013 computer
    -RTCService

    -I have put an A RECORD with hostname "admin" to point to an IP address of Lync2013 srv in our internal DNS.
    -Certificate on FE Lync 2013 contains admin.company.local in the SAN.

    -On the Server 2012 where the Lync 2013 FE std pool is installed there is Silverlight version 4.1.10111.0 installed. Windows Update does not offer me any new updates or versions for Silverlight.
    -On the client computer (Windows 8 x64) I have Silverlight version 5.1.20125.0.
    But I don't think that Silverlight would be the problem, because if I open the site https://lync2013servername.company.local/cscp the sign-in problem is the same as if I would run it on the server side.
    -World Wide Publishing Service is started
    -Lync Server Front-End service is started.

    -With Lync shell I was able to move a user from Lync 2010 to Lync 2013 pool:
    Move-CsUser -Identity "testuser" -Target "fqdnlync2013srv.company.local"

    A strange thing is that one user suggested to move CMS on the new pool but I don't see his reply on the forum.
    I only see it in my email inbox.

    His suggestion was:

    Another user, Raju_raju, has replied to a thread you have subscribed to in the Lync Server 2013 - Management, Planning, and Deployment Forum.
    Thread Title Lync 2013 - control panel (cannot sign in)
    Started by: Bostjan Cvelbar
    Reply:
    HI
    Is the Lync CMS still on the Lync 2010 pool? Check this
    http://technet.microsoft.com/en-us/library/jj688013.aspx

    Well I have not done that yet, should I?
    What will that do to our current users on Lync2010 server? Can I "damage" anything?

    with best regards,

    bostjanc

    Thursday, April 11, 2013 7:32 AM
  • Hi,

    You can try to check the proxy settings in IE. You can refer to this link:

    http://support.microsoft.com/kb/303650/en-us


    Kent Huang
    TechNet Community Support

    Friday, April 12, 2013 1:39 AM
  • I needed to make this change in IIS before it worked for me:

    "IIS 7 was difficult for figuring out why I was getting the 401 - Unauthorized: Access is denied due to invalid credentials... until I did this...

    1.) Open IIS and select the website that is causing the 401

    2.) Open the "Authentication" property under the "IIS" header

    3.) Click the "Windows Authentication" item and click "Providers"

    4.) For me the issue was that Negotiate was above NTLM. I assume that there was some kind of handshake going on behind the scenes, but I was never really authenticated. I moved the NTLM to the topmost spot, and BAM that fixed it."

    Thursday, August 29, 2013 12:04 PM
  • I needed to make this change in IIS before it worked for me:

    "IIS 7 was difficult for figuring out why I was getting the 401 - Unauthorized: Access is denied due to invalid credentials... until I did this...

    1.) Open IIS and select the website that is causing the 401

    2.) Open the "Authentication" property under the "IIS" header

    3.) Click the "Windows Authentication" item and click "Providers"

    4.) For me the issue was that Negotiate was above NTLM. I assume that there was some kind of handshake going on behind the scenes, but I was never really authenticated. I moved the NTLM to the topmost spot, and BAM that fixed it."


    Correct answer IMHO - thx

    ChichioIT

    Thursday, October 03, 2013 9:59 AM