lync phone device sign in failed

    Question

  • Hi. I have an environment of Lync 2010.

    Front End Pool - 1 server

    Director pool - 2 servers

    AV pool - 2 servers

    My DNS system is split brain. Local domain company.net, external domain company.com

    DNS pinpoint zones:

    lyncpool01.company.net pointed to Lync FE server IP address

    _sipinternaltls._tcp.company.com SRV 0 0 5061 pointed to sip.company.com

    sip.company.com pointed to Lync FE server IP address.

    dialin.company.com pointed to Lync FE server IP address

    meet.company.com pointed to Lync FE server IP address

    ucupdates-r2.company.com pointed to Lync FE server IP address

    _ntp._udp.company.com SRV 0 0 123 pointed to my DC (WIN2K8R2)

    =================================================

    DHCP options

    I tried to point option 120 and 43 to FE and Director pool, but no result.

    All 6 options of DHCP successfully deployed:

    ==============================================================================

    The result of Test-CsPhoneBootStrap

    VERBOSE: Target server fqdn AND web service URL provided by user.
    'STActivity' activity started.
    Trying to download a certificate chain from web service.
    Web Service url :
    http://lyncpool01.company.net/CertProv/CertProvisioningService.svc
    Certificate chain downloaded successfully.
    'STActivity' activity completed in '0,0185095' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url :
    https://lyncpool01.company.net:443/WebTicket/WebTicketService.svc
    Using PIN auth with Phone\Ext : 1010 Pin : 180291
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0,1102579' secs.
    'STActivity' activity started.
    Starting ResolveUser activity using Web Ticket.
    Web Service url :
    https://lyncpool01.company.net:443/CertProv/CertProvisioningService.svc
    Found user : sip:raliyev@company.com
    Setting sip uri 'sip:raliyev@company.com' back to parent workflow.
    ResolveUser activity completed.
    'STActivity' activity completed in '0,0988848' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url :
    https://lyncpool01.company.net:443/WebTicket/WebTicketService.svc
    Using PIN auth with Phone\Ext : 1010 Pin : 180291
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0,1038949' secs.
    'STActivity' activity started.
    Trying to download a CS certificate for User : raliyev@company.com endpoint :
    STEpid
    Web Service url :
    https://lyncpool01.company.net:443/CertProv/CertProvisioningService.svc
    GetCSCertificate activity completed.
    'STActivity' activity completed in '0,4309389' secs.
    'Register' activity started.
    Sending Registration request:
     Target Fqdn      = lyncpool01.company.net
     User Sip Address = sip:raliyev@company.com
     Registrar Port = No Port is provided..
    Auth Type 'Certificate' is selected.
    Registration Request hit against LC2K10EES.company.net
    'Register' activity completed in '0,0913775' secs.
    Starting cleanup...
    cleanup successful.
    'UnRegisterActivity' activity started.
    'UnRegisterActivity' activity completed in '0,0049845' secs.
    Workflow
    'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow',
    succeded.
    VERBOSE: Workflow Instance Id d80e2d02-5e25-47dd-9927-ec8809c19089, completed.
    VERBOSE: Workflow Execution Time (sec): 0.9030903

    ===========================================================================

    The result of Test-CsClientAuth

    VERBOSE: Target web service url not provided. Will have to extract it from auth
     challenge.
    'STActivity' activity started.
    Starting STS Uri Discovery...
    Found sts-uri :
    https://lyncpool01.company.net:443/CertProv/CertProvisioningService.svc.
    STS Uri Discovery activity completed successfully.
    'STActivity' activity completed in '0,0141103' secs.
    'STActivity' activity started.
    Trying to get web ticket.
    Web Service url :
    https://lyncpool01.company.net:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerb auth.
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0,0556596' secs.
    'STActivity' activity started.
    Trying to download a CS certificate for User : raliyev@company.com endpoint :
    STEpid
    Web Service url :
    https://lyncpool01.company.net:443/CertProv/CertProvisioningService.svc
    GetCSCertificate activity completed.
    'STActivity' activity completed in '0,5940291' secs.
    'Register' activity started.
    Sending Registration request:
     Target Fqdn      = lyncpool01.company.net
     User Sip Address = sip:raliyev@company.com
     Registrar Port = No Port is provided..
    Auth Type 'Certificate' is selected.
    Registration Request hit against LC2K10EES.company.net
    'Register' activity completed in '0,0951852' secs.
    'UnRegisterActivity' activity started.
    'UnRegisterActivity' activity completed in '0,0046577' secs.
    Starting cleanup...
    cleanup successful.
    Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STClientAuthWorkflow',
    succeded.
    VERBOSE: Workflow Instance Id 5419b6d7-ff06-4244-9dba-708d61978e88, completed.
    VERBOSE: Workflow Execution Time (sec): 0.8020802

    ===========================================================

    Configuration information of Lync 2010 Client

    ==============================================================================

    The result of Get-CsWebServiceConfiguration


    PS C:\Users\raliyev> Get-CsWebServiceConfiguration

    Identity                             : Global
    TrustedCACerts                       : {}
    MaxGroupSizeToExpand                 : 100
    EnableGroupExpansion                 : True
    UseWindowsAuth                       : Negotiate
    UseCertificateAuth                   : True
    UsePinAuth                           : True
    AllowAnonymousAccessToLWAConference  : True
    EnableCertChainDownload              : True
    InferCertChainFromSSL                : True
    CASigningKeyLength                   : 2048
    MaxCSRKeySize                        : 16384
    MinCSRKeySize                        : 1024
    MaxValidityPeriodHours               : 8760
    MinValidityPeriodHours               : 8
    DefaultValidityPeriodHours           : 4320
    MACResolverUrl                       :
    SecondaryLocationSourceUrl           :
    ShowJoinUsingLegacyClientLink        : True
    ShowDownloadCommunicatorAttendeeLink : True

    =====================================================

    The result of Get-CsProxyConfiguration

    Identity                           : Global
    Realm                              : Microsoft.Rtc.Management.WritableConfig.Se
                                         ttings.SipProxy.UseDefault
    MaxClientMessageBodySizeKb         : 128
    MaxServerMessageBodySizeKb         : 5000
    TreatAllClientsAsRemote            : False
    OutgoingTlsCount                   : 4
    DnsCacheRecordCount                : 30000
    EnableWhiteSpaceKeepAlive          : True
    UseKerberosForClientToProxyAuth    : False
    UseNtlmForClientToProxyAuth        : True
    DisableNtlmFor2010AndLaterClients  : False
    UseCertificateForClientToProxyAuth : True
    AcceptClientCompression            : True
    MaxClientCompressionCount          : 15000
    AcceptServerCompression            : True
    MaxServerCompressionCount          : 1024
    RequestServerCompression           : True

    ===========================================================

    The Lync logging tool is not showing any useful information.

    I checked the logs for CertProvisioning, S4, SipStack and WebInfrastructure.

    ====================================================

    In the end I can't catch the problem.


    RFT

    Friday, December 28, 2012 12:37 PM

All replies

  • Are you able to sign-in on a phone using USB tethering at least?  That should be your first test as that process does not use any of the DHCP 43/120 settings so it can help pinpoint where in the configuration the problem may reside.

    I suggest walking through all the sections of this article and reporting back what does and does not work in your testing: http://blog.schertz.name/2012/03/troubleshooting-lync-phone-edition-issues


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    • Marked as answer by Kent-Huang Wednesday, January 09, 2013 5:05 AM
    Friday, December 28, 2012 1:53 PM
    Moderator
  • Hi Jeff. No, USB tethering is also not working.

    I already checked your blog.

    My phone models are Polycom CX 500, 600, 700 and 3000.


    RFT



    Friday, December 28, 2012 1:58 PM
  • OK, that is very telling as USB tethering has very few requirements and in most environments works right out of the box.

    Here are the main things to check:

    • Is the Lync User's Telephony setting set to Enterprise Voice?  This is a requirement to use Lync Phone Edition (the Line URI does not need to be populated).
    • Time Server issues can also prevent sign-in.  If a Time Server is not provided via DHCP or DNS SRV then the phone will fallback to connecting to time.windows.com, so if the phone does not have Internet access or NTP traffic is blocked at a firewall, then this could be your problem as well.
    • Obvious, but worth pointing out: make sure the phone is connected to Ethernet and receiving a basic DHCP lease (IP, subnet, gateway, DNS, etc).  USB tethering does not work unless the device is also connected to Ethernet.

    Follow the steps in this article to at least get USB tethering working

    http://blog.schertz.name/2010/12/externally-provisioning-lync-phone-edition-3

    Then you can move on to PIN authentication:

    http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Friday, December 28, 2012 3:40 PM
    Moderator
  • Thanks for the response, Jeff.

    The user is enabled for Enterprise Voice (the Line URI is also populated, and all normalization rules are created and tested).

    The time server is provided via DNS, as I mentioned. After a phone factory reset I see that within a few seconds the phone gets the correct time from my DC.

    The phone is connected to Ethernet, and I captured the traffic between the phone and the network with Wireshark using port mirroring on my Cisco switches. I see that all defined DHCP options are received by the phone.

    I don't have problems with PIN authentication, as you can see from the result of Test-CsPhoneBootStrap.


    RFT

    Friday, December 28, 2012 4:37 PM
  • At this point I would look into a certificate-related issue preventing a TLS session from establishing.

    Are you using an internal private certificate or a trusted public certificate on your Lync Server?  If using an internal CA then run a network capture on the Lync server during phone bootstrap and look for HTTP/80 connections (POST to the CertProv URL and an HTTP 200 OK response).

    This would indicate a successful download of the root CA certificate, and then the phone should switch to HTTPS 443 and TLS 5061 for the remaining communications.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    • Marked as answer by Kent-Huang Tuesday, January 01, 2013 1:54 AM
    • Unmarked as answer by Kent-Huang Tuesday, January 01, 2013 1:54 AM
    Friday, December 28, 2012 5:35 PM
    Moderator
  • Hi Jeff. This is the first time I have had a big problem with certificates on my Lync server. I have a two-tier CA in my infrastructure.

    All my certificates use the RSASSA-PSS signature algorithm. After 3 months of searching for this issue I found out that Lync server supports only the sha1RSA signature algorithm. I changed some settings on my internal enterprise CA and requested a new certificate for my Lync server, and everything was OK. But now my root and enterprise CAs are still using RSASSA-PSS; I don't think that this setting can cause a problem.

    I can show you the result of network capture between Polycom CX 600 and my Lync server.

    192.168.67.80 is my Lync server, 192.168.1.193 is Polycom CX 600 LPE. 


    RFT


    • Edited by Rufat Aliyev Saturday, December 29, 2012 5:06 PM
    Saturday, December 29, 2012 7:01 AM

  • RFT

    Saturday, December 29, 2012 7:02 AM
  • Hi,
    Have you tried to add the parameters of Test-CsPhoneBootstrap to test like this:
    Test-CsPhoneBootstrap -PhoneOrExt 7501 -PIN 14789
    Please make sure the extension would be translated to E.164 format number correctly.



    Kent Huang
    TechNet Community Support

    Thursday, January 03, 2013 9:28 AM
  • Hi Kent. Thank you for your response.

    Yes, the parameters of Test-CsPhoneBootStrap are added, as you can see from this:

    Using PIN auth with Phone\Ext : 1010 Pin : 180291
    GetWebTicketActivity completed.
    'STActivity' activity completed in '0,1038949' secs.
    'STActivity' activity started.
    Trying to download a CS certificate for User : raliyev@company.com endpoint


    RFT


    Friday, January 04, 2013 7:57 PM
  • The problem is temporarily solved by configuring an additional ADCS Enterprise server with a new root certificate (sha1RSA signature algorithm). My question is still in progress. If in my structure (with an offline root and Enterprise CAs) I renew my SubCA certificate, will this work? Or do I need to renew my offline root CA certificate too, with the sha1RSA signature algorithm?

    RFT

    • Marked as answer by Rufat Aliyev Monday, January 07, 2013 1:37 PM
    • Unmarked as answer by Rufat Aliyev Monday, January 07, 2013 1:37 PM
    • Marked as answer by Rufat Aliyev Tuesday, January 08, 2013 1:07 PM
    • Unmarked as answer by Rufat Aliyev Tuesday, January 08, 2013 1:07 PM
    • Marked as answer by Rufat Aliyev Tuesday, January 08, 2013 1:07 PM
    • Unmarked as answer by Rufat Aliyev Tuesday, January 08, 2013 1:08 PM
    Monday, January 07, 2013 12:18 PM
  • Yes, Lync does not support certificate authorities using that type of signing algorithm on any certificates (server or CA).  You'll need to replace all the certs to use a supported hash.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    • Marked as answer by Rufat Aliyev Tuesday, January 08, 2013 1:07 PM
    Monday, January 07, 2013 2:19 PM
    Moderator
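    The exchange above comes down to one check: which signature algorithm each certificate in the chain behind the Lync Front End certificate carries, since the thread reports that RSASSA-PSS on any of them (server, sub CA or root) breaks Phone Edition sign-in while sha1RSA works. The following PowerShell script is an added example and not code from the thread or from Lync; it assumes the Front End certificate sits in the local machine `My` store and is selected by a placeholder thumbprint you replace with your own. The OIDs it uses are the standard PKCS #1 identifiers for RSASSA-PSS, sha1RSA and sha256RSA.

```powershell
# Added example (not from the thread): walk the certificate chain behind the
# Lync Front End certificate and report the signature algorithm of every link,
# flagging RSASSA-PSS, which the thread reports Lync Phone Edition rejects.
# Assumption: the FE certificate is in Cert:\LocalMachine\My and is identified
# by the placeholder thumbprint below (replace it with the real one).

$FeThumbprint = 'REPLACE_WITH_FE_CERT_THUMBPRINT'   # placeholder, not from the thread

# PKCS #1 signature algorithm OIDs (standard values, not thread-specific)
$PssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS : reported as unsupported
$KnownOids = @{
    '1.2.840.113549.1.1.5'  = 'sha1RSA'      # reported as working in the thread
    '1.2.840.113549.1.1.11' = 'sha256RSA'    # asked about later in the thread
    $PssOid                 = 'RSASSA-PSS'
}

function Get-ChainSignatureReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is irrelevant to the question being asked; skip it so an
    # unreachable CRL does not hide the chain we want to inspect.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $oid  = $cert.SignatureAlgorithm.Value
        $name = if ($KnownOids.ContainsKey($oid)) { $KnownOids[$oid] } else { $cert.SignatureAlgorithm.FriendlyName }
        $status = if ($oid -eq $PssOid) { 'UNSUPPORTED (RSASSA-PSS)' } else { 'ok' }

        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            Algorithm = $name
            Oid       = $oid
            Status    = $status
        }
    }
    $chain.Reset()
}

$fe = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $FeThumbprint }
if (-not $fe) {
    throw "Certificate with thumbprint $FeThumbprint was not found in Cert:\LocalMachine\My"
}

# One row per chain element: leaf first, root last. Any row marked UNSUPPORTED
# is a certificate that has to be reissued before the phones will sign in.
Get-ChainSignatureReport -Certificate $fe | Format-Table -AutoSize
```

    Run it on the Front End server itself so the chain is built from the same stores the server uses. Because the report lists the root and the subordinate CA as separate rows, it answers the question raised just above directly: if the root row is the one flagged, renewing only the SubCA certificate leaves the offending signature in the chain.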
  • Hi Jeff. Thanks. The problem is solved by renewing all the tree's certificates (replacing RSASSA-PSS with sha1RSA).

    Good to know that this pain is finished)))


    RFT

    Tuesday, January 08, 2013 1:06 PM
  • Sorry to awake an old thread but I believe I may have the same issue. Can you confirm that Lync Phones (DHCP or USB Tethering) will not work when the ROOT CA is using sha256RSA?

    Thanks in advance. This was not intentional, CA has been previously set this way.

    Would the solution be then to:

    1. Establish another Enterprise CA with the default sha1RSA

    2. Wait for propagation so my Lync Desktop clients trust this CA

    3. Re-Issue all Lync Edge and FE (and UM in my case as well) Certs using this new CA?

    Friday, November 01, 2013 6:59 PM
  • Hi Rutaf

    I have the same scenario and I need to know if it is necessary to rebuild my CA topology (offline CA and subordinate).

    Thanks in advance!



    Robson Hasselhoff - Follow me @Robk9e

    Friday, May 30, 2014 3:22 AM