Vista and XP Login Error

    Question

  • We are testing Office Communicator with our company and have come across a weird issue.  All of our employees will be remote and so we set up the server specific to that.  In testing we can log in just fine inside the domain and it works perfectly.  However, outside of the domain we can only get the client software to log in successfully on Windows 7 PCs.  All the Vista and XP machines error out at login every time.  We have uninstalled, applied the latest updates and get the same login failure error every time.

    In validation test I get 2 errors.

    Error: One or more pool hosted users are enabled for federation, remote access or public IM connectivity, but global federation is disabled.

    and

    Routing trust check and MTLS connectivity: outgoing TLS negotiation failed; HRESULT=-2146893022

    Wednesday, January 27, 2010 4:26 PM

Answers

  • Make this change to the registry on the xp/vista machines:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
    "NtlmMinClientSec"=dword:20080000
    "NtlmMinServerSec"=dword:20080000

    This worked for us.  Our xp machines could not connect remotely to our OCS 2007R2 server installed on 2008R2 OS.

    Wednesday, June 23, 2010 8:52 PM
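    As an added example (not from the thread and not Microsoft's code), the PowerShell below decodes the two DWORD values the .reg file above sets and checks whether a machine's current NtlmMinClientSec/NtlmMinServerSec already carry every bit of the 0x20080000 the answer applies. The flag meanings are the documented bits of the "Network security: Minimum session security for NTLM SSP based clients/servers" policy; treating a missing registry value as 0 is an assumption made for the example.

```powershell
# Added example, not from the thread: decode the NtlmMinClientSec /
# NtlmMinServerSec DWORD flags and check whether this machine meets the
# value the accepted answer applies (0x20080000). Flag meanings are those of
# the "Network security: Minimum session security for NTLM SSP based
# (including secure RPC) clients/servers" policy that writes these values.
$NtlmMinSecFlags = [ordered]@{
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}

function ConvertTo-NtlmMinSecDescription {
    param([Parameter(Mandatory)][uint32]$Value)
    $names = foreach ($flag in $NtlmMinSecFlags.Keys) {
        if ($Value -band $flag) { $NtlmMinSecFlags[$flag] }
    }
    if (-not $names) { $names = @('no minimum (OS default negotiation)') }
    '0x{0:X8} = {1}' -f $Value, ($names -join ' + ')
}

function Test-NtlmMinSecMeetsRequirement {
    # True when every bit the server side requires is also set on the client.
    param([uint32]$Client, [uint32]$Required)
    return (($Client -band $Required) -eq $Required)
}

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # key from the .reg file above
$required = [uint32]0x20080000                                       # value from the .reg file above

foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
    # A missing value means the OS default applies; treated here as 0 (assumption).
    $raw     = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
    $current = [uint32]([int64]$raw -band 0xFFFFFFFFL)   # REG_DWORD comes back as a signed Int32
    "{0,-17} current : {1}" -f $name, (ConvertTo-NtlmMinSecDescription $current)
    "{0,-17} required: {1}" -f $name, (ConvertTo-NtlmMinSecDescription $required)
    if (Test-NtlmMinSecMeetsRequirement -Client $current -Required $required) {
        "$name already meets the requirement."
    } else {
        "$name is weaker than the value the answer applies; raise the client rather than lowering the server."
    }
}
```

    Running this on an affected XP/Vista client before and after importing the .reg file shows which of the two bits was missing; a "weaker" result on a client that still fails to sign in points back at the NTLM session security mismatch this thread describes rather than at certificates.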

All replies

  • Have you made sure that you trust the certificates you are using on your edge server on all your clients?
    Matt Nixon | http://unifiedmatt.blogspot.com
    Wednesday, January 27, 2010 10:51 PM
  • Yes.  We directly imported them to each machine and verified they were accepted.  We followed the exact process on each machine.  It really is weird that the Windows 7 machines work great but Vista and XP PCs won't get past the login.
    Thursday, January 28, 2010 3:49 AM
  • What specific error do you receive when login fails?  Turn on Event Viewer logging (http://support.microsoft.com/kb/871023) in Office Communicator and check the Application log on the workstation for more details.  It's typically either 'unable to contact server' or some type of certificate-related error.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, January 28, 2010 1:38 PM
  • This is from the log:

    End of Sending Packet - 192.41.32.11:5061 (From Local Address: 192.168.2.12:1219) 1192 bytes
    ASYNC_SOCKET::InternalSend no compression, BytesLeft = 1192, BytesToSend = 1192, cbDataToEncryptSize = 1192, psDataToEncrypt = 03DF0BE8
     - encrypted buffer length: 1217 bytes.  First 8 bytes:
    17 03 01 04 BC DE AA 01  :....¼Þª.
    ASYNC_SOCKET::SendOrQueueIfSendIsBlocking sending sendBuffer 03DECA88, this 00222088, pSendBuffer->m_BufLen = 1217
    043 60AC:62BC TRACE :: ASYNC_SOCKET::SendHelperFn sendBuffer 03DECA88 sent, this 00222088, m_BytesSent = 1217, pSendBuffer->m_BufLen = 1217
    SECURE_SOCKET: decrypting buffer size: 642 (first 8):
    60AC:62BC TRACE ::     17 03 01 02 7D A1 2B 18  :....}¡+.
    60AC:62BC INFO  :: Data Received - 192.41.32.11:5061 (To Local Address: 192.168.2.12:1219) 617 bytes:
    60AC:62BC INFO  :: SIP/2.0 401 Unauthorized
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="domain.com", version=4
    From: <sip:usenamer@domain.com>;tag=0a49f809e1;epid=2d2eb84dd2
    To: <sip:username@domain.org>;tag=EAB8079216B4DA7784DA7E4305462BE9
    Call-ID: 8d98ec205f2b42f9b76261278795b72e
    CSeq: 5 REGISTER
    Via: SIP/2.0/TLS 192.168.2.12:1219;received=98.202.25.79;ms-received-port=1219;ms-received-cid=1700
    ms-diagnostics: 1000;reason="Final handshake failed";source="Domain.com";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)"
    Content-Length: 0

    Thursday, January 28, 2010 3:32 PM
  • Hi Hurleymman,
    Per your description above, you have two validation wizard errors on your edge server.
    For the first error, you can ignore it.
    Do you use your own internal CA for all the clients?
    The second error may be caused by the following:
      - Certificates for the internal interface of the edge server and the external interfaces
      - Internal PKI issues
      - Could not get to PKI servers
      - DNS A record issues
    Mostly it seems to be a certificate issue; you can remove and request new certificates and test again.
    You mentioned that the clients could log in successfully on a Win7 box; please check the protocol used by the clients, TLS or TCP.
    According to the "reason="Final handshake failed";source="Domain.com";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)", there are also some other possible causes:
    The "NTLM minimum session security for NTLM SSP based (including secure RPC) clients" setting for the domain is more restrictive than that of the external non-domain-joined machine.
    You can change the external machine settings to match the domain requirements.
    Please check whether or not you can telnet to the correct port on the edge server successfully.
    You can refer to the below:
    http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx

    Regards!
    gavin
    Tuesday, February 02, 2010 8:31 AM
  • I am not sure about all the certificate stuff.  I am still trying to sort that one out.

    As far as logging in is concerned, I am still having the same problem.  All of our users will be outside the domain.  I downloaded the certificate from the server and imported it into the root certificates.  Installed the latest Office Communicator client, then ran the updates.  Set up the OC client with manual settings pointing to our server using TLS.  Put the required login credentials in.  On the domain I have tried both domain.com\username and just username and get the same result.

    Windows 7 and Mac OS X work perfectly.  They log in and work as supposed to.  However, on Vista and XP machines we cannot get past the login error as described above.  I have tried TLS and TCP with the same result.  The settings are matched exactly on the Windows 7 and the Vista/XP machines.

    Tuesday, February 09, 2010 8:37 PM
  • Hi
    I kindly suggest that you check that the OCS server works well inside the domain, and use an account to make a test.
    And then check that the OCS edge server is deployed correctly, referring to the link below:
    http://technet.microsoft.com/en-us/library/dd441282(office.13).aspx

    Regards!
    gavin
    Wednesday, February 10, 2010 2:21 AM
  • I did a test inside the domain and it works without any problems.  I also did several verification tests and they also didn't have user login issues.

    I am reviewing the document you suggested, making sure the Edge Server is up and working correctly.  Will post those results.

    Here are the errors I am getting from the other IM client I tried.

    Uccapi Error (2/10/2010 8:17 PM): 80ef0191, KERBEROS + NTLM, Default Creditals, SIP status code: 401 Unauthorized.
    Uccapi Error (2/10/2010 8:17 PM): 80ee0010, KERBEROS, Default Creditals, The authentication type requested is not supported.
    Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM, Default Creditals, SIP status code: 401 Unauthorized.
    Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM + DIGEST, User Defined Creditals, SIP status code: 401 Unauthorized.
    Uccapi Error (2/10/2010 8:17 PM): 80ef0191, NTLM, User Defined Creditals, SIP status code: 401 Unauthorized.
    Uccapi Error (2/10/2010 8:17 PM): 80ee0010, DIGEST, User Defined Creditals, The authentication type requested is not supported.
    Thursday, February 11, 2010 3:22 AM
  • After doing a lot of reading I am a little confused, and maybe this is the reason for the login errors.

    We are using an OCS Standard Edition 2007 R2 with NO edge servers.  In doing some reading I find that in order to have remote access and Public IM I have to have an Edge Server.  Is that correct?  I found a brief mention that it is possible by adding SRV records in your public DNS and forwarding port 5061.

    If I am required to have an Edge server for external users, then that makes the mystery of how I can log in from Windows 7 and Mac OS X outside the internal domain just fine even more of a confusing mess.

    Is it possible for us to IM Windows Live contacts - such as joe.smith(companydomain.com)@msn.com - without an Edge Server?
    Sunday, February 14, 2010 1:02 AM
  • Hi,

    we are facing the same issue ATM.

    I am pretty sure it's a difference in the NTLM version.  Will keep you posted.

    • Proposed as answer by GlennB4u Wednesday, June 23, 2010 8:51 PM
    Wednesday, May 12, 2010 9:33 AM
  • Hi there,

    You definitely need an Edge server for External Access unless you are going to VPN in. Do your Win 7 clients VPN in but not your MAC?

    To IM with Windows Live contacts you have to go through the Public IM connectivity provisioning process. More info is here:

    http://blogs.technet.com/b/ucedsg/archive/2010/05/13/how-do-i-federate-ocs-im-with-live-edu-windows-live-or-aol.aspx

    Here is the guide:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=9ccaac38-2da8-4a76-8193-96f4bbf04678&displaylang=en

    Tuesday, May 25, 2010 4:43 AM
  • I see that some time has passed, but I am running into the same situation where Win7 PCs connect fine from external, but XP Pro SP3 cannot WITHOUT a soft VPN being established first.  Did you find a solution?
    Tuesday, October 19, 2010 8:42 PM
  • Hello, I face the same problem: my Win 7 client connects successfully on my edge server but Win XP returns a "Lync was unable to sign in. Please verify your logon credentials and try again. If the problem continues, please contact your support team" message.

    I tried to change the registry as GlennB4u suggests but nothing changed.

    I noticed something strange also.

    On the WinXP PC I connect with VPN to my local network and finally it connects successfully.  After that, from that WinXP machine the specific account connects without problem and without VPN.  Looks like something changed after the first login and after that it connects successfully.  Now if I try a different account on the same WinXP PC I get the same error.  After the VPN process, it works again for both accounts...

    Any suggestions??

    I have my events logging enabled but nothing is logged there about the error...

    Friday, December 10, 2010 12:16 PM
  • What OS is your edge running?
    Sunday, December 12, 2010 6:22 PM
  • Win 2008 R2 64-bit
    Monday, December 13, 2010 12:52 PM
  • It's possible the Edge is requiring a stronger level of encryption than the client currently supports. What does a sipstack trace on the edge show? If you want to try a quick test, disable the 128 bit encryption requirement on the edge server - that'll tell you if the NTLM encryption is the issue.

    http://www.tincupsandstring.com/2010/11/11/lync-2010-ntlm-client-authentication-mismatch/

    A more in depth explanation is here (including one of the recommendations above from GlennB4U):

    http://blog.tiensivu.com/aaron/archives/1917-OCS-2007,-NTLM,-and-Edge-server-login-problems.html

    From a security perspective it's best to increase the encryption used on your clients, but that's not always possible - do what is appropriate for your environment.

    Monday, December 13, 2010 6:14 PM
  • First of all, how do I do a sipstack trace on Lync?

    I finally face a login problem on a local machine.  The machine is in the LAN but not in the domain, running Windows 7 64-bit, and gets the following message... Lync was unable to sign in. Please verify your login credentials and try again. If the problem continues, please contact your support team.

    In the same LAN I have many Windows 7 clients that connect correctly, and I can't understand why that client doesn't connect.  I enabled the events but there is no error/info/warning.  I tried the same account on another computer and it connects without problem, so it's not an account issue.  Any ideas??

    Thursday, December 16, 2010 3:39 PM