locked
unable to login to SFB client after migrating fro lync 2010 to SFB server 2015 RRS feed

  • Question

  • Hi all,

    we are on the process of upgrading from lync 2010 to SFB 2015, i hve installed a new sfb 2015 pool successfully and all the services are running without any issues. i created new users in SFB pool with ent voice featues

    Unfortunately i am facing following issue

    currently the dns records are pointing to lync server

    1) unable to login to SFB control panel using the name of the  sfb server, i am getting the credential popup and unable to login, but if i tried to login using the ip address of the sfb server , login is successful without any issue

    2) SFB pool users are able to phones and able to make pstn calls but users are unable to login to SFB client getting error message " login credential erroor" but the same user can login to lync 2010 

    3) using SFB client lync 2010 pool users are able to login

    4)tried to manually configure the client to point sfb server and tried to login ,but login failed

    from the log file iam getting below message

    06/06/2018|15:55:19.552 D68:D6C INFO  :: 
    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <Login>
        <Info><![CDATA[Created DefaultCredential: CManagedCredential[DEFAULT this=051958C0]]]></Info>
        <Info><![CDATA[Adding new managed cred CManagedCredential[DEFAULT this=051958C0]]]></Info>
        <Info><![CDATA[Created DefaultProxyCredential: CManagedCredential[DEFAULT this=05195990]]]></Info>
        <Info><![CDATA[Adding new managed cred CManagedCredential[DEFAULT this=05195990]]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType return the cred: 00000000, type:specific, userId:PHO]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType return the cred: 00000000, type:certificate, userId:OCS]]></Info>
        <Info><![CDATA[Bootstrap task queued]]></Info>
        <Info><![CDATA[Starting bootstrap task: baseUrl=, invalidRootCerts=0, deviceId=070F08BC-E057-5067-AE8B-9D05DA2B2205, cert=00000000]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10000] -> [10000]]]></Info>
        <Info><![CDATA[Bootstrap task completed with hr=0x0]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10000] -> [10002]]]></Info>
        <Info><![CDATA[
       Starting LogonSession...
       Calculating Initial Endpoint Config:
       Local interfaces: count=0, allExternal=0, someInternal=0, allIdentifying=0, backend=0
       Using loaded endpoint config
       resultCode=0x0
       networksAvailable=0
       cacheAvailable=0
       takenFromCache=0
       allIdentifying=0]]></Info>
        <Info><![CDATA[
    Received network unavailable timer event
       statusCode (adjusted)=80ee00bd
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=1
       Login failed with temporary error and auto-retrials
       Recovery mode switched on, newMode=ActiveForLocalError
       nextAttemptDelay=500
       newState=LoggedOut]]></Info>
        <Info><![CDATA[
    Received network unavailable timer event
       statusCode (adjusted)=80ee00bd
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=1
       Login failed with temporary error and auto-retrials
       Recovery mode switched on, newMode=ActiveForLocalError
       nextAttemptDelay=500
       newState=LoggedOut]]></Info>
        <Info><![CDATA[
    Received timer event, recoveryAttemptCount=0, recoveryMode=ActiveForLocalError, waitingForLogonCred=0, waitingForProxyCred=0
       Calculating Initial Endpoint Config:
       Local interfaces: count=0, allExternal=0, someInternal=0, allIdentifying=0, backend=0
       Using loaded endpoint config
       resultCode=0x0
       networksAvailable=0
       cacheAvailable=0
       takenFromCache=0
       allIdentifying=0]]></Info>
        <Info><![CDATA[
    Received network unavailable timer event
       statusCode (adjusted)=80ee00bd
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=1
       Login failed with temporary error and auto-retrials
       Recovery mode switched on, newMode=ActiveForLocalError
       nextAttemptDelay=5000
       newState=LoggedOut]]></Info>
        <Info><![CDATA[
    Received network unavailable timer event
       statusCode (adjusted)=80ee00bd
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=1
       Login failed with temporary error and auto-retrials
       Recovery mode switched on, newMode=ActiveForLocalError
       nextAttemptDelay=5000
       newState=LoggedOut]]></Info>
        <Info><![CDATA[
    Received timer event, recoveryAttemptCount=1, recoveryMode=ActiveForLocalError, waitingForLogonCred=0, waitingForProxyCred=0
       Calculating Initial Endpoint Config:
       Local interfaces: count=1, allExternal=0, someInternal=0, allIdentifying=0, backend=0
       Using loaded endpoint config
       resultCode=0x0
       networksAvailable=1
       cacheAvailable=0
       takenFromCache=0
       allIdentifying=0
    Doing logon attempt with data:
       currState=LoggedOut
       sipUri=sfbtest1@test.com
       server=sfb-fe1.test.com, internal
       authModes=0x1000c
       logonCredPassword.CredType is Default
       proxyAuthModes=0x3f
       epFlags=200
       withAutoRetrials=1
       credsAvailability=CredsValid
       redirectedServersList=
       newState=AboutToLogIn
       statusCode=0]]></Info>
        <Info><![CDATA[Logon success state 2 reported by user id=OCS (adjusted=OCS) on CManagedCredential[DEFAULT this=051958C0]]]></Info>
        <Info><![CDATA[
       VerifyOnEnableEvent result return ONENABLE_FAIL_AUTH_FAIL_CERT_THEN_SPECIFIC
       status=0x80ef0191
       authWebserviceBaseUrl=https://SFB-FE1.test.com:443/CertProv/CertProvisioningService.svc
        ACTION: AUTH FAIL - NEED NEW CERT]]></Info>
        <BootStrap>
          <Info><![CDATA[GetBestManagedCredentialByType return the cred: 00000000, type:certificate, userId:OCS]]></Info>
          <Info><![CDATA[Bootstrap task queued]]></Info>
          <Info><![CDATA[Starting bootstrap task: baseUrl=https://SFB-FE1.test.com:443/CertProv/CertProvisioningService.svc, invalidRootCerts=0, deviceId=070F08BC-E057-5067-AE8B-9D05DA2B2205, cert=00000000]]></Info>
          <Info><![CDATA[Changed CBootstrapper status [10002] -> [10000]]]></Info>
          <Info><![CDATA[Changed CBootstrapper status [10000] -> [10001]]]></Info>
          <GetAndPublishCert>
            <Info><![CDATA[ExecuteWithMetadataInternal, asyncContext=0D1331A0,
     context: WebRequest context@ :221099992
      MethodType:8
      ExecutionComplete? :0
      Callback@ :0765B8A4
      AsyncHResult:0
      TargetUri:https://SFB-FE1.test.com:443/CertProv/CertProvisioningService.svc

    .]]></Info>
            <Info><![CDATA[Executing wws method with no auth auth, asyncContext=0D1331A0,
     context: WebRequest context@ :220690040
      MethodType:0
      ExecutionComplete? :0
      Callback@ :0D238730
      AsyncHResult:0
      TargetUri:https://SFB-FE1.test.com/CertProv/CertProvisioningService.svc/mex

    .]]></Info>
            <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x07656E98 id=8 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
            <ExecuteWithWindowsOrNoAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.1</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithWindowsOrNoAuthInternal>
            <ExecuteWithMetadataInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.2</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithMetadataInternal>
            <Info><![CDATA[Executing wws method with no auth auth, asyncContext=0D1331A0,
     context: WebRequest context@ :220690040
      MethodType:0
      ExecutionComplete? :1
      Callback@ :0D238730
      AsyncHResult:3d0000
      TargetUri:https://SFB-FE1.test.com/CertProv/CertProvisioningService.svc/mex

    .]]></Info>
            <ExecuteWithWindowsOrNoAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.3</SequenceID>
              <hr>0x0</hr>
            </ExecuteWithWindowsOrNoAuthInternal>
            <Info><![CDATA[ExecuteWithMetadataInternal, asyncContext=0D1331A0,
     context: WebRequest context@ :221099992
      MethodType:8
      ExecutionComplete? :0
      Callback@ :0765B8A4
      AsyncHResult:3d0000
      TargetUri:https://SFB-FE1.test.com:443/CertProv/CertProvisioningService.svc

    .]]></Info>
            <Info><![CDATA[Executing Token Auth method, TokenProviderType=0, asyncContext=0D1331A0,
     context: WebRequest context@ :221099992
      MethodType:2
      ExecutionComplete? :0
      Callback@ :0765B8A4
      AsyncHResult:3d0000
      TargetUri:https://sfb-fe1.test.com/CertProv/CertProvisioningService.svc/WebTicket_Proof

    .]]></Info>
            <Get-NewWebTicket>
              <Info><![CDATA[ExecuteWithMetadataInternal, asyncContext=0D1331A0,
     context: WebRequest context@ :222570896
      MethodType:9
      ExecutionComplete? :0
      Callback@ :0D391B14
      AsyncHResult:0
      TargetUri:https://sfb-fe1.test.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
              <Info><![CDATA[Executing wws method with no auth auth, asyncContext=0D1331A0,
     context: WebRequest context@ :222580488
      MethodType:0
      ExecutionComplete? :0
      Callback@ :0D238730
      AsyncHResult:0
      TargetUri:https://sfb-fe1.test.com/WebTicket/WebTicketService.svc/mex

    .]]></Info>
              <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x07656E98 id

    ---------------------------------------------------------------------------------------------------------------------------------------

    06/06/2018|15:55:05.939 D68:D6C INFO  :: Data Received -128.128.2.162:5061 (To Local Address: 172.16.16.9:49203) 887 bytes:
    06/06/2018|15:55:05.939 D68:D6C INFO  :: 
    SIP/2.0 401 Unauthorized
    Date: Wed, 06 Jun 2018 12:55:29 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="SFB-FE1.test.com", version=4
    WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/SFB-FE1.test.com", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="SFB-FE1.test.com", version=4, sts-uri="https://SFB-FE1.test.com:443/CertProv/CertProvisioningService.svc"
    From: <sip:sfbtest1@test.com>;tag=9511f6025c;epid=9f7ca812eb
    To: <sip:sfbtest1@test.com>;tag=1453501B659AD178E4E331F5F09033DB
    Call-ID: 8bf0213ae833407d968e2c01f0e86e66
    CSeq: 4 REGISTER
    Via: SIP/2.0/TLS 172.16.16.9:49203;ms-received-port=49203;ms-received-cid=3E00
    ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="SFB-FE1.test.com"
    Server: RTC/6.0
    Content-Length: 0

    06/06/2018|15:55:05.939 D68:D6C INFO  :: End of Data Received -128.128.2.162:5061 (To Local Address: 172.16.16.9:49203) 887 bytes

    Wednesday, June 6, 2018 9:02 PM

Answers

  • Hi Leon,

    the infrastructure is in coexistence state and we didn't start moving production users.

    while testing the services with pilot users i was facing the issues.

    The issues are resolved now, please find the below details

    1) unable to login to SFB control panel using the name of the  sfb server, i am getting the credential popup and unable to login, but if i tried to login using the ip address of the sfb server , login is successful without any issue

    change the authentication provider order under windows authentication for the virtual directory CSCP in lync internal web site, move the NTLM to the top 

    2) SFB pool users are able to phones and able to make pstn calls but users are unable to login to SFB client getting error message " login credential erroor" but the same user can login to lync 2010 

    3) using SFB client lync 2010 pool users are able to login

    4)tried to manually configure the client to point sfb server and tried to login ,but login failed

    While runnig Test-CsKerberosAccountAssignment -Identity "site:Sitename" , sfb server showing error with the kerbers account, 

    reset the passord for the account

    Set-CsKerberosAccountPassword -UserAccount "account name"

    enable-cstopology

    after that replicated the password from sfb to lync pool

    Set-CsKerberosAccountPassword -FromComputer sfbservername -ToComputer lync server name

    enable-cstopology

    after the above procedure, sfb users are able to login without any issue


    • Marked as answer by sarmakumar Friday, June 8, 2018 6:36 PM
    Thursday, June 7, 2018 1:04 PM

All replies

  • Hi sarmakumar,

    Could you give me the reasons about currently the dns records are pointing to lync server?

    If you have depoly a new SFB server ,please operate the follow steps.

    1. Migrate users and user’s data from legacy pool to Skype for Business Pool
    2. Migrate conference data to Skype for Business
    3. Migrate CMS to Skype for Business
    4. Decommission legacy Lync pool and hardware
    5. Enjoy Skype for Business!

    1. unable to login to SFB control panel using the name of the  sfb server, i am getting the credential popup and unable to login, but if i tried to login using the ip address of the sfb server , login is successful without any issue

    did you add the A record for your new SFB server in the exteranl DNS?if no,please add it.

          2) SFB pool users are able to phones and able to make pstn calls but users are unable to login to SFB client getting error message " login credential erroor" but the same user can login to lync 2010 

                    Please check the Edge server’s certifiate and SFB ‘s FE certifiate,check the SN and SAN  like the following screenshot.

    You also could refer to this link about migrate the Lync 2010 to SFB 2015

    https://synchedup.co.uk/2015/07/02/demystifying-migrations-strategies-from-lync-to-skype-for-business/


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, June 7, 2018 8:10 AM
  • Hi Leon,

    the infrastructure is in coexistence state and we didn't start moving production users.

    while testing the services with pilot users i was facing the issues.

    The issues are resolved now, please find the below details

    1) unable to login to SFB control panel using the name of the  sfb server, i am getting the credential popup and unable to login, but if i tried to login using the ip address of the sfb server , login is successful without any issue

    change the authentication provider order under windows authentication for the virtual directory CSCP in lync internal web site, move the NTLM to the top 

    2) SFB pool users are able to phones and able to make pstn calls but users are unable to login to SFB client getting error message " login credential erroor" but the same user can login to lync 2010 

    3) using SFB client lync 2010 pool users are able to login

    4)tried to manually configure the client to point sfb server and tried to login ,but login failed

    While runnig Test-CsKerberosAccountAssignment -Identity "site:Sitename" , sfb server showing error with the kerbers account, 

    reset the passord for the account

    Set-CsKerberosAccountPassword -UserAccount "account name"

    enable-cstopology

    after that replicated the password from sfb to lync pool

    Set-CsKerberosAccountPassword -FromComputer sfbservername -ToComputer lync server name

    enable-cstopology

    after the above procedure, sfb users are able to login without any issue


    • Marked as answer by sarmakumar Friday, June 8, 2018 6:36 PM
    Thursday, June 7, 2018 1:04 PM