Can no longer login on to S4B, stops at WebTicket_Proof request

  • Question

  • All of a sudden I can no longer login to my S4B's account on my pc. Let me summarize the situation:

    • Domain joined W10 (build 10.0.16299) pc with latest CU's
    • running Office Click to run version 9226.2156 (current version)
    • running S4B 2015 on premise servers
    • My pc alone cannot logon
    • happened suddenly perhaps after an update?
    • tried with different pc's (non domain joined) and it works
    • other users also cannot logon to S4B on my pc
    • On the other hand I can login just fine on my pc when using an account from a different forest altogether

    What I have tried so far:

    • Clear the SIP cache under appdata lync folder
    • Removed the registry entries for the sip account
    • delete the auth cert that gets downloaded during logon (I actually get an auth certificate just fine from the webticket service)
    • Disabled firewalls, disabled antivirus
    • Reset Internet Explorer settings
    • Changed Password
    • emptied host file
    • flushed dns cache
    • Only tried externally, not internally
    • Completely removed and cleaned up Office with the fixit tool and reinstalled it
    • Removed files under AppData\Roaming\Microsoft\Crypto
    • Removed all keys under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\

    Nothing seemed to have helped. When I look at what happens with Fiddler the communication just stops after I receive the authentication cert which gets published to my pc's personal cert store just fine :

    S4B then just throws an error with the following Sign-in logs:

    1 Login: FAIL (hr = 0x1) 
    
       VerifyOnEnableEvent result return ONENABLE_FAIL_AUTH_FAIL
       status=0x80ef0191
       authWebserviceBaseUrl=https://S4BWe*********.com:443/CertProv/CertProvisioningService.svc
        ACTION: AUTH FAIL
    Doing logon attempt with data:
       currState=AboutToLogIn
       sipUri=******.******@******.com
       server=sip.******.com:443, external, discovered
       authModes=0x1000c
       proxyAuthModes=0x3f
       epFlags=200
       withAutoRetrials=0
       credsAvailability=WaitForNewCreds
       newState=AboutToLogIn
       statusCode=0
    1.1 Lync-autodiscovery: PASS
    1.1.1 Get-NewWebTicket: PASS
    1.1.1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    this request needs authentication, trying webticket from: https://s4bwe*********.com/WebTicket/WebTicketService.svc
    1.1.1.2 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    this request needs authentication, trying webticket from: https://s4bwe*********.com/WebTicket/WebTicketService.svc
    1.1.1.3 ExecuteWithWindowsOrNoAuthInternal: PASS
    1.1.1.4 ExecuteWithTokenAuthInternal: FAIL (hr = 0x3d0000) 
    Executing Token Auth method, TokenProviderType=2, asyncContext=000002DA35C11040,
     context: WebRequest context@ :902245392
      MethodType:5
      ExecutionComplete? :1
      Callback@ :000002DA35A85D48
      AsyncHResult:3d0000
      TargetUri:https://s4bwe*********.com/WebTicket/WebTicketService.svc/cert
      OperationName:http://tempuri.org/:IWebTicketService
    
    .
    1.1.1.5 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    Executing Token Auth method, TokenProviderType=2, asyncContext=000002DA35C11040,
     context: WebRequest context@ :902245392
      MethodType:5
      ExecutionComplete? :1
      Callback@ :000002DA35A85D48
      AsyncHResult:3d0000
      TargetUri:https://s4bwe*********.com/WebTicket/WebTicketService.svc/cert
      OperationName:http://tempuri.org/:IWebTicketService
    
    .
    1.1.1.6 ExecuteWithTokenAuthInternal: PASS
    1.2 BootStrap: PASS
    1.2.1 GetAndPublishCert: PASS
    1.2.1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with no auth auth, asyncContext=000002DA35A57DC0,
     context: WebRequest context@ :902176608
      MethodType:0
      ExecutionComplete? :1
      Callback@ :000002DA35624CE0
      AsyncHResult:3d0000
      TargetUri:https://S4BWe*********.com/CertProv/CertProvisioningService.svc/mex
    
    .
    1.2.1.2 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with no auth auth, asyncContext=000002DA35A57DC0,
     context: WebRequest context@ :902176608
      MethodType:0
      ExecutionComplete? :1
      Callback@ :000002DA35624CE0
      AsyncHResult:3d0000
      TargetUri:https://S4BWe*********.com/CertProv/CertProvisioningService.svc/mex
    
    .
    1.2.1.3 ExecuteWithWindowsOrNoAuthInternal: PASS
    1.2.1.4 ExecuteWithTokenAuthInternal: FAIL (hr = 0x3d0000) 
    Executing Token Auth method, TokenProviderType=0, asyncContext=000002DA35A57DC0,
     context: WebRequest context@ :902562304
      MethodType:2
      ExecutionComplete? :1
      Callback@ :000002DA32A47288
      AsyncHResult:3d0000
      TargetUri:https://s4bwe*********.com/CertProv/CertProvisioningService.svc/WebTicket_Proof
    
    .
    1.2.1.5 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    Executing Token Auth method, TokenProviderType=0, asyncContext=000002DA35A57DC0,
     context: WebRequest context@ :902562304
      MethodType:2
      ExecutionComplete? :1
      Callback@ :000002DA32A47288
      AsyncHResult:3d0000
      TargetUri:https://s4bwe*********.com/CertProv/CertProvisioningService.svc/WebTicket_Proof
    
    .
    1.2.1.6 ExecuteWithTokenAuthInternal: PASS

    I could not check the server logs sadly as I do not have access to this, however the support guy that briefly did saw a similar logon failure on the server side. 



    • Edited by Najib br Monday, May 21, 2018 5:14 PM
    Monday, May 21, 2018 5:11 PM
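
Added example, not part of the original post: a small Python parser for the step tree in the sign-in log above, separating failures that were retried successfully from the one that was not. The sample is constructed from abridged lines of that log; treating a FAIL as recovered when its parent or a later same-named sibling reports PASS is an assumption about the log's semantics.

```python
import re

# Constructed sample: lines abridged from the sign-in log in the post above.
SAMPLE_LOG = """\
1 Login: FAIL (hr = 0x1)
   VerifyOnEnableEvent result return ONENABLE_FAIL_AUTH_FAIL
   status=0x80ef0191
1.1 Lync-autodiscovery: PASS
1.1.1 Get-NewWebTicket: PASS
1.1.1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
1.1.1.3 ExecuteWithWindowsOrNoAuthInternal: PASS
1.1.1.4 ExecuteWithTokenAuthInternal: FAIL (hr = 0x3d0000)
1.1.1.6 ExecuteWithTokenAuthInternal: PASS
1.2 BootStrap: PASS
1.2.1 GetAndPublishCert: PASS
1.2.1.4 ExecuteWithTokenAuthInternal: FAIL (hr = 0x3d0000)
1.2.1.6 ExecuteWithTokenAuthInternal: PASS
"""

STEP = re.compile(r"^\s*(\d+(?:\.\d+)*) ([\w-]+): (PASS|FAIL)(?: \(hr = (0x[0-9a-fA-F]+)\))?")

def parse_steps(text):
    steps = []
    for line in text.splitlines():
        m = STEP.match(line)
        if m:  # numbered step header, e.g. "1.2.1 GetAndPublishCert: PASS"
            steps.append({"id": m.group(1), "name": m.group(2),
                          "result": m.group(3), "hr": m.group(4), "detail": []})
        elif steps and line.strip() not in ("", "."):
            steps[-1]["detail"].append(line.strip())  # detail belongs to the last step
    return steps

def unrecovered_failures(steps):
    """Assumption: a FAIL is recovered if its parent or a later same-named sibling PASSed."""
    by_id = {s["id"]: s for s in steps}
    out = []
    for i, s in enumerate(steps):
        parent_id = s["id"].rpartition(".")[0]
        parent_ok = by_id.get(parent_id, {}).get("result") == "PASS"
        retried = any(t["name"] == s["name"] and t["result"] == "PASS"
                      and t["id"].rpartition(".")[0] == parent_id for t in steps[i + 1:])
        if s["result"] == "FAIL" and not (parent_ok or retried):
            out.append(s)
    return out

def fields(step):
    """Collect key=value detail lines (e.g. status=...) of one step."""
    return dict(d.split("=", 1) for d in step["detail"] if "=" in d)
```

On this log the only unrecovered failure is the top-level `1 Login` step with `status=0x80ef0191`; every web-ticket and certificate-provisioning sub-step ends in PASS.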

All replies

  • Check telnetting to the SfB pool at 5061. If it works, then maybe you need to install the certificate.
    Monday, May 21, 2018 8:55 PM
  • Telnet works fine, however it seems like the s4b client never attempts to connect to the pool as this address (sip.domain.com) is never mentioned in the fiddler trace (only in the autodiscover response), unless fiddler does not pick this up as it would not be http/s traffic. The certificate is also a public CA certificate from digicert which seems to be valid according to my pc:

    Also would like to mention that event viewer shows nothing special when login attempt happens. And I also compared the trace logs between the working external forest account and could hardly see a difference.

    • Edited by Najib br Monday, May 21, 2018 9:51 PM
    Monday, May 21, 2018 9:43 PM
  • Hi Najib,


    Did you enable VPN, firewall and anti-virus software? Please close them, then log in to SFB.

    You could try the Skype for Business Basic version and run a test.

    https://www.microsoft.com/en-us/download/details.aspx?id=49440



    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Tuesday, May 22, 2018 6:49 AM
  • As mentioned in my first post I have disabled windows firewall and windows defender (no other fw or av is used) but this did not help. Also not connected to a VPN.
    Tuesday, May 22, 2018 9:40 AM
  • Just thinking out loud, if the computer is perhaps no longer trusted because it hasn't been on the domain for a while, could this perhaps cause this issue? I wonder why/how though as the computer account is not used during the authentication flow as far as I'm aware?
    Tuesday, May 22, 2018 10:25 AM
  • Hi Najib,

    You could try to disable your SFB account in your SFB control panel, then re-enable it.

    If you re-enable the account but the issue still exists, you could also try to join the domain and run a test.


    Best Regards,
    Leon Lu



    Wednesday, May 23, 2018 8:38 AM
  • Disabling and enabling the account does not help. Also remember that signing in is not possible with any account, so the accounts are not at fault here. The pc IS domain joined, however I haven't been on the domain for a few weeks.
    Wednesday, May 23, 2018 9:19 PM
  • Hi Najib,

    Based on your log, please try to delete the personal certificate (issued by Communications Server) as in the following screenshot, then log in to the SFB client again.

    You could perform a clean boot in Windows. This helps eliminate software conflicts that occur when you install a program or an update or when you run a program in Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.

    Did you try to use the Skype for Business Basic version?

    If the above steps did not work, please try to reinstall the Windows 10 OS.


    Best Regards,
    Leon Lu



    Monday, May 28, 2018 9:55 AM
  • Hi,


    Is there any update on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu



    Monday, May 28, 2018 1:16 PM