External user login mobile and desktop clients

  • Question

  • Hi. 

    I've been upgrading an on-prem Lync 2013 to Skype for Business. 

    Old environment was built up by:

    1 Lync 2013 FE Std. edition
    1 Edge Server
    1 Mediation Server
    1 Reverse Proxy Server

    New environment:
    1 Skype for Business FE enterprise edition.
    1 Edge Server
    1 Mediation Server

    Public certificate is assigned on the Reverse Proxy and Edge Server. 

    DNS has been changed (both internal and external) and Reverse Proxy reconfigured. Internal login, IM, Enterprise Voice and federation are all working, but external sign-in from desktop clients and mobiles is not. 



    Error from testconnectivity.microsoft.com: 


    Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
    Error Type: RegisterException.
    Deregister Reason: None.
    Response Code: 503.
    Response Text: Service unavailable.

    I am also able to Telnet the external edge interface. When trying to sign in with a client I'm getting the error "You didn't get signed in. It might be your sign-in address or logon credentials, so try those again. If that doesn't work, contact your support team".

    Log from client display error:

     Error:
    There was an error communicating with the endpoint at 'https://webext.domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.




    When tracing with Wireshark I see that traffic is coming in to the reverse proxy and being sent from the Reverse Proxy to the Front End server. 

    Does the public certificate need to be assigned on the Front End?

    I'm not sure how to proceed here and could really use some help. 




    • Edited by marrav Sunday, March 5, 2017 10:54 AM
    Saturday, March 4, 2017 4:51 PM

Answers

  • The issue has now been resolved. 

    Seems the problem was either certificates (wizard told they were valid) or something in the FE configuration. 

    I did a new certificate request, and a reboot of the FE, and after reboot both external and new users could log in. 

    Thanks for replies!

    • Marked as answer by marrav Monday, March 6, 2017 6:02 PM
    Monday, March 6, 2017 6:02 PM

All replies

  • Hi 

    I guess the CNAME records for a few public DNS entries are causing this issue. 

    Check your public CNAME records for sip.domain.com, lyncdiscover.domain.com and meet.domain.com. 

    Mostly, rechecking and correcting your public DNS entries will solve this issue. 


    Thanks, Sathish (MVP)

    Monday, March 6, 2017 7:19 AM
  • Hi marrav,

    Please check if you have configured a static route between the Edge server and the FE to make sure the Edge server can communicate with the FE server. Also check the connection between the FE server and the reverse proxy. On the Edge server, make sure all Skype for Business services are running.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 6, 2017 7:24 AM
  • Hi. 

    DNS records seem fine (Log in requests are reaching the front end server). 

    I see this error in the event log on the FE:

    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000005E
    Sub Status: 0x0

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    Monday, March 6, 2017 7:36 AM
  • Hi. 

    There is a static route configured to the subnet where the FE is located and all services on Edge are running. Connection between FE and RP also seems fine (resolves ping), I can see the log on requests in the event viewer on FE with Audit failure:

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:  xx
    Account Domain: XX

    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000005E
    Sub Status: 0x0

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: xx
    Source Network Address: x.x.x.x
    Source Port: 64696

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


    Edit: After further investigation, this seems to apply to all devices that are not domain joined, and the error above applies both with wrong and correct password. Could it be IIS?
    • Edited by Lebecks1 Monday, March 6, 2017 8:40 AM
    Monday, March 6, 2017 7:45 AM
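
Added example (not part of any post in this thread, and not Microsoft code): a Python parser for event 4625 text in the layout pasted above, which separates failures whose Status blames the credentials from those, like 0xC000005E (documented as STATUS_NO_LOGON_SERVERS), that the server raises whatever password is sent. The function names, the account `alice` and the sample event are constructed for illustration.

```python
NTSTATUS = {  # Status value -> (documented NTSTATUS name, what it blames)
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "infrastructure"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "credential"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "credential"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "credential"),
}

def parse_event(text):
    """Parse 'Field: value' lines into {(section, field): value}."""
    fields, section = {}, ""
    for line in text.splitlines():
        if not line.strip():
            section = ""          # a blank line ends the current section
            continue
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue              # free text such as the event title
        if value.strip():
            fields[(section, key)] = value.strip()
        else:
            section = key         # a header such as "Failure Information:"
    return fields

def triage(text):
    """Return (account, package, status name, blame) for one event."""
    f = parse_event(text)
    status = int(f[("Failure Information", "Status")], 16)
    name, blame = NTSTATUS.get(status, (hex(status), "unknown"))
    account = f.get(("Account For Which Logon Failed", "Account Name"))
    package = f.get(("Detailed Authentication Information", "Authentication Package"))
    return account, package, name, blame

# Constructed sample in the layout shown in the thread (values are made up).
SAMPLE = """An account failed to log on.

Subject:
Account Name: -

Logon Type: 3

Account For Which Logon Failed:
Account Name: alice

Failure Information:
Status: 0xC000005E

Detailed Authentication Information:
Authentication Package: NTLM
"""
print(triage(SAMPLE))
```

An "infrastructure" verdict across several accounts points the investigation at the server's own configuration and its path to a domain controller rather than at the users' passwords.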
  • Update on the issue:

    This now also seems to be an issue for newly created users. Also, admins are unable to access the Skype control panel through the /cscp link. 

    Monday, March 6, 2017 1:23 PM
  • Hi marrav,

    Thanks for getting back and sharing your solution; your sharing will help someone who has a similar issue find this thread as soon as possible.


    Best Regards,
    Jim Xu
    TechNet Community Support



    Tuesday, March 7, 2017 9:58 AM