locked
SFB Server 2015 - Test-CsPhoneBootStrap RRS feed

  • Question

  • Hi,

    I meet an issue relating a fresh SFB deployment on Windows Server 2016 platform. At firts except some problems due to Windows Server 2016 platform recently approved such as ISS rewrite module, CLS Logging Tools..

    After fix this minor problems everything was worked well.

    Next day, after the delivery of new Yealink phones , I tried to register them unsuccessful manner for unknow reason (DHCP configuration using DHCP Util is OK and check again).

    I tried to troubleshoot the problem using Test-CsPhoneBootStrap cmd PS with the result as below.

    In the result, I don't understand  :

    • Error Message : Unable to perform authentication of credentials.
                      Inner Exception:ComputeSignature failed. -2147024662

    I compared to my lab, at the end of the sequence it seems to miss :        

    1. Registration Request hit against plume.domain.local
    2. 'Register' activity completed in '0.XXXXXXX' seconds.

    Thanks for your help

    Gerald

    PS C:\Users\Admin> Test-CsPhoneBootstrap -PhoneOrExtension 9999 -PIN 0000 -Verbose
    VERBOSE: Workflow Instance Id 'f39e1c6c-f3f3-4543-ba98-ca9119eee630', started.
    VERBOSE: Command line executed is 'Test-CsPhoneBootstrap -PhoneOrExtension 9999 -PIN 0000 -Verbose'.


    Target Fqdn   : plume.domain.local
    Target Uri    : https://plume.domain.local:443/CertProv/CertProvisioningService.svc
    Result        : Failure
    Latency       : 00:00:01.6161897
    Error Message : Unable to perform authentication of credentials.
                    Inner Exception:ComputeSignature failed. -2147024662

    Diagnosis     :


    VERBOSE: Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' started.
    Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' completed in '0.0003907' seconds.
    Target server Fqdn or web service Url not provided. Will have to do DHCP Registrar Discovery.
    An exception 'Unable to perform authentication of credentials.' occurred during Workflow
    Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow execution.
    Exception Call Stack:    at Microsoft.Rtc.Signaling.SipAsyncResult`1.ThrowIfFailed()
       at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)
       at Microsoft.Rtc.SyntheticTransactions.Activities.RegisterActivity.InternalExecute(ActivityExecutionContext
    executionContext)
       at Microsoft.Rtc.SyntheticTransactions.Activities.SyntheticTransactionsActivity.Execute(ActivityExecutionContext
    executionContext)
       at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
       at System.Workflow.Runtime.Scheduler.Run()
       at Microsoft.Rtc.Internal.Sip.SipAuthenticationHelper.SignString(SecurityAssociationBase sa, String stringToSign,
    String& signatureString)
       at Microsoft.Rtc.Internal.Sip.ProtocolAuth.SignStringWithSA(String signatureString, SecurityAssociation sa)
       at Microsoft.Rtc.Internal.Sip.ProtocolAuth.DoProtocolOutgoingNegotiation(SecurityAssociation sa, SipMessage message,
     ChallengeData challengeData)
       at Microsoft.Rtc.Internal.Sip.AuthenticationControlModule.NegotiateSecurityAssociation(SecurityAssociation sa,
    SipMessage message, NegotiateArgs negotiateArguments)
    'DHCPDiscover' activity started.
    Starting DHCP registrar discovery...
    Constructing a DHCP packet.
    Adding DHCP option PARAMETER_REQUEST_LIST.
    Successfully added DHCP option.
    Adding DHCP option VENDOR_CLASS_IDENTIFIER.
    Successfully added DHCP option.
    Successfully constructed DHCP packet.
    Trying to open an udp connection.
    Remote IP : 255.255.255.255.
    Local IP : 192.168.8.252.
    Creating a new UDP client.
    Udp connection successfully created.
    Sending packet.
    Remote IP : 255.255.255.255.
    Remote Port : 67.
    Packet sent successfully.
    DHCP discovery message send. Waiting for DHCP servers to respond.
    Data received successfully.
    Remote IP : 192.168.8.232.
    Remote Port : 67.
    Response received for the DHCP Discovery message.
    Constructing a DHCP packet from received raw data.
    Extracting DHCP Options.
    Successfully constructed DHCP packet.
    Return value for DHCP option : SIP_SERVER.
    Found registrar Fqdn : plume.domain.local.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1 - MS-UC-Client.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2 - https.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3 - plume.domain.local.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4 - 443.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5 - /CertProv/CertProvisioningService.svc.
    Successfully extracted sub option value.
    Found web service Url : https://plume.domain.local:443/CertProv/CertProvisioningService.svc.
    Disconnecting.
    DHCP registrar discovery activity completed successfully.
    'DHCPDiscover' activity completed in '1.053702' seconds.
    'GetRootCertChains' activity started.
    Trying to download a certificate chain from web service.
    Web Service Url : http://plume.domain.local/CertProv/CertProvisioningService.svc
    Certificate chain downloaded successfully.
    'GetRootCertChains' activity completed in '0.0983659' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://plume.domain.local:443/WebTicket/WebTicketService.svc
    Using PIN authentication with Phone\Ext : 9999 Pin : 0000
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:Plume.domain.local

    X-MS-Correlation-Id:2147484922

    client-request-id:6e4682d2-3772-439a-bbc1-cd607bf8bc74

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2228

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sun, 23 Jul 2017 18:44:08 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0785498' seconds.
    'ResolveUser' activity started.
    Starting ResolveUser activity using Web Ticket.
    Web Service Url : https://plume.domain.local:443/CertProv/CertProvisioningService.svc
    Found user : sip:g.cheminant@domain.fr
    Setting sip uri 'sip:g.cheminant@domain.fr' back to parent workflow.
    ResolveUser activity completed.
    'ResolveUser' activity completed in '0.0840103' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://plume.domain.local:443/WebTicket/WebTicketService.svc
    Using PIN authentication with Phone\Ext : 9999 Pin : 0000
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:Plume.domain.local

    X-MS-Correlation-Id:2147484924

    client-request-id:1e7beb67-7d1a-4ead-9250-e983f40eccca

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2232

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sun, 23 Jul 2017 18:44:08 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.039111' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : g.cheminant@domain.frendpoint : STEpid
    Web Service Url : https://plume.domain.local:443/CertProv/CertProvisioningService.svc
    Cert Provisioning response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:Plume.domain.local

    X-MS-Correlation-Id:2147484925

    client-request-id:379f3fed-cc43-4690-83e7-220aa9423209

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    Content-Length:3228

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sun, 23 Jul 2017 18:44:09 GMT

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.2624507' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = plume.domain.local
       User Sip Address = sip:g.cheminant@domain.fr
       Registrar Port = No Port is provided..
    Authentication Type 'Certificate' is selected.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0327901' seconds.
    VERBOSE: Workflow Instance ID 'f39e1c6c-f3f3-4543-ba98-ca9119eee630' completed.
    VERBOSE: Workflow run-time (sec): 3.1988078.


    Gerald Cheminant

    Tuesday, July 25, 2017 6:21 PM

All replies

  • Hi gerald_che,

    Based on your description, I understand that you can’t use Yealink phone for your Skype for Business server, is that right?

    Did this issue happen to all IP phones for your environment ?

    For your information, it may be something wrong with your certificate.

    1.Make sure that the phones are able to reach the Lync FE Server on HTTP 80 in addition to HTTPS 443 as Lync Phone Edition device use TCP 80 initially to connect to the Lync web services to download the root certificate chain.2.Please check if you set AlternateSignatureAlgorithm=1 in the file CAPolicy.inf, if yes, try to change the registry key on your Enterprise CA server. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSPvalue AlternateSignatureAlgorithm from 1 to 0 and restart CA service


    Regards,

    Alice Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 26, 2017 6:32 AM
  • Hi Alice,

    Thanks for your update.

    Exactly I can't register Yealink IP Phone.

    The certificate from PKI is correctly downloaded by the Yealink phone (I can see certifcate in web management of Yealink phone). Then I think is not a problem about certificate.

    Using Test-CsPhoneBootStrap command, I don't see full registration request:

    • In customer site :

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.1022695' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = plume.domain.local
       User Sip Address = sip:g.cheminant@domain.fr
       Registrar Port = No Port is provided..
    Authentication Type 'Certificate' is selected.

    .....

    !!! <No Registration Request> !!!

    ....
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0002206' seconds.
    VERBOSE: Workflow Instance ID '403d8078-218d-4c57-905a-01cf525a9b7d' completed.
    VERBOSE: Workflow run-time (sec): 1.8876033.

    • In my lab :

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.6295375' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = virt-skypefe-01.domain.local
       User Sip Address = sip:gerald.cheminant@domain.com
       Registrar Port = No Port is provided..
    Authentication Type 'Certificate' is selected.
    Registration Request hit against VIRT-SKYPEFE-01.domain.local.
    'Register' activity completed in '7.6648965' seconds.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.5304408' seconds.
    VERBOSE: Workflow Instance ID '143a8358-acd1-47a0-8e38-b21752dd2be7' completed.
    VERBOSE: Workflow run-time (sec): 13.5772177.

    More over, using sniffer on FE server, DHCP request and answer is OK (sub-options 1,2,3,4,5 and options 120 with FE FQDN).

    I don't understand why there is no registration request in customer site.

    Thanks for your helpGérald


    Gerald Cheminant

    Wednesday, July 26, 2017 11:47 AM
  • In addition, I tried Test-CsRegistration

    PS C:\Users\Adminabc> Test-CsRegistration -TargetFqdn plume.domain.local -UserCredential $cred1 -UserSipAddress "sip:g.cheminant@domain.fr"
    Target Fqdn   : plume.bct.local
    Result        : Success
    Latency       : 00:00:02.0681741
    Error Message :
    Diagnosis     :

    With ClientCertificate Authentication, the result is also failure with the same error message

    PS C:\Users\Adminabc> Test-CsRegistration -TargetFqdn plume.domain.local -UserCredential $cred1 -UserSipAddress "sip:g.cheminant@domain.fr" -Authentication ClientCertificate

    Target Fqdn   : plume.domain.local
    Result        : Failure
    Latency       : 00:00:00.6509297
    Error Message : Unable to perform authentication of credentials.
                    Inner Exception:ComputeSignature failed. -2147024662

    Diagnosis     :

    Gérald


    Gerald Cheminant

    Wednesday, July 26, 2017 11:57 AM
  • I check CA and signature algorithm is SHA256RSA and not RSA-ASS-PSS then it should work fine.

    Again using Test-CsPhoneBootStrap, we can see in CLS Logs the information below :

    TL_INFO(TF_COMPONENT) [plume\plume]FB80.2C2C::07/26/2017-14:44:09.082.0000221E (WebInfrastructure,KeyManagerBase.IsValidForSigning:webticketkeystore.cs(662))

    (00000000028B0C66)Key is not valid for signing, has been in rotation too long: <key.Id, 8d4d420bef1d344> <TimeInRotation, 01:22:26.7174766>

    Gérald


    Gerald Cheminant

    Wednesday, July 26, 2017 3:28 PM
  • Hi,
    I'm facing same issue.
    Did you managed to resolve it?
    Monday, December 11, 2017 4:48 PM
  • I am also facing the same issue , SFB on windows server 2016

     MY CA is on win2016DC & CNGhashalgorith used on is SHA256 [ the default] , all clients & servers trust the CA

    Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com" -UserCredential $cred1

    Result        : Success

     Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com"
     -UserCredential $cred1 -Authentication ClientCertificate

    Error Message : Unable to perform authentication of credentials.
                    Inner Exception:ComputeSignature failed. -2147024662

    I could successfully login from SFB client as user "b" , and verified the user get a certificate in the client

    /one thing I noticed in the client certificate information in the general tab, it shows "windows does not have enough information to verify this certificate"............certificate issued by communication server...

    All my clients trust the enterprise root CA which issued cert to all FE servers

    no cert errors on SFB clients when users sign in

    Only error is with Test-CsRegistration/Test-Csauthentication commands

    Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com" -UserCredential $cred1 -Authentication ClientCertificate -Verbose
    VERBOSE: Reading Registrar port from topology process started.
    VERBOSE: Reading Registrar port '5061' from topology process successfully finished.
    VERBOSE: Workflow Instance Id 'ae7f0023-4c04-4f8f-b9c6-9f5db69ebbf6', started.
    VERBOSE: Command line executed is 'Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com" -UserCredential $cred1
    -Authentication ClientCertificate -Verbose'.


    Target Fqdn   : dxbpool.krishna.com
    Result        : Failure
    Latency       : 00:00:00.4144779
    Error Message : Unable to perform authentication of credentials.
                    Inner Exception:ComputeSignature failed. -2147024662

    Diagnosis     :


    VERBOSE: Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow' started.
    Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow' completed in '5.04E-05' seconds.
    Error Detail: Unable to perform authentication of credentials.
    Inner Exception:ComputeSignature failed. -2147024662

     Diagnosis:

    An exception 'Unable to perform authentication of credentials.' occurred during Workflow Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow
    execution.
    Exception Call Stack:    at System.Workflow.ComponentModel.ThrowActivity.Execute(ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
       at System.Workflow.Runtime.Scheduler.Run()
       at Microsoft.Rtc.Internal.Sip.SipAuthenticationHelper.SignString(SecurityAssociationBase sa, String stringToSign, String& signatureString)
       at Microsoft.Rtc.Internal.Sip.ProtocolAuth.SignStringWithSA(String signatureString, SecurityAssociation sa)
       at Microsoft.Rtc.Internal.Sip.ProtocolAuth.DoProtocolOutgoingNegotiation(SecurityAssociation sa, SipMessage message, ChallengeData challengeData)
       at Microsoft.Rtc.Internal.Sip.AuthenticationControlModule.NegotiateSecurityAssociation(SecurityAssociation sa, SipMessage message, NegotiateArgs
    negotiateArguments)
    'RegisterActivity2' sequence activity started.
    'RegisterActivity2' sequence activity completed in '1.34E-05' seconds.
    Retrying... (1 of 3)
    Retrying... (2 of 3)
    Retrying... (3 of 3)
    'ClientAuth' sequence activity started.
    'ClientAuth' sequence activity completed in '2.42E-05' seconds.
    Using certificate Auth.
    'GetSTSUri' activity started.
    Starting STS Uri Discovery...

    Get Sts Uri Activity : Internal Execute: Sip Uri=sip:b@krishna.com

    Get Sts Uri Activity : Internal Execute: Autodiscover result: Is Internal = False

    Enter Get Sts Uri Activity : Get STS Uri Via Autodiscover : Sip Uri=sip:b@krishna.com ; Is Internal= False

    Get Sts Uri Activity : Get STS Uri Via Autodiscover : User Resources is NULL. Check if Autodiscover was Enabled and it succeeded.

    Get Sts Uri Activity : Internal Execute: Sts Uri from Get STS Uri Via Autodiscover =

    Enter Get Sts Uri Activity : Get STS Uri: Sip Uri=sip:b@krishna.com ; Fqdn=dxbpool.krishna.com; Port=5061
    REGISTER response:

    CALL-ID: 54968fdf328b48ee9774bf3a736cb367

    CONTENT-LENGTH: 0

    CSEQ: 1 REGISTER

    DATE: Sat, 06 Jan 2018 08:01:44 GMT

    FROM: <sip:b@krishna.com>;epid=AB16B4D2A7;tag=b6f84a5d1e

    SERVER: RTC/6.0

    TO: <sip:b@krishna.com>;tag=802B17E03B3969F72D9EA5D8A8DDDC58

    VIA: SIP/2.0/TLS 192.168.137.102:51784;branch=z9hG4bK18d9c8e;ms-received-port=51784;ms-received-cid=F400

    WWW-AUTHENTICATE: NTLM realm="SIP Communications Service",targetname="SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: Kerberos realm="SIP Communications Service",targetname="sip/SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: TLS-DSK realm="SIP Communications
    Service",targetname="SFB1.krishna.com",version=4,sts-uri="https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc"

    Found STS Uri : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc.
    STS Uri Discovery activity completed successfully.
    'GetSTSUri' activity completed in '0.0047896' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://intdxbpool.krishna.com:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerberos authentication.
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483847

    client-request-id:411a0150-27e2-4162-8fb6-3f7e1a83cd42

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2205

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:44 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0151887' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : b@krishna.com endpoint : abbd8e43-0c8e-40
    Web Service Url : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc
    Cert Provisioning response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483782

    client-request-id:18dc21af-fdc5-4dab-b728-f2de31e4e08a

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    Content-Length:3155

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:44 GMT

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.1923876' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = dxbpool.krishna.com
       User Sip Address = sip:b@krishna.com
       Registrar Port = 5061.
    Authentication Type 'Certificate' is selected.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0003704' seconds.
    'ClientAuth' sequence activity started.
    'ClientAuth' sequence activity completed in '4.98E-05' seconds.
    Using certificate Auth.
    'GetSTSUri' activity started.
    Starting STS Uri Discovery...

    Get Sts Uri Activity : Internal Execute: Sip Uri=sip:b@krishna.com

    Get Sts Uri Activity : Internal Execute: Autodiscover result: Is Internal = False

    Enter Get Sts Uri Activity : Get STS Uri Via Autodiscover : Sip Uri=sip:b@krishna.com ; Is Internal= False

    Get Sts Uri Activity : Get STS Uri Via Autodiscover : User Resources is NULL. Check if Autodiscover was Enabled and it succeeded.

    Get Sts Uri Activity : Internal Execute: Sts Uri from Get STS Uri Via Autodiscover =

    Enter Get Sts Uri Activity : Get STS Uri: Sip Uri=sip:b@krishna.com ; Fqdn=dxbpool.krishna.com; Port=5061
    REGISTER response:

    CALL-ID: b594b7dbc3aa4f89b3fcfa972a917f11

    CONTENT-LENGTH: 0

    CSEQ: 1 REGISTER

    DATE: Sat, 06 Jan 2018 08:01:50 GMT

    FROM: <sip:b@krishna.com>;epid=A5EC6B976C;tag=d025c3ec7a

    SERVER: RTC/6.0

    TO: <sip:b@krishna.com>;tag=802B17E03B3969F72D9EA5D8A8DDDC58

    VIA: SIP/2.0/TLS 192.168.137.102:51788;branch=z9hG4bK7df5be7;ms-received-port=51788;ms-received-cid=F600

    WWW-AUTHENTICATE: NTLM realm="SIP Communications Service",targetname="SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: Kerberos realm="SIP Communications Service",targetname="sip/SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: TLS-DSK realm="SIP Communications
    Service",targetname="SFB1.krishna.com",version=4,sts-uri="https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc"

    Found STS Uri : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc.
    STS Uri Discovery activity completed successfully.
    'GetSTSUri' activity completed in '0.0130796' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://intdxbpool.krishna.com:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerberos authentication.
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483848

    client-request-id:4917f29f-ed53-4db2-bd16-8dfd8eb9ac19

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2207

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:50 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0069085' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : b@krishna.com endpoint : abbd8e43-0c8e-40
    Web Service Url : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc
    Cert Provisioning response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483783

    client-request-id:f82f7f6c-2cd9-4549-82e9-6bb10356be2c

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    Content-Length:3154

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:50 GMT

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.0555722' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = dxbpool.krishna.com
       User Sip Address = sip:b@krishna.com
       Registrar Port = 5061.
    Authentication Type 'Certificate' is selected.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0007174' seconds.
    'ClientAuth' sequence activity started.
    'ClientAuth' sequence activity completed in '2.01E-05' seconds.
    Using certificate Auth.
    'GetSTSUri' activity started.
    Starting STS Uri Discovery...

    Get Sts Uri Activity : Internal Execute: Sip Uri=sip:b@krishna.com

    Get Sts Uri Activity : Internal Execute: Autodiscover result: Is Internal = False

    Enter Get Sts Uri Activity : Get STS Uri Via Autodiscover : Sip Uri=sip:b@krishna.com ; Is Internal= False

    Get Sts Uri Activity : Get STS Uri Via Autodiscover : User Resources is NULL. Check if Autodiscover was Enabled and it succeeded.

    Get Sts Uri Activity : Internal Execute: Sts Uri from Get STS Uri Via Autodiscover =

    Enter Get Sts Uri Activity : Get STS Uri: Sip Uri=sip:b@krishna.com ; Fqdn=dxbpool.krishna.com; Port=5061
    REGISTER response:

    CALL-ID: ce1967b91b0f4f908405fac885789daa

    CONTENT-LENGTH: 0

    CSEQ: 1 REGISTER

    DATE: Sat, 06 Jan 2018 08:01:55 GMT

    FROM: <sip:b@krishna.com>;epid=3EFEFEBBFD;tag=b7c1146b9

    SERVER: RTC/6.0

    TO: <sip:b@krishna.com>;tag=802B17E03B3969F72D9EA5D8A8DDDC58

    VIA: SIP/2.0/TLS 192.168.137.102:51796;branch=z9hG4bK2a49dbeb;ms-received-port=51796;ms-received-cid=F800

    WWW-AUTHENTICATE: NTLM realm="SIP Communications Service",targetname="SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: Kerberos realm="SIP Communications Service",targetname="sip/SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: TLS-DSK realm="SIP Communications
    Service",targetname="SFB1.krishna.com",version=4,sts-uri="https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc"

    Found STS Uri : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc.
    STS Uri Discovery activity completed successfully.
    'GetSTSUri' activity completed in '0.0070744' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://intdxbpool.krishna.com:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerberos authentication.
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483849

    client-request-id:a644c785-7370-44c6-a3c0-57326e524591

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2199

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:55 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0094125' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : b@krishna.com endpoint : abbd8e43-0c8e-40
    Web Service Url : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc
    Cert Provisioning response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483784

    client-request-id:48a84116-3482-4a55-9579-12c2a71a3e91

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    Content-Length:3154

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:55 GMT

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.0446275' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = dxbpool.krishna.com
       User Sip Address = sip:b@krishna.com
       Registrar Port = 5061.
    Authentication Type 'Certificate' is selected.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0002922' seconds.
    'ClientAuth' sequence activity started.
    'ClientAuth' sequence activity completed in '3.71E-05' seconds.
    Using certificate Auth.
    'GetSTSUri' activity started.
    Starting STS Uri Discovery...

    Get Sts Uri Activity : Internal Execute: Sip Uri=sip:b@krishna.com

    Get Sts Uri Activity : Internal Execute: Autodiscover result: Is Internal = False

    Enter Get Sts Uri Activity : Get STS Uri Via Autodiscover : Sip Uri=sip:b@krishna.com ; Is Internal= False

    Get Sts Uri Activity : Get STS Uri Via Autodiscover : User Resources is NULL. Check if Autodiscover was Enabled and it succeeded.

    Get Sts Uri Activity : Internal Execute: Sts Uri from Get STS Uri Via Autodiscover =

    Enter Get Sts Uri Activity : Get STS Uri: Sip Uri=sip:b@krishna.com ; Fqdn=dxbpool.krishna.com; Port=5061
    REGISTER response:

    CALL-ID: 0ddec2a97d984422a5d1b87a3339e8c4

    CONTENT-LENGTH: 0

    CSEQ: 1 REGISTER

    DATE: Sat, 06 Jan 2018 08:02:00 GMT

    FROM: <sip:b@krishna.com>;epid=7F46D78DF8;tag=c4343a9cf

    SERVER: RTC/6.0

    TO: <sip:b@krishna.com>;tag=802B17E03B3969F72D9EA5D8A8DDDC58

    VIA: SIP/2.0/TLS 192.168.137.102:51798;branch=z9hG4bK189fd490;ms-received-port=51798;ms-received-cid=FA00

    WWW-AUTHENTICATE: NTLM realm="SIP Communications Service",targetname="SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: Kerberos realm="SIP Communications Service",targetname="sip/SFB1.krishna.com",version=4

    WWW-AUTHENTICATE: TLS-DSK realm="SIP Communications
    Service",targetname="SFB1.krishna.com",version=4,sts-uri="https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc"

    Found STS Uri : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc.
    STS Uri Discovery activity completed successfully.
    'GetSTSUri' activity completed in '0.0047988' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url : https://intdxbpool.krishna.com:443/WebTicket/WebTicketService.svc
    Using NTLM\Kerberos authentication.
    Webticket response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483850

    client-request-id:6bfa7071-bde5-4040-96b6-7c9a1bc97bbe

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    X-Content-Type-Options:nosniff

    Content-Length:2189

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:59 GMT

    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0130881' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : b@krishna.com endpoint : abbd8e43-0c8e-40
    Web Service Url : https://intdxbpool.krishna.com:443/CertProv/CertProvisioningService.svc
    Cert Provisioning response headers:

    Content-Encoding:

    Vary:Accept-Encoding

    X-MS-Server-Fqdn:SFB1.krishna.com

    X-MS-Correlation-Id:2147483785

    client-request-id:1bc6b568-5e5c-4b84-b7d0-d2fd38b1d048

    Strict-Transport-Security:max-age=31536000; includeSubDomains

    Content-Length:3146

    Cache-Control:private

    Content-Type:text/xml; charset=utf-8

    Date:Sat, 06 Jan 2018 08:01:59 GMT

    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.0461704' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = dxbpool.krishna.com
       User Sip Address = sip:b@krishna.com
       Registrar Port = 5061.
    Authentication Type 'Certificate' is selected.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.000213' seconds.
    VERBOSE: Workflow Instance ID 'ae7f0023-4c04-4f8f-b9c6-9f5db69ebbf6' completed.
    VERBOSE: Workflow run-time (sec): 15.6637078.

    Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com" -UserCredential $cred1 -Verbose
    VERBOSE: Reading Registrar port from topology process started.
    VERBOSE: Reading Registrar port '5061' from topology process successfully finished.
    VERBOSE: Workflow Instance Id '9469f597-ff98-498f-b857-5c2f206273cd', started.
    VERBOSE: Command line executed is 'Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com" -UserCredential $cred1 -Verbose'.


    Target Fqdn   : dxbpool.krishna.com
    Result        : Success
    Latency       : 00:00:00.1340142
    Error Message :
    Diagnosis     :

    VERBOSE: Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow' started.
    Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow' completed in '4.89E-05' seconds.
    Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow', succeeded.
    'RegisterActivity2' sequence activity started.
    'RegisterActivity2' sequence activity completed in '2.26E-05' seconds.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = dxbpool.krishna.com
       User Sip Address = sip:b@krishna.com
       Registrar Port = 5061.
    Authentication Type 'IWA' is selected.
    Registration Request hit against sip/SFB1.krishna.com.
    'Register' activity completed in '0.1340142' seconds.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0992575' seconds.
    VERBOSE: Workflow Instance ID '9469f597-ff98-498f-b857-5c2f206273cd' completed.
    VERBOSE: Workflow run-time (sec): 0.340267.




    • Edited by Krishnadas1 Saturday, January 6, 2018 8:19 AM
    Saturday, January 6, 2018 6:41 AM
  • Dear Experts

    Please help

    Is there any problem in using signaturealgorith SHA256RSA & Signature hash algorithm SHA2 ? is it the reason why I am getting the following   error with

    Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com"
     -UserCredential $cred1 -Authentication ClientCertificate

    "Error Message : Unable to perform authentication of credentials.
                    Inner Exception:ComputeSignature failed. -2147024662"

    Test-CsRegistration -TargetFqdn dxbpool.krishna.com -UserSipAddress "sip:b@krishna.com"
     -UserCredential $cred1   RAN succefully [ without -Authentication ClientCertificate]

    users can sign in successfully to all SFB clients, have enabled UCS[exchange 2016]..All servers and clients trust my enterprise root CA which is running on my 2016 DC

    I am getting the same error message with Test-CsPhoneBootstrap & test-csclientauthentication

     is it mandatory to use SHA1 on my CA as some forums says ?

    Kindly advice

    Thanks & Regards

    Krishna

    Sunday, January 7, 2018 7:11 AM