locked
Problems with sign in in mobile ... RRS feed

  • Question

  • Hi guys,

    I have a problem when I try to access from mobile to my Skype Business send me the following error: We can't sign you in. Please check your account info and try again.

    Attach the log:

    08-15 18:25:20.900 11433 DEBUG NetworkMonitor: isNetworkAvailable ? Yes

    08-15 18:25:20.900 11433 DEBUG [Notifications] NotificationHub: Received CAlertReporterEvent, creating a NotificationData. NotificationData{mId=-1, mTraceId=eb4112b3-5241-4c40-9fe2-c77ba4f83020, mContentText='PII', mContentTitle='null', mActionsTarget=STATUS_BAR, mIntentTarget=STATUS_BAR, mTransientNotification=false, mDismissible=true, mAction1ToRightOfContent=false, mTickerText='PII', mNotificationContext='null', mExpiresAfterMs=0, mStyleId=0, mIsHighPriority=false, mNotificationType=UNKNOWN, mWhen=0}, CAlertReporterEvent{action=Add, category=CategoryConnection, type=SignInAlert, level=LevelError, priority=PriorityNormal, timeout=TimeoutInfinte, errorCode=E_AuthError, isGlobal=true, contextString='handleCommonUcwaRequestError', alertAction=null}, should show true

    08-15 18:25:20.900 11433 DEBUG DialogTelemetry: Skipped ui_error_alert_displayed {Type=SignInAlert, Kind=CategoryConnection, Level=LevelError, ErrorCode=E_AuthError}
    08-15 18:25:20.904 11433 DEBUG ErrorMessageUtils: getLocalizedErrorStringForErrorCode code: E_AuthError, type: SignInAlert, context: handleCommonUcwaRequestError, localized string: We can't sign you in. Please check your account info and try again.

    08-15 18:25:20.927 11433 DEBUG NetworkMonitor: isNetworkAvailable ? Yes

    08-15 18:25:20.927 11433 DEBUG [Notifications] NotificationHub: Received CAlertReporterEvent, creating a NotificationData. NotificationData{mId=-1, mTraceId=90ce9cd8-2088-4306-aa84-1554984166b4, mContentText='PII', mContentTitle='null', mActionsTarget=STATUS_BAR, mIntentTarget=STATUS_BAR, mTransientNotification=false, mDismissible=true, mAction1ToRightOfContent=false, mTickerText='PII', mNotificationContext='null', mExpiresAfterMs=0, mStyleId=0, mIsHighPriority=false, mNotificationType=UNKNOWN, mWhen=0}, CAlertReporterEvent{action=Add, category=CategoryConnection, type=SignInAlert, level=LevelError, priority=PriorityNormal, timeout=TimeoutInfinte, errorCode=E_AuthError, isGlobal=true, contextString='handleCommonUcwaRequestError', alertAction=null}, should show true

    08-15 18:25:20.927 11433 DEBUG DialogTelemetry: Skipped ui_error_alert_displayed {Type=SignInAlert, Kind=CategoryConnection, Level=LevelError, ErrorCode=E_AuthError}

    08-15 18:25:20.927 11433 DEBUG ErrorMessageUtils: getLocalizedErrorStringForErrorCode code: E_AuthError, type: SignInAlert, context: handleCommonUcwaRequestError, localized string: We can't sign you in. Please check your account info and try again.

    08-15 18:25:20.936 11433 INFO [SessionState] SessionStateManager: Received authentication manager event: CAuthenticationManagerEvent{eventType=PropertiesChanged, changedProperties=[IsCredentialPasswordNeeded]}

    08-15 18:25:20.936 11433 DEBUG [SessionState] SessionStateManager: onAuthenticationManagerEvent and isAuthTokenInvalidatedPropertyChanged: false

    08-15 18:25:20.936 11433 DEBUG [SessionState] SessionStateManager: onAuthenticationManagerEvent and isCredentialPasswordNeeded: false

    08-15 18:25:20.936 11433 INFO [SessionState] SessionStateManager: Received authentication manager event: CAuthenticationManagerEvent{eventType=PropertiesChanged, changedProperties=[IsCredentialPasswordNeeded]}

    08-15 18:25:20.936 11433 DEBUG [SessionState] SessionStateManager: onAuthenticationManagerEvent and isAuthTokenInvalidatedPropertyChanged: false

    08-15 18:25:20.937 11433 DEBUG [SessionState] SessionStateManager: onAuthenticationManagerEvent and isCredentialPasswordNeeded: false

    08-15 18:25:20.937 11433 INFO [SessionState] SessionStateManager: Actual Session State Changed from IsSigningIn to IsSignedOut, topology: OnPrem

    08-15 18:25:20.938 11433 DEBUG NetworkMonitor: isNetworkAvailable ? Yes

    Now the problem is only in the mobile application logon to the WiFi in my office, all the local clients connected to the same network works fine I mean laptops or pc.

    Thanks very much for your help.

    Kind regards.

    Wednesday, August 15, 2018 6:50 PM

Answers

  • Hi Penny,

    this pretty much looks like you need to install the latest CU:

    https://ucmart.uk/2017/12/12/skype-for-business-server-2015-december-2017-cumulative-update-lots-of-fixes-and-improvements

    or

    https://support.microsoft.com/en-au/help/4036633/we-can-t-sign-you-in-because-you-aren-t-set-up-to-use-skype-for

    kind regards


    • Edited by zaikun Wednesday, September 26, 2018 7:40 AM
    • Marked as answer by Penny1mx Wednesday, September 26, 2018 6:51 PM
    Wednesday, September 26, 2018 7:37 AM

All replies

  • Hi Penny,

    Can you log in SFB normally before in mobile?

    Do other users in your organization have the same problem?

    Do Android and IOS mobile phone have this issue?

    If all users cannot sign in , did you  deploy reverse proxy in your SFB environment? Because SFB sign in the internal environment should use the reverse proxy. Deploying reverse proxy ,you could refer to the following link.

    https://docs.microsoft.com/en-us/skypeforbusiness/deploy/deploy-and-configure-mobility

    If internal users cannot sign in with Wi-Fi, external users can sign in with cellular normally, please check following A records in the internal DNS(Lyncdiscoverinternal.<SIPDomain>) and external DNS(<LyncextwebFQDN>.<SIPDomain>) firstly

    Then Autodiscover setup check:

    please add https://lyncdiscover.contoso.com in the browser of mobile phone, you should receive a prompt to open or save the lyncdiscover_contoso.com file

    When you open the lyncdiscover_contoso.com file in notepad, you should see the following content: {"AccessLocation":"External","Root":{"Links":[{"href":"https:\/\/lyncexternal.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/lyncexternal.contoso.com\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}

    Access http://lyncdiscover.contoso.com/autodiscover/autodiscoverservice.svc/root/domain and you should receive the same file

    Next Web services authentication check:

    Try to browse the URL https://lyncexternal. contoso.com/mcx/mcxservice.svc/mex in your web browser and we should receive an XML response

    For Lync 2013 and SFB 2015, https://lyncexternal. contoso.com/ucwa and we should see an IIS unauthorized response

    Next Web services configuration check:

    Run following cmd in your SFB management shell,

    Get-CsWebServicesConfiguration | fl

    ExposedWebUrl is set to External

    Verify the value for the UseWindowsAuth parameter is set to Negotiate


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, August 16, 2018 5:48 AM
  • Thanks for your quick replay Leon.

    Let me answer first your questions:

    - In my environment never use the skype mobile version.

    - All the users have the same problem I try with several mobiles and several user names.

    - Are the same problem with the 2 version in Android or IOS.

    - I try the following link as you tell me and have all the first part until reverse proxy ( in the first point says "Open your Reverse proxy interface" but where are this option ???

    For the autodiscover web check:

    {"_links":{"self":{"href":"https://lyncpoolfe01.mydomain/Autodiscover/AutodiscoverService.svc/root?originalDomain=mydomain"},"user":{"href":"https://lyncwebservices.mydomain/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=mydomain"},"xframe":{"href":"https://lyncwebservices.mydomain/Autodiscover/XFrame/XFrame.html"}}}

    For the second file:

    Are not the same file is this:

    {"code":"NotFound","message":null}

    The final idea is allow my local users ( in my corporate WiFi ) use the Skype Business over your own smartphones.

    Thanks very much.

    Kind regards.

    Thursday, August 16, 2018 3:12 PM
  • Hi Penny,

    Please sign in SFB manually, if you can sign in?

    have you checked the internal DNS, if have a A record (Lyncdiscoverinternal.<SIPDomain>.com)


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Tuesday, August 21, 2018 10:26 AM
  • Hi Leon,

    Thanks very much for your feedback. Yes, if I try to logon manually in a single computer are not in domain works fine, in a computer are in domain works fine, but if I configure the phone application to do the same don't work.

    And yes I have the DNS register with this line. ( is CNAME ).

    I don't know why the application from the cell phone don't work.

    Kind regards.

    Wednesday, August 22, 2018 9:36 PM
  • Hi Penny,

    did I get you right that you are stuck at the "reverse proxy" set up?

    Basically your autodiscover externally points to something like "skypewebext.domain.com" - this is the URL that you declared in your topology builder and this will be used by your mobile app.

    this URL needs to be accessible from externally of course, with port 443 - directed to the front end server port 4443

    you can use a reverse proxy or you can NAT it directly to the front end server. the latter is not recommended.

    if you have a meeting URL accessible from external, then it's best to define the skypewebext URL DNS entry with the same WAN IP and this should do the deal.

    if a reverse proxy is in place, you might need to add a content matching rule so the webext url also gets directed to the front end server.


    • Edited by zaikun Wednesday, August 29, 2018 3:17 PM content adjusted
    Wednesday, August 29, 2018 3:16 PM
  • Hi,

     

    Are there any updates for this issue, if the reply is helpful, please try to mark it as an answer,  it will help others who have similar issue.


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, August 30, 2018 9:40 AM
  • Hi Leon,

    I'm so sorry for my late response I'm really sorry.

    Yes you right I'm stuck in the reverse proxy setup.

    About the auto discovery where I can find the URL use for that in the topology in with part ???

    Thanks very much !!!

    And I promise you I never give a feedback late from me.

    Kind regards.

    Wednesday, September 5, 2018 7:26 PM
  • Hi Penny,

    it's this inside the topology builder:


    so this needs to be available on your public DNS server as "A record".

    it should show to the reverse proxy (or if you don't have one to the front end server)

    if you have a reverse proxy, you need incoming port 443, directing to front end port 4443

    and for port 80 I would do a "302  redirect" to https

    if you don't have reverse proxy, you need to NAt it directly to the front end, also with the external 443 incoming port and change port to 4443 internally.

    regards




    • Edited by zaikun Friday, September 7, 2018 7:44 AM
    Friday, September 7, 2018 7:38 AM
  • Hi Zaikun,

    Thanks very much for your answer. And yes I have this record in my DNS so the problem I think is the reverse proxy. In this case is better if I create a Edge server ???

    Because create a NAT I think is not recommended right ???

    Thanks very much.

    Kind regards.

    Friday, September 7, 2018 1:41 PM
  • Hi Penny,

    the apps work via UCWA, so an Edge server won't help in this case.

    You don't necessarily need a reverse proxy. You can NAT traffic directly to the front end server to port 443 incoming and translate prot to internal 4443

    but then you need either a publicly signed certificate on the front end OR your selfsigned certificate (at least the chain) needs to be pushed to your devices.

    Sunday, September 9, 2018 5:42 PM
  • Hi Zaikun,

    Thanks for your answer, and you have some instruction to make this possible ???

    About the certificate when I try to sign in in my mobile the certificate are requested and added to the mobile.

    So the idea is make the NAT possible you know who do that ???

    Kind regards !!!

    Monday, September 10, 2018 6:03 PM
  • Hi Penny,

    first off you need to publish the external DNS record for your external web services, as defined in the topology:

    the WAN IP must be configured on your firewall / router to accept incoming requests on port 443 and forward it to local IP of front end server, but on port 4443.

    talk to your network team, they usually should know what to do.

    Tuesday, September 11, 2018 8:38 AM
  • Hi Zaikun,

    Thanks very much for your feedback.

    I make all the changes I view the address over the web and if I make a telnet the port open ( I think is fine ) Its possible check this with something ???

    When I try to logon outside of my network like a carrier internet send me error:

    Your account does not allow access from outside your organization network.

    If I try in my local network ( WiFi ) send me:

    We cant sign you in. Please check your account info and any updates you made in Advanced option.

    There is some I need change ???

    Kind regards.

    Tuesday, September 11, 2018 4:25 PM
  • Hi Penny,

    what about lyncdiscover and lyncdiscoverinternal DNS records?

    the app tries to resolve "lyncdiscover". best practise is to not make this record available from the internal network, but this is required for the app.

    Can you verify that these records point to the front end server?

    regards

    Thursday, September 13, 2018 7:10 AM
  • Hi Zaikun,

    Yes I have it :(

    The record exist in my internal DNS.

    Kind regards.

    Thursday, September 13, 2018 2:24 PM
  • Hi Penny,

    which certificate is used on the front end server?

    a self-signed?

    Friday, September 14, 2018 9:02 AM
  • Hi Zaikun,

    Yes is a self sign, create my local domain.

    Thanks very much.

    Kind regards.

    Friday, September 14, 2018 3:42 PM
  • is the chain built on the mobile devices?

    you can verify by browsing the external web services URL via web browser on the phones. dou you encounter any certificate warnings?

    Monday, September 17, 2018 7:56 AM
  • Hi Zaikun,

    Thanks very much for you answer and your help.

    Only send me the certificate error, and after that don't have privileges to view the following webpage.

    I have a question for you ( this service use the port 80 ) ???

    Because in the FW don't allow the port 80.

    Thanks very much.

    Kind regards.

    Monday, September 17, 2018 10:46 PM
  • Hi Penny,

    incoming port 80, directing to port 8080 front end

    and/or

    incoming port 443, directing port 4443 front end

    these are the two options.

    as long as you get the certificate error, it won't work. so you need to install the root and intermediate certificate on the device

    regards





    • Edited by zaikun Tuesday, September 18, 2018 6:58 AM
    Tuesday, September 18, 2018 6:52 AM
  • Hi Zaijun,

    A good news and a bad news …

    Good news is now I can connect and view all my contacts but a few seconds are connected send me an error and disconnected says:

    Your account does not allow access from outside your organization's network. Please contact to your organization's network and try signing in.

    You have any idea ???But finally I can connect !!!

    :D

    Friday, September 21, 2018 7:34 PM
  • Hi Penny,

    have you checked the mobility policy via S4B control panel? Clients -> mobility policy

    if enabled, make sure that the user also has the proper mobility policy set up.

    kind regards

    Monday, September 24, 2018 8:47 AM
  • Hi Zaikun,

    Its enable attach the image …

    :(

    Monday, September 24, 2018 7:33 PM
  • Hi Penny,

    this pretty much looks like you need to install the latest CU:

    https://ucmart.uk/2017/12/12/skype-for-business-server-2015-december-2017-cumulative-update-lots-of-fixes-and-improvements

    or

    https://support.microsoft.com/en-au/help/4036633/we-can-t-sign-you-in-because-you-aren-t-set-up-to-use-skype-for

    kind regards


    • Edited by zaikun Wednesday, September 26, 2018 7:40 AM
    • Marked as answer by Penny1mx Wednesday, September 26, 2018 6:51 PM
    Wednesday, September 26, 2018 7:37 AM
  • Perfect !!!

    Works like a charm !!!

    Thanks very much for your help and your time really.

    Kind regards.

    Wednesday, September 26, 2018 6:52 PM
  • great to hear :)

    have a nice weekend and take care!

    Friday, September 28, 2018 10:28 AM