Unable to connect mobility services externally. RRS feed

  • Question

  • Hi all,

    Currently i have an issue with the mobility services. I can successfully connect with my phone within the internal network but when i try to connect from external it fails.

    First error:So i tried to open autodiscover url with https and i got internal server 500 error target principal name is incorrect.

    Second one :And dont know if this also connected with the first but when i open the autodiscover.scv from the internal network both external and internal paths are pointing to my .local domain name. This is obivious a mistake.

    Also when i run this "Get-CsService -PoolFqdn lyncpool.contoso.com -WebServer | Select-Object McxService* | fl" i also confirmed both address is .local.

    I tried to run

    Set-CsMcxConfiguration –ExposedWebUrl External

    But nothing change with the links.

    FYI:just for testing i input the lyncdiscover.mydomain.com to my hosts file with the internal ip to test cert and it worked. My client was able to download scv without error.

    So please advise and thanks for advance.

    Wednesday, February 29, 2012 8:36 AM


All replies

  • Hi ,

    Can you cross check SAN entries on reverse proxy/FE certificate ?

    Please have a look at this article ; http://technet.microsoft.com/en-us/library/hh690030.aspx 


    Wednesday, February 29, 2012 11:18 AM
  • Hi Saleesh,

    I checked the document but everything seems in that order. The only different thing in the documents i read is my cert CN=sip.domain.com but lyncdiscover and FQDN is included in SAN. Is this a problem itself? I'm not sure about it maybe the error i mentioned in my previous post  "target principal name error" is because of this? 

    Any other ideas? 

    Update: Local url problem fixed by finding out mistype of the external web services (.local) but still getting the principal name incorrect error with the lyncdiscover.domain.com It must be something with the TMG.
    • Edited by Bora Engin Wednesday, February 29, 2012 4:27 PM
    Wednesday, February 29, 2012 3:22 PM
  • Hi,

    For mobility services , SAN entry would be sufficient on certificate. Can you verify following on TMG;

    1. Website publishing rule , FQDN mentioned on "To" tab and ensure that it is matching with certificate entry.
    2. Authentication delegation option should be ; client may authenticate directly . http://www.proexchange.be/blogs/ocs_wave_14/archive/2011/12/13/publish-reverse-proxy-urls-for-lync-mobility-discover-service-with-isa-tmg.aspx.
    3. Ensure that root CA and intermediate CA is trusted by TMG.



    • Proposed as answer by Sharon.Shen Thursday, March 1, 2012 10:54 AM
    • Unproposed as answer by Bora Engin Thursday, March 1, 2012 11:57 AM
    • Marked as answer by Bora Engin Thursday, March 1, 2012 12:36 PM
    Wednesday, February 29, 2012 5:27 PM
  • Hi,Bora,

    Would you please check the autodiscover record does match the external web service URL which has been exposed to public?

    Details please check http://technet.microsoft.com/en-us/library/hh690040.aspx  and http://technet.microsoft.com/en-us/library/hh690044.aspx



    Sharon Shen

    TechNet Community Support

    ************************************************************************************************************************************************************************************Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This will be benef

    • Proposed as answer by Sharon.Shen Thursday, March 1, 2012 10:54 AM
    Thursday, March 1, 2012 10:54 AM
  • Hi,

    It looked like the issue was about the TO tab in TMG publish. When i changed it to lyncdiscover.domain.com its working as it should be.

    Thank you Saleesh and Sharon for both helping me out.

    • Edited by Bora Engin Thursday, March 1, 2012 12:39 PM
    Thursday, March 1, 2012 12:03 PM
  • Great news, cheers..!!



    Thursday, March 1, 2012 1:38 PM
  • I'm using a Wildcard certificate on my reverse proxy *.domain.com and receiving this error.

    Is this a supported solution?

    Wednesday, March 28, 2012 2:02 AM
  • hi there.. i got the same problem..

    Ipad can login from internal but not external.

    internal autodiscover address : https://lyncpool.domain.net/autodiscover/autodiscoverService.svc/root
    external autodiscover address: https://lyncdiscover.domain.com/autodiscover/autodiscoverService.svc/root

    I try to download root file from TMG using https://lyncdiscover.domain.com/autodiscover/autodiscoverService.svc/root and the respond is unable to download root file.

    then i try to access external mcxservice and got respond "403 - Forbidden: Access is denied."

    in my ipad, i got message error "Can't connect to the server. It may be busy or temporarily unavailable. Please Try again"

    my TMG certificate also use public certificate and have SAN "lyncdiscover.domain.com"

    its make me dizzy to resolve the problem..

    Monday, April 9, 2012 11:18 AM