SIP/2.0 500 Internal Server Error -- Internal result failure: unexpected UserNotificationResult Failure.

  • Question

  • Hi Guys,

    In Hosted Lync Server 2013, federation with public Skype users always worked; however, this error is reproduced when we try to exchange instant messages between a tenant and a public Skype user:

    The error follows:

    03/15/2018|16:15:03.148 1A10:1B28 INFO  :: Data Received -200.155.97.158:443 (To Local Address: 10.100.xx.1xx:59734) 1181 bytes:
    03/15/2018|16:15:03.148 1A10:1B28 INFO  :: 
    SIP/2.0 500 Internal Server Error -- Internal result failure: unexpected UserNotificationResult Failure.
    ms-user-logon-data: RemoteUser
    Via: SIP/2.0/TLS 10.100.11.133:59734;received=200.155.97.245;ms-received-port=22509;ms-received-cid=96B04F00
    Authentication-Info: TLS-DSK qop="auth", opaque="DF714E7C", srand="568FBEF3", snum="34", rspauth="792307571e910d5df08d1fbe733babcdb4fd3587", targetname="******LHDR01.prod.*****.local", realm="SIP Communications Service", version=4
    CONTENT-LENGTH: 0
    From: "Customer"<sip:customer@tenantdomain.com.br>;tag=c955483a29;epid=0a36253436
    To: <sip:evandro@hotmail.com>;tag=5n7ffdw7
    CSeq: 1 INVITE
    Call-ID: 872b3afdd6cf469a849003eda68a2308
    ms-telemetry-id: 16FC548D-066A-5754-8C5F-7845F294CC8E
    ms-diagnostics: 1033;reason="Previous hop server component did not report diagnostic information";Domain="hotmail.com";PeerServer="lync.bridge.messenger.live.com";source="federation.messenger.msn.com"
    ms-edge-proxy-message-trust: ms-source-type=AuthorizedServer;ms-ep-fqdn=lyncedgepool01.lyncdomain.local;ms-source-network=publiccloud;ms-source-verified-user=verified;ms-remote-fqdn=federation.messenger.msn.com

    03/15/2018|16:15:03.148 1A10:1B28 INFO  :: End of Data Received -200.155.xxx.yyy:443 (To Local Address: 10.100.xx.yyy:59734) 1181 bytes


    I got this error in event viewer "Lync Server" on the edge servers:

    TLS outgoing connection failures.

    Over the past 1 minutes, Lync Server has experienced TLS outgoing connection failures 16864 time(s). The error code of the last failure is 0x80004005(E_FAIL) while trying to connect to the server "sipfed.online.lync.com" at address [52.112.66.203:5061], and the display name in the peer certificate is "sipfed.online.lync.com".
    Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
    Resolution:
    Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

    TLS outgoing connection failures.

    Over the past 2 minutes, Lync Server has experienced TLS outgoing connection failures 321 time(s). The error code of the last failure is 0x80004005(E_FAIL) while trying to connect to the server "sipfed.online.lync.com" at address [52.112.66.214:5061], and the display name in the peer certificate is "sipfed.online.lync.com".
    Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
    Resolution:
    Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

    Any idea?


    Thursday, March 15, 2018 7:39 PM
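
An added example, not part of the original post: a small parser for the trace format quoted above that pulls the `ms-diagnostics` and `ms-edge-proxy-message-trust` headers out of each SIP response and compares the diagnostic `source` with the edge and peer FQDNs. Treating `source` equal to `ms-remote-fqdn` as "reported by the remote federation peer" is a triage heuristic assumed here; the sample trace is constructed from the post's header values with placeholder addresses.

```python
import re

# Constructed sample: header values copied from the trace in the post,
# IP addresses and the local edge FQDN replaced with placeholders.
SAMPLE_TRACE = '''\
03/15/2018|16:15:03.148 1A10:1B28 INFO  :: Data Received -203.0.113.10:443 (To Local Address: 10.0.0.5:59734) 1181 bytes:
03/15/2018|16:15:03.148 1A10:1B28 INFO  ::
SIP/2.0 500 Internal Server Error -- Internal result failure: unexpected UserNotificationResult Failure.
CONTENT-LENGTH: 0
To: <sip:evandro@hotmail.com>;tag=5n7ffdw7
CSeq: 1 INVITE
ms-diagnostics: 1033;reason="Previous hop server component did not report diagnostic information";Domain="hotmail.com";PeerServer="lync.bridge.messenger.live.com";source="federation.messenger.msn.com"
ms-edge-proxy-message-trust: ms-source-type=AuthorizedServer;ms-ep-fqdn=edgepool01.hoster.example;ms-source-network=publiccloud;ms-source-verified-user=verified;ms-remote-fqdn=federation.messenger.msn.com

03/15/2018|16:15:03.148 1A10:1B28 INFO  :: End of Data Received -203.0.113.10:443 (To Local Address: 10.0.0.5:59734) 1181 bytes
'''

TRACE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\|")       # trace timestamp prefix
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")    # SIP status line
PARAM_RE = re.compile(r'([\w-]+)=("[^"]*"|[^;]*)')    # key=value or key="quoted; value"

def parse_params(value):
    """Split 'a=b;c="d;e"' into a dict; bare tokens such as '1033' are skipped."""
    return {k.lower(): v.strip().strip('"') for k, v in PARAM_RE.findall(value)}

def parse_responses(trace):
    """Yield one dict (status, reason, headers) per SIP response in the trace."""
    current = None
    for raw in trace.splitlines():
        line = raw.strip()
        status = STATUS_RE.match(line)
        if status:
            if current:
                yield current
            current = {"status": int(status.group(1)),
                       "reason": status.group(2), "headers": {}}
        elif current is not None and (not line or TRACE_RE.match(line)):
            yield current      # blank line or next trace record ends the headers
            current = None
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    if current:
        yield current

def triage(resp):
    """Summarise who reported the failure (heuristic, see lead-in)."""
    diag = resp["headers"].get("ms-diagnostics", "")
    params = parse_params(diag)
    trust = parse_params(resp["headers"].get("ms-edge-proxy-message-trust", ""))
    source = params.get("source", "").lower()
    if source and source == trust.get("ms-remote-fqdn", "").lower():
        origin = "remote-peer"
    elif source and source == trust.get("ms-ep-fqdn", "").lower():
        origin = "local-edge"
    else:
        origin = "unknown"
    return {"status": resp["status"], "diag_code": diag.split(";", 1)[0].strip(),
            "domain": params.get("domain", ""), "source": source,
            "peer_server": params.get("peerserver", ""), "origin": origin}

if __name__ == "__main__":
    for r in parse_responses(SAMPLE_TRACE):
        print(triage(r))
```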

All replies

  • Hi EvandroMalmsteen,

    Is the problem that you cannot send IMs to public Skype users with Outlook Web App?

    Could you use the SFB client to send IMs to public Skype users?

    Could you send IMs to Skype for Business users with OWA?

    Based on the TLS outgoing connection failures, please check the internal edge certificate like the following screenshot and the “internal.domain.com” DNS record in the internal DNS.


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, March 16, 2018 3:13 AM
    Moderator
  • Leon,

    Is the problem that you cannot send IMs to public Skype users with Outlook Web App? R: No.

    Could you use the SFB client to send IMs to public Skype users? R: No.

    Could you send IMs to Skype for Business users with OWA? R: No.

    Based on the TLS outgoing connection failures, please check the internal edge certificate like the following screenshot and the “internal.domain.com” DNS record in the internal DNS.

    CN = lyncedgepool01.lyncdomain.local
    OU = Hosted Lync Server 2013
    O = Hosted Lync Server 2013
    L = ***
    S = ***
    C = **
    Friday, March 16, 2018 1:53 PM
  • I have discovered that this problem occurs in only one tenant.

    The others are running federation with public Skype.

    I disabled an account with problem and enabled again but with no success.

    Do I need to remove and re-create the entire tenant organization in lync?
    Friday, March 16, 2018 2:58 PM
  • Follow the log of Snooper.

    Friday, March 16, 2018 6:27 PM
  • any updates?
    Monday, March 19, 2018 7:24 PM
  • Hi EvandroMalmsteen,

    Could you please simply explain your environment topology?

    According to your description, in my understanding, you seem to have both on-premises and online Lync environments. Did you deploy hybrid mode?

    Only one tenant has this issue; do you mean Office 365 tenant online users?

    About the logs you provided: they seem related to sipfed.online.lync.com. Could you please try to open https://sipfed.online.lync.com on your Edge server with Chrome or another browser (not IE)? Normally it should return “Status: 404 Not Found Server: RTC/7.0 FQDN: xxx.xxx.lync.com” without a certificate issue.

    And if you use an online environment, please also compare the external communications settings on the online page.

    If I misunderstood anything, feel free to let me know.


    Best Regards,
    Leon Lu



    Friday, March 23, 2018 7:48 AM
    Moderator
  • Hi,

    Is there any update on this issue? If the reply is helpful to you, please try to mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu



    Monday, March 26, 2018 10:10 AM
    Moderator
  • The environment is Lync Server hosting pack v2 for multi-tenancy. It has no integration with Office 365 and is not on-premises.

    Only one tenant has this problem.

    03/26/2018|10:46:04.854 22C8:136C INFO  :: Data Received -200.xxx.xxx.158:443 (To Local Address: 10.xx.xx.133:59428) 1181 bytes:
    03/26/2018|10:46:04.854 22C8:136C INFO  :: 
    SIP/2.0 500 Internal Server Error -- Internal result failure: unexpected UserNotificationResult Failure.
    ms-user-logon-data: RemoteUser
    Via: SIP/2.0/TLS 10.xxx.xx.133:59428;received=200.xxx.xxx.158;ms-received-port=20973;ms-received-cid=113FF600
    Authentication-Info: TLS-DSK qop="auth", opaque="A41083A2", srand="AD1AF509", snum="27", rspauth="e5e51ca62a14d716c44793003a62b4c081ffa3de", targetname="LHDR01.prod.mydomain.local", realm="SIP Communications Service", version=4
    CONTENT-LENGTH: 0
    From: "Majoral"<sip:joral@tenantdomain.com.br>;tag=d9acd13af8;epid=0a36253436
    To: <sip:evandro@hotmail.com>;tag=riaskaby
    CSeq: 1 INVITE
    Call-ID: 037e71240b654b229b71253e6a4e5479
    ms-telemetry-id: 98162FBE-CF86-5342-BA32-9C11096B0782
    ms-diagnostics: 1033;reason="Previous hop server component did not report diagnostic information";Domain="hotmail.com";PeerServer="lync.bridge.messenger.live.com";source="federation.messenger.msn.com"
    ms-edge-proxy-message-trust: ms-source-type=AuthorizedServer;ms-ep-fqdn=lyncedgepool01.prod.mydomain.local;ms-source-network=publiccloud;ms-source-verified-user=verified;ms-remote-fqdn=federation.messenger.msn.com

    03/26/2018|10:46:04.854 22C8:136C INFO  :: End of Data Received -200.xxx.xxx.158:443 (To Local Address: 10.***.**.133:59428) 1181 bytes

    Monday, March 26, 2018 1:55 PM
  • Hello,

    I deprovisioned the tenant that does not federate and provisioned again, and then activated an unsuccessful account. The error continues.

    Could you please simply explain your environment topology?
    R:

    My environment was deployed using the lync hosting pack v2 installation package.

    2 Director Servers
    3 Lync Servers
    2 Edge Servers
    2 Office Web Apps Servers
    2 Sql Cluster + Storage
    Integration with Exchange Servers 2013
    1 CA Enterprise
    2 Mediation Servers


    According to your description, in my understanding, you seem to have both on-premises and online Lync environments. Did you deploy hybrid mode? R: No. My environment is a Hosted Lync Server 2013 v2.

    Only one tenant has this issue; do you mean Office 365 tenant online users? No. Only one tenant cannot send messages to public Skype. The DNS is OK, and even after deprovisioning and provisioning again, I did not succeed.

    Monday, March 26, 2018 4:16 PM
  • Hi EvandroMalmsteen,

    I did a lot of research on your scenario. I think you may try to re-configure the federation with Skype for the tenant.

    In addition, please re-run “Enable-csservicetopology” to see if it works.


    Best Regards,
    Leon Lu



    Friday, March 30, 2018 9:56 AM
    Moderator
  • Hi,

    Is there any update on this issue? If the reply is helpful to you, please try to mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu



    Monday, April 2, 2018 10:06 AM
    Moderator
  • Leon,

    The problem still persists.

    I'll do more troubleshooting.

    Thanks for now.

    Monday, April 2, 2018 1:06 PM
  • I installed on the Lync Server 2013 cluster the Cumulative Update KB 2809243 below supported by ODIN on the entire communicator cluster and after that I did the entire process of removing and reactivating the customer by API ODIN, but without success.

    https://www.microsoft.com/en-us/download/details.aspx?id=36820
    https://support.microsoft.com/en-us/help/4019183/july-2017-cumulative-update-5-0-8308-992-for-lync-server-2013-core-com
    https://kb.odin.com/en/112361

    I reexecuted the deployment setup in the environment on each server and performed a restart on all servers to see if there was any corrupted component.

    I made a manual provisioning via scripts (attached scripts) for the environment and reproduced the same problem and it is evident that it is a problem on the Microsoft Communicator platform.


    Param(
     [string]$MasterID   # name of the tenant OU
    )

    Import-Module ActiveDirectory
    Import-Module LyncOnline
    Import-Module Lync

    # Resolve the tenant OU; its objectGUID is used as the tenant ID
    $OU = "OU=$masterID,OU=Provider,OU=hosting,DC=prod,DC=domain,DC=local"
    $OUObject = Get-ADOrganizationalUnit -Identity $OU
    $GUID = $OUObject.ObjectGUID

    # Allow federation with all known domains for this tenant
    $all = New-CsEdgeAllowAllKnownDomains

    Set-CsTenantFederationConfiguration -Tenant $GUID -AllowedDomains $all

    # Replicate the change to the other servers
    Invoke-CsManagementStoreReplication

    Wednesday, April 4, 2018 6:13 PM
  • My Provisioning Scripts:

    ###||###

    Provisioning Tenant


    Param(
      [string]$SipDomain,
      [string]$MasterID
    )

    Import-Module ActiveDirectory
    Import-Module LyncOnline
    Import-Module Lync

    $OU = "OU=$masterID,OU=Provider,OU=hosting,DC=prod,DC=domain,DC=local"

    $msRTCSIPDomainUrlMap = "$SipDomain#https://meet.hosterdomain.com.br/$SipDomain"
    $OUObject = Get-ADOrganizationalUnit -Identity $OU
    $GUID = $OUObject.ObjectGUID
    $OUObject |Set-ADOrganizationalUnit -Replace @{'msRTCSIP-TenantId'=$GUID}
    $OUObject |Set-ADOrganizationalUnit -Replace @{'msRTCSIP-ObjectId'=$GUID}
    $OUObject |Set-ADOrganizationalUnit -Add @{'msRTCSIP-Domains'=$SipDomain}

    Get-AdGroup -SearchBase $OU -filter * -Properties msRTCsip-groupingID |set-adgroup -Replace @{'msrtcsip-groupingid'=$GUID}
    Get-AdGroup -SearchBase $OU -filter * -Properties msRTCsip-TenantID |set-adgroup -Replace @{'msrtcsip-tenantid'=$GUID} 

    $OUObject |Set-ADOrganizationalUnit -Add @{'msRTCSIP-DomainUrlMap' = $msRTCSIPDomainUrlMap }

    New-CsSipDomain -Identity $SipDomain

    Enable-CsComputer
    (Get-CsTopology -AsXml).ToString() > C:\TopologiaAtivaCliente\$MasterID\Topology-AtivaClienteScript.xml

    start-sleep -s 5
    Publish-CsTopology -FileName "C:\TopologiaAtivaCliente\$MasterID\Topology-AtivaClienteScript.xml"

    start-sleep -s 5

    Invoke-CsManagementStoreReplication

    ###||###

    SIMPLE URL

    Import-Module ActiveDirectory,Lync,LyncOnline
    $TenantDomain = "testeft.com"
    $TenantDN = "OU=OUTenant,OU=Provider,OU=hosting,DC=prod,DC=domain,DC=local"
    $MeetingUrl = "https://meet.hosterdomain.com.br/$TenantDomain"
    $TenantDomainUrlMap = "$TenantDomain#$MeetingUrl"
    $TenantOU = Get-AdOrganizationalUnit -Identity $TenantDN -Properties msRTCSIP-Domains, msRTCSIP-DomainUrlMap
     
    $TenantOU | Set-ADOrganizationalUnit -Replace @{'msRTCSIP-Domains'=$TenantDomain}
    $TenantOU | Set-ADOrganizationalUnit -Replace @{'msRTCSIP-DomainUrlMap'=$TenantDomainUrlMap}

    $MeetURLEntry = New-CsSimpleUrlEntry -Url $MeetingUrl
    $SimpleURL = New-CsSimpleUrl -Component "Meet" -Domain $TenantDomain -SimpleUrlEntry $MeetUrlEntry -ActiveUrl $MeetingUrl
    Set-CsSimpleUrlConfiguration -SimpleUrl @{Add=$SimpleURL}

    Set-CsSimpleUrlConfiguration -UseBackendDatabase $true

    Enable-CsComputer

    Invoke-CsManagementStoreReplication

    ###||###

    Enable User


    Param(
      [string]$SipDomain,
      [string]$MasterID,
      [string]$User
      )

    Import-Module ActiveDirectory
    Import-Module LyncOnline
    Import-Module Lync

    $OU = "OU=$masterID,OU=Provider,OU=hosting,DC=prod,DC=domain,DC=local"
    $OUObject = Get-ADOrganizationalUnit -Identity $OU
    $GUID = $OUObject.objectguid

    $BaseURL = "https://meet.hosterdomain.com.br/"+$SIPDomain

    Get-ADObject -LDAPFilter "(ObjectClass=user)" -SearchBase $OU -Properties UserPrincipalname | ? {$_.UserPrincipalName -match "$user" } | Set-ADUser -replace @{'msRTCSIP-GroupingID'=$GUID}
    Get-ADObject -LDAPFilter "(ObjectClass=user)" -SearchBase $OU -Properties UserPrincipalname | ? {$_.UserPrincipalName -match "$user" } | Set-ADUser -replace @{'msRTCSip-TenantID'=$GUID}
    Get-ADObject -LDAPFilter "(ObjectClass=user)" -SearchBase $OU -Properties UserPrincipalname | ? {$_.UserPrincipalName -match "$user" } | Set-ADUser -Replace @{'msRTCSIP-BaseSimpleUrl'=$BaseURL}

    start-sleep -s 5

    Enable-CsUser -Identity $User -RegistrarPool lyncpool01.prod.domain.local -SipAddressType UserPrincipalName

    start-sleep -s 10

    Get-AdGroup -SearchBase $OU -filter * -Properties msRTCsip-groupingID |set-adgroup -Replace @{'msrtcsip-groupingid'=$GUID}
    Get-AdGroup -SearchBase $OU -filter * -Properties msRTCsip-TenantID |set-adgroup -Replace @{'msrtcsip-tenantid'=$GUID}



    Wednesday, April 4, 2018 6:15 PM
  • Hi,

    This thread is dead?!

    Wednesday, April 11, 2018 1:10 PM
  • It looks like the error "SIP/2.0 500 Internal Server Error -- Internal result failure: unexpected UserNotificationResult Failure." points to an issue with your Edge Server.

    Important point: In order to get federation working with other partners sip domains or with PIC (Public Instant Communication) the SRV record for federation should be created and pointing correctly:
    *To your Edge Onprem server (when you have onprem environment)
    *To sipfed.online.lync.com ( when you have online environment)
    *To your Edge Onprem server (when you have Hybrid environment)
    Example:
    Sip domain "microsoft.com" / _sipfederationtls._tcp.microsoft.com should point to: sipfed.microsoft.com

    Step 1.- Make sure the SRV record for federation for the affected sip domain is created and pointing correctly: https://technet.microsoft.com/en-us/library/gg398758(v=ocs.15).aspx
    "When creating SRV records, it is important to remember that they must point to a DNS A and AAAA (if you are using IPv6 addressing) record in the same domain in which the DNS SRV record is created. For example, if the SRV record is in contoso.com, the A and AAAA (if you are using IPv6 addressing) record it points to cannot be in fabrikam.com"

    Step 2.- Make sure you are following the correct process to provision your SIP domain for PIC
    *Process for Onprem ( https://technet.microsoft.com/en-us/library/dn440173%28v=ocs.15%29.aspx )

    *Process for Online ( https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/allow-users-to-contact-external-skype-for-business-users )

    *Process for Hybrid ( https://technet.microsoft.com/en-us/library/dn440172.aspx ) Q: How do I enable Lync-Skype Connectivity in a split-domain scenario?

    Step 3.- Make sure the external edge certificate has the reference for your sip domain, if you have Onprem or Hybrid environment.


    PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"


    Monday, April 16, 2018 6:47 PM
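
An added example, not part of the reply above: an offline check of the two rules quoted on this page, namely that the federation SRV target must sit in the same domain as the SRV record, and (from the event log text) that the peer certificate must contain the FQDN used to connect in its subject or SAN. The function names and the one-label wildcard matching are assumptions of this sketch; the inputs are the reply's own sample domains.

```python
SRV_PREFIX = "_sipfederationtls._tcp."

def _norm(name):
    return name.rstrip(".").lower()

def srv_zone(srv_name):
    """Return the domain an SRV owner name such as
    _sipfederationtls._tcp.contoso.com was created in."""
    name = _norm(srv_name)
    if not name.startswith(SRV_PREFIX):
        raise ValueError("not a federation SRV name: %r" % srv_name)
    return name[len(SRV_PREFIX):]

def target_in_zone(srv_name, target):
    """True when the SRV target host is in the SRV record's own domain."""
    zone, host = srv_zone(srv_name), _norm(target)
    return host == zone or host.endswith("." + zone)

def name_matches(pattern, fqdn):
    """Certificate name match: exact, or '*.' covering exactly one label."""
    p, f = _norm(pattern), _norm(fqdn)
    if p.startswith("*."):
        head, sep, tail = f.partition(".")
        return bool(head) and sep == "." and tail == p[2:]
    return p == f

def cert_covers(fqdn, subject_cn, sans):
    """True when the FQDN appears in the subject CN or any SAN entry."""
    return any(name_matches(n, fqdn) for n in [subject_cn, *sans] if n)

def check_federation(sip_domain, srv_target, subject_cn, sans):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    srv = SRV_PREFIX + sip_domain
    if not target_in_zone(srv, srv_target):
        findings.append("SRV %s points outside its domain: %s" % (srv, srv_target))
    if not cert_covers(srv_target, subject_cn, sans):
        findings.append("certificate does not contain %s" % srv_target)
    return findings

if __name__ == "__main__":
    # Sample names taken from the reply's own examples
    print(check_federation("microsoft.com", "sipfed.microsoft.com",
                           "sipfed.microsoft.com", []))
    print(check_federation("contoso.com", "sipfed.fabrikam.com",
                           "sipfed.contoso.com", ["sip.contoso.com"]))
```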
  • The problem was on https://pic.lync.com.

    Microsoft support redeployed the SIP domains in Skype consumer through PIC, and the problem is solved.

    It is not my Hosted Lync Server 2013.

    Thanks.

    Thursday, May 2, 2019 12:04 AM