Lync client remotely prompts for credentials to retrieve response groups and keeps prompting.

  • Question

  • Hello,

     

    I have configured an Enterprise Lync 2010 environment with a front end pool, mediation server, A/V conferencing server, monitoring server and an Edge server in the DMZ. When I create a meeting internally using "Meet now", everything works. Users are able to share their programs, desktop, apps, video etc. But when I send an invite to an external user, the user receives the meeting request and clicks on it. The meeting is launched but the guest user does not see the original participant. The internal user who sent out the invite does not see whether the guest has joined or not. On the guest side, the client only shows 1 participant. Nothing shared by the internal user is available to the external guest. After a few moments, the client on the external guest throws the error below:

     

     

    I have checked and all the DNS entries are in place and resolvable (including SRV records). Any help will be appreciated.

     

    Thanks!


    Palwinder Singh

    • Edited by SinghPalwinder Tuesday, August 16, 2011 5:47 PM Updated the title of the discussion to reflect the issue being discussed.
    Friday, August 5, 2011 3:46 PM

All replies

  • Have you configured the reverse proxy?
    regards Holger Technical Specialist UC
    Friday, August 5, 2011 8:39 PM
  • Yes reverse proxy is there and working fine. I have moved further. It was due to the fact that we were using internal certs for testing. Now everything is working except screen sharing with external users. As soon as I get the logs of that I will update this post.

     

    Thanks Holger!

     

    Palwinder


    Palwinder Singh
    Friday, August 5, 2011 8:49 PM
  • Hi, Palwinder,

    Here are some tools for testing and troubleshooting.

    1. Lync Server 2010 Remote Connectivity Analyzer

    2. Lync Server 2010 Best Practices Analyzer

    Please give them a try; I hope this helps.

    Wednesday, August 10, 2011 9:53 AM
  • Hi, Palwinder,

    Any update?

    Thursday, August 11, 2011 11:00 AM
  • Hi Noya,

    Yes, I have resolved that part. Everything is working great. It was just a corrupted client install. After I removed and re-installed Lync Attendee on the test system, everything is working great. I have tested from multiple systems.

    The tool that really helped me was the snooper tool. The level of detail in the errors is great. 

    I only have one small kink to iron out now. Using the https://www.testocsconnectivity.com tool, I get an error:

     

    "Subscription for provisioning data did not return a valid MRAS URI" when I try a Microsoft Lync Remote Connectivity Test.

     

    The other test "Microsoft Lync Server Remote Connectivity Test with AutoDiscover" passes successfully though. And I am able to log in to the Lync Server using a Lync Client remotely. But I do get a credentials popup and if I enter my credentials, it just reappears instantly.  If I cancel out of it, the Lync client still seems to be working. Any help on this will be appreciated.

     

     

    Thanks!


    Palwinder Singh

    Thursday, August 11, 2011 1:24 PM
  • Hi, Palwinder,

    Glad to see you’ve fixed the first issue!

    For the "Credentials are required" issue, please update your client according to KB2571543.

    And there’s another similar post for reference, hope it helps.


    Friday, August 12, 2011 11:05 AM
  • Hi, Palwinder,

    Have you fixed this issue?

    Tuesday, August 16, 2011 10:21 AM
  • Hi Noya,

    The credentials issue is not resolved yet. The update didn't help. I will do some further logging today and advise.

    Thanks


    Palwinder Singh
    Tuesday, August 16, 2011 1:27 PM
  • This is what I see in logs:

     

    TL_INFO(TF_PROTOCOL) [0]04B4.0DD4::08/16/2011-17:19:50.586.0000085a (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 3498557960
    Instance-Id: 000005D0
    Direction: incoming;source="internal edge";destination="external edge"
    Peer: lyncpool1.domain.com:5061
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:lynctest1@domain.com>;tag=aac8db8391;epid=406833f106
    To: <sip:lynctest1@domain.com>;tag=309BA1B36629A56EB809088455BD883D
    CSeq: 1 REGISTER
    Call-ID: eca5c45b7f0b4e0ba4c9358061757dbf
    Date: Tue, 16 Aug 2011 17:19:59 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="lync1.domain.com", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="lync1.domain.com", version=4, sts-uri="https://lyncweb.domain.com:443/CertProv/CertProvisioningService.svc"
    Via: SIP/2.0/TLS 192.168.100.109:64736;branch=z9hG4bK637BC333.D47730B6390344A6;branched=FALSE;ms-received-port=64736;ms-received-cid=330600
    Via: SIP/2.0/TLS 10.106.15.99:20653;received=224.12.6.52;ms-received-port=25546;ms-received-cid=25900
    Server: RTC/4.0
    Content-Length: 0
    Message-Body: –
    $$end_record

     

     


    Palwinder Singh
    Tuesday, August 16, 2011 5:37 PM
  • I have modified all the public IP addresses in this post for obvious reasons.

     

    Here is another error:

     

     

    TL_INFO(TF_PROTOCOL) [0]04B4.0BB4::08/16/2011-17:19:39.853.00000835 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 4044974097
    Instance-Id: 000005CC
    Direction: outgoing;source="internal edge";destination="external edge"
    Peer: 2244.12.6.52:7373
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:lynctest1@domain.com>;tag=a1b63f9f0a;epid=406833f106
    To: <sip:lynctest1@domain.com>;tag=309BA1B36629A56EB809088455BD883D
    CSeq: 3 REGISTER
    Call-ID: e5e681fa77a64191a0ef2a56542f66fd
    ms-user-logon-data: RemoteUser
    Date: Tue, 16 Aug 2011 17:19:48 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="lync1.domain.com", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="lync1.domain.com", version=4, sts-uri="https://lyncweb.domain.com:443/CertProv/CertProvisioningService.svc"
    Via: SIP/2.0/TLS 10.106.15.99:20649;received=224.12.6.52;ms-received-port=7373;ms-received-cid=25700
    Server: RTC/4.0
    Content-Length: 0
    Message-Body: –
    $$end_record

     


    Palwinder Singh
    Tuesday, August 16, 2011 5:40 PM
  • Found another error and I think this is the reason. I am using a Windows 7 machine to test the external client.

    ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="lync1.domain.com"

    Not sure how to resolve it yet:

     

     

    TL_INFO(TF_PROTOCOL) [0]04B4.116C::08/16/2011-17:57:48.590.00000b54 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 1523557481
    Instance-Id: 0000061A
    Direction: incoming;source="internal edge";destination="external edge"
    Peer: lyncpool1.domain.com:5061
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:lynctest1@domain.com>;tag=a35177956f;epid=406833f106
    To: <sip:lynctest1@domain.com>;tag=309BA1B36629A56EB809088455BD883D
    CSeq: 3 REGISTER
    Call-ID: 93c4a31206fc41d8a7547e07d4f2b53f
    Date: Tue, 16 Aug 2011 17:57:57 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="lync1.domain.com", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="lync1.domain.com", version=4, sts-uri="https://lyncweb.domain.com:443/CertProv/CertProvisioningService.svc"
    Via: SIP/2.0/TLS 192.168.100.109:64795;branch=z9hG4bKAE29C237.138FE415652A4D8C;branched=FALSE;ms-received-port=64795;ms-received-cid=333E00
    Via: SIP/2.0/TLS 10.106.15.99:20945;received=224.12.6.52;ms-received-port=42701;ms-received-cid=25C00
    ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="lync1.domain.com"
    Server: RTC/4.0
    Content-Length: 0
    Message-Body: –
    $$end_record

     


    Palwinder Singh
    Tuesday, August 16, 2011 6:55 PM
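
An added example (not part of any post in this thread): a small Python parser for the `$$begin_record` ... `$$end_record` trace format posted above. It lists each 401 response with the authentication schemes offered, the `sts-uri` advertised with TLS-DSK, and any `ms-diagnostics` reason. The function names are hypothetical and the sample is a shortened copy of the record in the post above.

```python
import re

# Constructed sample: a shortened copy of the trace record posted above.
SAMPLE = """\
TL_INFO(TF_PROTOCOL) [0]04B4.116C::08/16/2011-17:57:48.590.00000b54 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
Direction: incoming;source="internal edge";destination="external edge"
Message-Type: response
Start-Line: SIP/2.0 401 Unauthorized
CSeq: 3 REGISTER
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="lync1.domain.com", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="lync1.domain.com", version=4, sts-uri="https://lyncweb.domain.com:443/CertProv/CertProvisioningService.svc"
ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="lync1.domain.com"
$$end_record
"""

RECORD = re.compile(r"\$\$begin_record\s*\n(.*?)\$\$end_record", re.S)

def parse_records(text):
    """Yield each trace record as {lowercased header name: [values]}."""
    for body in RECORD.findall(text):
        headers = {}
        for line in body.splitlines():
            # Split on the first colon only, so URIs in the value stay intact.
            name, sep, value = line.strip().partition(":")
            if sep:
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        yield headers

def auth_failures(text):
    """Summarise every 401 response: CSeq, offered schemes, STS URI, diagnostics."""
    out = []
    for h in parse_records(text):
        if not h.get("start-line", [""])[0].startswith("SIP/2.0 401"):
            continue
        offers = [o for o in h.get("www-authenticate", []) if o]
        sts = [m.group(1) for o in offers for m in [re.search(r'sts-uri="([^"]+)"', o)] if m]
        diag = dict(re.findall(r'(\w+)="([^"]*)"', " ".join(h.get("ms-diagnostics", []))))
        out.append({
            "cseq": h.get("cseq", [""])[0],
            "schemes": [o.split()[0] for o in offers],
            "sts_uri": sts[0] if sts else None,
            "reason": diag.get("reason"),
            "hresult": diag.get("HRESULT"),
        })
    return out

if __name__ == "__main__":
    for failure in auth_failures(SAMPLE):
        print(failure)
```
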
  • Hi,

    You can look at this blog:

    http://blog.schertz.name/category/ocs/

    Maybe you have problems with the 128-bit encryption on the Lync Server.


    regards Holger Technical Specialist UC
    Wednesday, August 17, 2011 9:28 PM
  • Hi Holger,

     

    I have already changed both the client and server settings to "No Minimum" on Front and EDGE but still no go. I am going to review TMG logs next and see if I see something there as it looks like something to do with the web services.

     

    Thanks,


    Palwinder Singh
    Thursday, August 18, 2011 1:07 PM
  • Ok I was finally able to resolve this.

    It was more carelessness on my part than anything else. After reviewing the TMG warnings for the Lync rule, I noticed that the authentication on the TMG rule for Lync was set to “No Authentication. Do not let the client authenticate directly” whereas it should have been “No Authentication. Let the client handle the authentication directly”.

     

    And I have set the 128 bit encryption back to be required. Everything is working smoothly.

     

    Sometimes I wish I had ZEN level focus and mental clarity :) 

    Actually all the time.....

     

    Thanks everyone.


    Palwinder Singh


    • Marked as answer by SinghPalwinder Thursday, August 18, 2011 2:16 PM
    Thursday, August 18, 2011 2:16 PM
  • Hi Palwinder,

    We are not using any TMG. I have added one more IP in FE and am using web services. Any suggestions?

    I also have the same problem.

    Thanks:

    Amit Sharma

    Friday, June 8, 2012 6:21 AM