Asked by:
Polycom user can not login by PIN after migrating (side by side) from Lync 2010 to SfB 2015 (internal error)

Question
-
Hello,
I got signed in problem after migrated from Lync2010 to SfB2015. If the Lync2010 front end was shutdown, all users who signed-out and signed-in again from Polycom phone will not able to signed-in if using PIN (internal server error). But users are able to signed-in if using Credential.
In fact, all the Lync 2010 users already moved to SfB 2015. Either users in SfB FE or SfB SBS, both can not signed-in.
Regards,
SinjoMonday, August 20, 2018 10:24 AM
All replies
-
Hi Sinjo,
About this issue, you could try to do the following steps to check whether fix this issue:
1. In the SFB FE server, run Get-CsWebServiceConfiguration command to verify the value of the UsePinAuth setting is ‘True’.
2. Try to reset the PIN and try again.
3. Run Test-CsPhoneBootstrap command to verify the DHCP options whether set correctly.
4. Try to restart the IIS in the SFB Server.
In addition, you could refer to the following blog to check the details about Configuring Lync Server for Phone Edition Devices:
http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/
Best Regard,
Evan- Proposed as answer by woshixiaobai Wednesday, August 22, 2018 2:08 AM
Tuesday, August 21, 2018 2:16 AM -
Hi Sinjo,
Is there any update for this issue, if the reply is helpful to you, please try to mark it as an answer, it will help others who have the similar issue.
Best Regard,
EvanWednesday, August 22, 2018 2:08 AM -
Hi Evan,
Sorry, i just want to do today since we have public holiday yesterdfay.
Thank you.
Regards,
SinjoThursday, August 23, 2018 4:06 AM -
Hi Evan,
1. The Get-CsWebServiceConfiguration result shown that UsePinAuth is TRUE
2. Alreadfy reset the PIN
3. Result of Test-CsPhoneBootstrap as attached
4. Already reset the IIS.
But the problem still remain.
Regards.
Sinjo
Thursday, August 23, 2018 4:27 AM -
Hi Evan,
This is the test-csphonebootstrap result :
��PS C:\Users\ssbadmin> Test-CsPhoneBootstrap -PhoneOrExtension 52369 -PIN 54321 -Verbose | Export-Csv c:\temp\CSPhoneBoot.txt
VERBOSE: Workflow Instance Id '8a12d9a5-acd5-454e-9f51-e7783d8a0b76', started.
VERBOSE: Command line executed is 'Test-CsPhoneBootstrap -PhoneOrExtension 52369 -PIN 54321 -Verbose | Export-Csv c:\temp\CSPhoneBoot.txt'.
VERBOSE: Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' started.
Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' completed in '4.8E-05' seconds.
Target server Fqdn or web service Url not provided. Will have to do DHCP Registrar Discovery.
An exception 'Unable to perform authentication of credentials.' occurred during Workflow Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow
execution.
Exception Call Stack: at Microsoft.Rtc.Signaling.SipAsyncResult`1.ThrowIfFailed()
at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)
at Microsoft.Rtc.SyntheticTransactions.Activities.RegisterActivity.InternalExecute(ActivityExecutionContext executionContext)
at Microsoft.Rtc.SyntheticTransactions.Activities.SyntheticTransactionsActivity.Execute(ActivityExecutionContext executionContext)
at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
at System.Workflow.Runtime.Scheduler.Run()
at Microsoft.Rtc.Internal.Sip.SipAuthenticationHelper.SignString(SecurityAssociationBase sa, String stringToSign, String& signatureString)
at Microsoft.Rtc.Internal.Sip.ProtocolAuth.SignStringWithSA(String signatureString, SecurityAssociation sa)
at Microsoft.Rtc.Internal.Sip.ProtocolAuth.DoProtocolOutgoingNegotiation(SecurityAssociation sa, SipMessage message, ChallengeData challengeData)
at Microsoft.Rtc.Internal.Sip.AuthenticationControlModule.NegotiateSecurityAssociation(SecurityAssociation sa, SipMessage message, NegotiateArgs
negotiateArguments)
'DHCPDiscover' activity started.
Starting DHCP registrar discovery...
Constructing a DHCP packet.
Adding DHCP option PARAMETER_REQUEST_LIST.
Successfully added DHCP option.
Adding DHCP option VENDOR_CLASS_IDENTIFIER.
Successfully added DHCP option.
Successfully constructed DHCP packet.
Trying to open an udp connection.
Remote IP : 255.255.255.255.
Local IP : xx.xx.x.xx
Creating a new UDP client.
Udp connection successfully created.
Sending packet.
Remote IP : 255.255.255.255.
Remote Port : 67.
Packet sent successfully.
DHCP discovery message send. Waiting for DHCP servers to respond.
Data received successfully.
Remote IP : xx.xx.x.xx
Remote Port : 67.
Response received for the DHCP Discovery message.
Constructing a DHCP packet from received raw data.
Extracting DHCP Options.
Successfully constructed DHCP packet.
Return value for DHCP option : SIP_SERVER.
Found registrar Fqdn : LSSFBFE.domain.com.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1 - MS-UC-Client.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2 - https.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3 - LSSFBFE.domain.com.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4 - 443.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5 - /CertProv/CertProvisioningService.svc.
Successfully extracted sub option value.
Found web service Url : https://LSSFBFE.domain.com:443/CertProv/CertProvisioningService.svc.
Disconnecting.
DHCP registrar discovery activity completed successfully.
'DHCPDiscover' activity completed in '1.0366536' seconds.
'GetRootCertChains' activity started.
Trying to download a certificate chain from web service.
Web Service Url : http://LSSFBFE.domain.com/CertProv/CertProvisioningService.svc
Certificate chain downloaded successfully.
'GetRootCertChains' activity completed in '0.0131718' seconds.
'GetWebTicket' activity started.
Trying to get web ticket.
Web Service Url : https://LSSFBFE.domain.com:443/WebTicket/WebTicketService.svc
Using PIN authentication with Phone\Ext : 52369 Pin : 54321
Webticket response headers:
Content-Encoding:
Vary:Accept-Encoding
X-MS-Server-Fqdn:LSSFBFE.domain.com
X-MS-Correlation-Id:2147484526
client-request-id:48540d20-2026-4f97-b327-3c3aea791185
Strict-Transport-Security:max-age=31536000; includeSubDomains
X-Content-Type-Options:nosniff
Content-Length:2230
Cache-Control:private
Content-Type:text/xml; charset=utf-8
Date:Thu, 23 Aug 2018 04:43:32 GMT
GetWebTicketActivity completed.
'GetWebTicket' activity completed in '0.1160851' seconds.
'ResolveUser' activity started.
Starting ResolveUser activity using Web Ticket.
Web Service Url : https://LSSFBFE.domain.com:443/CertProv/CertProvisioningService.svc
Found user : sip:sundiono@domain.com
Setting sip uri 'sip:sundiono@domain.com' back to parent workflow.
ResolveUser activity completed.
'ResolveUser' activity completed in '0.0180021' seconds.
'GetWebTicket' activity started.
Trying to get web ticket.
Web Service Url : https://LSSFBFE.domain.com:443/WebTicket/WebTicketService.svc
Using PIN authentication with Phone\Ext : 52369 Pin : 54321
Webticket response headers:
Content-Encoding:
Vary:Accept-Encoding
X-MS-Server-Fqdn:LSSFBFE.domain.com
X-MS-Correlation-Id:2147484528
client-request-id:8dee38a5-81b8-4cf0-a867-c8ad5d52236d
Strict-Transport-Security:max-age=31536000; includeSubDomains
X-Content-Type-Options:nosniff
Content-Length:2211
Cache-Control:private
Content-Type:text/xml; charset=utf-8
Date:Thu, 23 Aug 2018 04:43:32 GMT
GetWebTicketActivity completed.
'GetWebTicket' activity completed in '0.0732893' seconds.
'GetCSCertificate' activity started.
Trying to download a CS certificate for User : sundiono@domain.com endpoint : STEpid
Web Service Url : https://LSSFBFE.domain.com:443/CertProv/CertProvisioningService.svc
Cert Provisioning response headers:
Content-Encoding:
Vary:Accept-Encoding
X-MS-Server-Fqdn:LSSFBFE.domain.com
X-MS-Correlation-Id:2147484529
client-request-id:ebbd70b9-546b-4163-8a6a-b6ad3b863117
Strict-Transport-Security:max-age=31536000; includeSubDomains
Content-Length:3238
Cache-Control:private
Content-Type:text/xml; charset=utf-8
Date:Thu, 23 Aug 2018 04:43:32 GMT
GetCSCertificate activity completed.
'GetCSCertificate' activity completed in '0.0916826' seconds.
'Register' activity started.
Sending Registration request:
Target Fqdn = LSSFBFE.domain.com
User Sip Address = sip:sundiono@domain.com
Registrar Port = No Port is provided..
Authentication Type 'Certificate' is selected.
'UnRegister' activity started.
'UnRegister' activity completed in '0.0003825' seconds.
VERBOSE: Workflow Instance ID '8a12d9a5-acd5-454e-9f51-e7783d8a0b76' completed.
VERBOSE: Workflow run-time (sec): 1.4582115.
PS C:\Users\ssbadmin>Regards,
SinjoThursday, August 23, 2018 5:09 AM -
Hi Sinjo,
According to the information you provided, I found it shows 'Unable to perform authentication of credentials.'
Based on my research, you could try to check the following settings:
1. Make sure that the phones are able to reach the Lync FE Server on HTTP 80 in addition to HTTPS 443 as Lync Phone Edition device use TCP 80 initially to connect to the Lync web services to download the root certificate chain.
2. Check if you set AlternateSignatureAlgorithm=1 in the file CAPolicy.inf, if yes, try to change the registry key on your Enterprise CA server. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSPvalue AlternateSignatureAlgorithm from 1 to 0 and restart CA service
Best Regard,
EvanMonday, August 27, 2018 8:41 AM -
Hi Evan,
Ok. I will check those items. But this is not at Lync 2010 but at Sfb 2015. Supposed when Lync 2010 shutdown to uninstall, users can login at SfB 2015.
Regards,
SinjoMonday, August 27, 2018 5:04 PM