Clients unable to download the Address book - Unable to browse to /Abs/Handler - Error 403 after entering credentials

  • Question

  • Hi,

    We have a Lync 2013 server that is working, however the clients are unable to download the Address Book.

    The server creates a new address book at 1.30am as it should and these files are available on the share.

    However when a client attempts to download the new address book, it fails with a message "Cannot synchronize with the corporate address book. This may be because the proxy setting in your web browser does not allow access to the address book. If the problem continues please contact your support team."

    After checking the clients, it was decided that this was a server issue.

    We attempted to browse in a web browser to https://ServerFQDN:443/Abs/Handler

    We are presented with a login box, and I enter my credentials to be met with a 403, Forbidden Access. I am able to log in to the server using these credentials, just not the web page.

    When I use the connectivity analyser, I get the following error:

    The credentials were not authorized by the server. Please verify your login credentials and try again.

    When I run Test-CsAddressBookService I am receiving the following error:

    Error Message : 401, Unauthorized
                    Inner Exception:AcquireCredentialsHandle failed error:
                    -2146893044

    Any help or advice would be greatly appreciated.

    Paul

    Tuesday, April 5, 2016 10:33 AM

Answers

  • Just for clarification I wanted to let people know what the issue turned out to be.

    This issue was solved by renewing the SSL certificate!

    Lync / S4B does not like to play without valid SSL certs and it turned out the SSL on the edge server had expired.

    Thank you to everyone who responded and apologies for the late closure.

    Thursday, June 15, 2017 2:28 PM
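
The accepted answer traces the failure to an expired certificate on the edge server. The following PowerShell is an added example, not part of the original thread, that reads the certificate each endpoint actually presents and reports how long it remains valid. The host names are placeholders to replace with your own Front End and Edge FQDNs, and the function name is hypothetical.

```powershell
# Added example: report the TLS certificate presented by each endpoint.
function Get-RemoteCertificateExpiry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $target = "${HostName}:$Port"
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate here so that an expired or untrusted one can
        # still be inspected. No application data is sent on this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                Host     = $target
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                DaysLeft = $daysLeft
                Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                           elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                           else { 'OK' }
            }
        } finally { $ssl.Dispose() }
    } catch {
        # Connection or handshake failure: report it instead of stopping the sweep.
        [pscustomobject]@{
            Host = $target; Subject = $null; NotAfter = $null; DaysLeft = $null
            Status = "ERROR: $($_.Exception.Message)"
        }
    } finally { $client.Close() }
}

# Placeholder host names (assumptions, not from the thread).
'fe01.example.test', 'edge01.example.test' |
    ForEach-Object { Get-RemoteCertificateExpiry -HostName $_ } |
    Format-Table -AutoSize
```

On a Lync / Skype for Business server itself, `Get-CsCertificate` lists the locally assigned certificates together with their `NotAfter` dates.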

All replies

  • Let's make sure that the Web Services file share for the Address Book has the following permissions:

    Principal                        Access           Applies To
    NETWORK SERVICE                  Modify           This folder, subfolders, and files
    RTCHSUniversalServices           Modify           This folder, subfolders, and files
    RTCComponentUniversalServices    Read & Execute   This folder, subfolders, and files
    RTC Server Local Group           Modify           This folder, subfolders, and files
    RTC Component Local Group        Read & Execute   This folder, subfolders, and files

    Also publish your topology file again; missing permissions will get sorted out automatically.

    More information here 

    http://blog.schertz.name/2013/03/breaking-down-lync-file-share/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Linus

    • Proposed as answer by Eason Huang Thursday, April 7, 2016 6:40 AM
    Wednesday, April 6, 2016 3:03 PM
  • Hi,

    Besides solving the issue so that the Lync client can download the address book from the shared folder, you can also try setting the Lync client parameter AddressBookAvailability to the value "WebSearchOnly".

    Best Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    Thursday, April 7, 2016 6:47 AM
  • Hi Linus,

    Thank you for the reply.

    I have checked the NTFS ACL of the share and all correlates to what permissions you have listed.

    I have re-published the topology without any problems.

    I am still experiencing the same issue.

    I also ran:

    Test-CsAddressBookService -TargetUri https://sub.domain.co.uk/abs/handler -usersipaddress "sip:user.test@domain.co.uk" 

    And this returned:

    https://sub.domain.co.uk/abs/handler
    Result        : Failure
    Latency       : 00:00:00
    Error Message : The remote server returned an error: (401) Unauthorized.

    Diagnosis     : X-Ms-diagnostics :
                    28032;source="sub.domain.co.uk";reason="The web ticket
                    is invalid.";faultcode="wsse:InvalidSecurityToken"
                    X-MS-WebTicketURL :
                    https://sub.domain.co.uk/WebTicket/WebTicketService.svc
                    X-MS-WebTicketSupported : cwt,saml
                    X-MS-Server-Fqdn : sub.domain.co.uk
                    X-Content-Type-Options : nosniff
                    Content-Length : 4893
                    Cache-Control : private
                    Content-Type : text/html; charset=utf-8
                    Date : Thu, 07 Apr 2016 10:42:55 GMT
                    Server : Microsoft-IIS/8.5
                    X-Powered-By : ASP.NET

    Any help again appreciated.

    Paul

    Thursday, April 7, 2016 10:53 AM
  • Thank you Eason,

    I would rather get the system back to functioning the way it was than changing the AddressBookAvailability to "WebSearchOnly".

    Paul

    Thursday, April 7, 2016 11:02 AM
  • Hi,

    Besides solving the issue so that the Lync client can download the address book from the shared folder, you can also try setting the Lync client parameter AddressBookAvailability to the value "WebSearchOnly".

    Best Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    Hi Eason,

    I created a new policy as per

    New-CsClientPolicy -Identity WebSearchOnly -AddressBookAvailability WebSearchOnly

    I then

    Grant-CsClientPolicy -Identity username -PolicyName WebSearchOnly

    I logged the user off and back on, unfortunately I just got "there is a problem with the address book"

    Seems like it could be an IIS issue?

    Any help appreciated.

    Thursday, April 7, 2016 4:15 PM
  • Hello Paul

    My certificates are valid, but I still get that error, presented by you above.

    Changing to web search only did not make a difference either.

    Do you have any ideas what could cause this?

    Thank you

    Wednesday, October 17, 2018 11:23 AM