Polycom CX600 cannot sign-in with PIN authentication (common area setup)

  • Question

  • Hi,

    We are currently deploying Lync Server 2013. Before we deploy Edge and Mediation, we want Polycom CX600 phones without USB cable (thus: as common area phone, like CX500) to sign-in automatically with PIN authentication.

    So far so good, but PIN authentication on the CX600 doesn't work. And all we get is this error:
    "Cannot sign-in. Please verify your sign-in address, domain\user name, and password and then try again"

    Once again: we are NOT using USB cables. We want the phone to do the PIN authentication, root CA download and sign-in by Ethernet.

    SETUP:
    Server: DC1 (win2012)
    FQDN: mp-dc1.domain.local (internal=domain.local, external=domain.com)
    IP: 192.168.1.5
    DHCP options set, using DHCPUtil (following Jeff Schertz blog)
    003 192.168.1.254
    004 192.168.1.5
    006 192.168.1.5
    015 domain.local
    042 192.168.1.5
    043
    001
    002
    003
    004
    005
    119 domain.local
    120
    DNS records added (pin-point):
    _ntp._udp.domain.com -> SRV port 123 UDP -> hostname: mp-dc1.domain.local.
    lyncdiscoverinternal.domain.com -> A -> 192.168.1.12
    lyncdiscover.domain.com -> A -> 192.168.1.12
    _sipinternaltls._tcp.domain.com -> SRV port 5061 TCP -> hostname: mp-lync.domain.local.
    _sip._tls.domain.com -> SRV port 443 TCP -> hostname: mp-lync.domain.local.
    sipinternal.domain.com -> A -> 192.168.1.12
    sip.domain.com -> A -> 192.168.1.12

    Server: LyncFE (win2012), Lync Server 2013 Standard with CU feb 2013.
    FQDN: mp-lync.domain.local
    IP: 192.168.1.12
    Primary SIP domain: domain.com
    Certificates are issued on DC1, which has the AD CS role installed.
    Certificate details: mp-lync.domain.local, Issued by: local.domain.domain-mp-dc1-ca


    WHAT WE DID:
    - We used 2 AD accounts for testing. We enabled Enterprise Voice on the accounts, gave them a number tel:+31212121212;ext=01 and ;ext=02, and a manual PIN.
    - Verified that UsePinAuth is True (which is by default), but sign-in keeps failing.
    - The time on the phones is correct. Firmware is the latest (January 2013).
    - We tried lots of phone resets by pressing * and # when powering on. Nothing helps.
    - Lync Server had rebooted several times. Doesn't help.
    - on LyncFE: added REG_DWORD "SendTrustedIssuerList" value 0 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\, rebooted, doesn't help.
    - checked if the RootCA is in AD, by using: certutil -f -dspublish <Root CA certificate in .cer file> RootCA. Result: it's already there. We did this with the Root CA ONLY, not with the issued cert for the Lync services.
    - One more thing: when people start Lync Client on their PC for the first time, they get a certificate warning that the server is not trusted. This is correct right? Because the cert is issued by our DC (see above).


    LOGS:
    DHCPUtil -EmulateClient from another server results in: Success
    DHCP Server: 192.168.1.5
    SIP Server FQDN: mp-lync.domain.local
    Certificate prov service URL: https://mp-lync.domain.local:443/CertProv/CertProvisioningService.svc


    Test-CSPhoneBootStrap with ext=01 and correct PIN results in:
    Target Fqdn: mp-lync.domain.local
    Target URL: https://mp-lync.domain.local:443/CertProv/CertProvisioningService.svc
    Result: Success
    VERBOSE: Workflow
    'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow'
    started.
    Workflow
    'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow'
    completed in '7.46E-05' seconds.
    Target server Fqdn or web service Url not provided. Will have to do DHCP
    Registrar Discovery.
    Workflow
    'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow',
    succeeded.
    'DHCPDiscover' activity started.
    Starting DHCP registrar discovery...
    Constructing a DHCP packet.
    Adding DHCP option PARAMETER_REQUEST_LIST.
    Successfully added DHCP option.
    Adding DHCP option VENDOR_CLASS_IDENTIFIER.
    Successfully added DHCP option.
    Successfully constructed DHCP packet.
    Trying to open an udp connection.
    Remote IP : 255.255.255.255.
    Local IP : 192.168.1.12.
    Creating a new UDP client.
    Udp connection successfully created.
    Sending packet.
    Remote IP : 255.255.255.255.
    Remote Port : 67.
    Packet sent successfully.
    DHCP discovery message send. Waiting for DHCP servers to respond.
    Data received successfully.
    Remote IP : 192.168.1.5.
    Remote Port : 67.
    Response received for the DHCP Discovery message.
    Constructing a DHCP packet from received raw data.
    Extracting DHCP Options.
    Successfully constructed DHCP packet.
    Return value for DHCP option : SIP_SERVER.
    Found registrar Fqdn : mp-lync.domain.local.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1 - MS-UC-Client.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2 - https.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3 -
    mp-lync.domain.local.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4 - 443.
    Successfully extracted sub option value.
    Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5.
    Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
    Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5 -
    /CertProv/CertProvisioningService.svc.
    Successfully extracted sub option value.
    Found web service Url :
    https://mp-lync.domain.local:443/CertProv/CertProvisioningService.svc.
    Disconnecting.
    DHCP registrar discovery activity completed successfully.
    'DHCPDiscover' activity completed in '1.0392867' seconds.
    'GetRootCertChains' activity started.
    Trying to download a certificate chain from web service.
    Web Service Url :
    http://mp-lync.domain.local/CertProv/CertProvisioningService.svc
    Certificate chain downloaded successfully.
    'GetRootCertChains' activity completed in '0.0174726' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url :
    https://mp-lync.domain.local:443/WebTicket/WebTicketService.svc
    Using PIN authentication with Phone\Ext : 01 Pin : 1470
    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.1313912' seconds.
    'ResolveUser' activity started.
    Starting ResolveUser activity using Web Ticket.
    Web Service Url :
    https://mp-lync.domain.local:443/CertProv/CertProvisioningService.svc
    Found user : sip:Administrator@domain.com
    Setting sip uri 'sip:Administrator@domain.com' back to parent workflow.
    ResolveUser activity completed.
    'ResolveUser' activity completed in '0.0655857' seconds.
    'GetWebTicket' activity started.
    Trying to get web ticket.
    Web Service Url :
    https://mp-lync.domain.local:443/WebTicket/WebTicketService.svc
    Using PIN authentication with Phone\Ext : 01 Pin : 1470
    GetWebTicketActivity completed.
    'GetWebTicket' activity completed in '0.0949635' seconds.
    'GetCSCertificate' activity started.
    Trying to download a CS certificate for User : Administrator@domain.com
    endpoint : STEpid
    Web Service Url :
    https://mp-lync.domain.local:443/CertProv/CertProvisioningService.svc
    GetCSCertificate activity completed.
    'GetCSCertificate' activity completed in '0.0774223' seconds.
    'Register' activity started.
    Sending Registration request:
     Target Fqdn      = mp-lync.domain.local
     User Sip Address = sip:Administrator@domain.com
     Registrar Port = No Port is provided..
    Authentication Type 'Certificate' is selected.
    Registration Request hit against mp-Lync.domain.local.
    'Register' activity completed in '0.1528287' seconds.
    'UnRegister' activity started.
    'UnRegister' activity completed in '0.0194672' seconds.
    VERBOSE: Workflow Instance ID '65dd273d-bdd6-48c6-a671-952104f283bc' completed.
    VERBOSE: Workflow run-time (sec): 1.7027358.


    The IIS Logs are showing these patterns after every PIN authentication (which fails):
    2013-04-16 12:35:45 192.168.1.12 POST /CertProv/CertProvisioningService.svc/mex - 80 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 2351
    2013-04-16 12:35:45 192.168.1.12 POST /CertProv/CertProvisioningService.svc/anon - 80 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 218
    2013-04-16 12:35:47 192.168.1.12 POST /WebTicket/WebTicketService.svc/mex - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 667
    2013-04-16 12:35:47 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 401 0 0 65
    2013-04-16 12:35:51 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 Administrator@domain.com 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 3535
    2013-04-16 12:35:52 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 895
    2013-04-16 12:35:58 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 646

    2013-04-16 12:37:12 192.168.1.12 POST /CertProv/CertProvisioningService.svc/mex - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 13
    2013-04-16 12:37:12 192.168.1.12 POST /CertProv/CertProvisioningService.svc/anon - 80 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 4
    2013-04-16 12:37:12 192.168.1.12 POST /WebTicket/WebTicketService.svc/mex - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 8
    2013-04-16 12:37:12 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 401 0 0 3
    2013-04-16 12:37:13 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 Administrator@domain.com 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 247
    2013-04-16 12:37:13 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 112
    2013-04-16 12:37:13 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 136

    2013-04-16 12:40:08 192.168.1.12 POST /CertProv/CertProvisioningService.svc/mex - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 12
    2013-04-16 12:40:08 192.168.1.12 POST /CertProv/CertProvisioningService.svc/anon - 80 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 3
    2013-04-16 12:40:08 192.168.1.12 POST /WebTicket/WebTicketService.svc/mex - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 7
    2013-04-16 12:40:08 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 401 0 0 2
    2013-04-16 12:40:09 192.168.1.12 POST /WebTicket/WebTicketService.svc/pin - 443 Administrator@domain.com 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 232
    2013-04-16 12:40:09 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 192
    2013-04-16 12:40:09 192.168.1.12 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1 - 443 - 192.168.1.154 OCPhone/4.0.7577.4372+(Microsoft+Lync+Phone+Edition) - 200 0 0 140
    ...

    Please, can somebody explain why the CX600 won't sign-in using PIN?
    Thank you.
    • Edited by MpDay Wednesday, April 17, 2013 3:48 PM
    Wednesday, April 17, 2013 10:08 AM
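The Test-CsPhoneBootstrap output above walks through the five option 43 sub-options the phone reads to build the certificate provisioning URL. As an added example (not code from the thread or from Lync), this encodes and decodes that TLV payload with the exact values from the log, and refuses truncated data instead of guessing; the vendor-class check is based on the value the log reports for sub-option 1.

```python
# Added example (not from the thread): encode and decode the DHCP option 43
# vendor-specific payload that Lync Phone Edition devices read, using the
# sub-option codes and values shown in the Test-CsPhoneBootstrap output.
# Option 43 is a sequence of TLV sub-options: 1 byte code, 1 byte length, value.
# Sub-option 1 = vendor class, 2 = URL scheme, 3 = web server FQDN,
# 4 = port, 5 = relative path of the certificate provisioning service.
VENDOR_CLASS = "MS-UC-Client"   # value the log reports for sub-option 1

def encode_option43(suboptions):
    """Build the raw option 43 payload from a {code: str} mapping."""
    out = bytearray()
    for code in sorted(suboptions):
        value = suboptions[code].encode("ascii")
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"sub-option {code} out of range or too long")
        out += bytes([code, len(value)]) + value
    return bytes(out)

def decode_option43(payload):
    """Parse TLV sub-options, refusing truncated data instead of guessing."""
    subs, i = {}, 0
    while i < len(payload):
        if payload[i] == 255:          # optional end marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = value.decode("ascii")
        i += 2 + length
    return subs

def cert_prov_url(subs):
    """Assemble the CertProv URL from sub-options 2..5, as the log shows."""
    if subs.get(1) != VENDOR_CLASS:
        raise ValueError("sub-option 1 is not the expected vendor class")
    missing = [c for c in (2, 3, 4, 5) if c not in subs]
    if missing:
        raise KeyError(f"missing option 43 sub-options {missing}")
    return f"{subs[2]}://{subs[3]}:{subs[4]}{subs[5]}"

# Constructed from the values in the question's bootstrap log
THREAD_SUBOPTIONS = {1: VENDOR_CLASS, 2: "https", 3: "mp-lync.domain.local",
                     4: "443", 5: "/CertProv/CertProvisioningService.svc"}

if __name__ == "__main__":
    raw = encode_option43(THREAD_SUBOPTIONS)
    print(raw.hex())
    print(cert_prov_url(decode_option43(raw)))
```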

Answers

  • We fixed the problem, finally.

    Solution: the Front End internal certificate didn't have the sip.domain.com SAN. After adding sip.domain.com as SAN, it still didn't work, but it felt we were getting really close. We tried adding *.domain.com as SAN, and finally the phone was able to sign-in!

    However, we don't know why it only works when we add *.domain.com as SAN.
    Before adding *.domain.com, we had these SAN names:

    sip.domain.com
    mp-lync.domain.com
    dailin.domain.com
    meet.domain.com
    lyncdiscover.domain.com
    lyncdiscoverinternal.domain.com
    sip.domain.local
    mp-lync.domain.local
    dailin.domain.local
    meet.domain.local
    lyncdiscover.domain.local
    lyncdiscoverinternal.domain.local

    With all the above SANs in the internal certificate, the CX600 was unable to sign-in with PIN and/or USB. After adding *.domain.com and *.domain.local the sign-in works!

    Question: which SAN is the phone actually looking for?

    • Marked as answer by Lisa.zheng Monday, May 6, 2013 11:38 AM
    Wednesday, April 17, 2013 7:45 PM
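The answer asks which SAN the phone is actually looking for. As an added example (not code from the thread), this applies the usual TLS host-name matching rules (RFC 6125: case-insensitive, a wildcard only in the left-most label, covering exactly one label) to the poster's explicit SAN list and to the names that appear in the question's DHCP and DNS setup, so you can see which names an explicit list leaves uncovered and which a wildcard adds; the bare apex `domain.com` is included to show that a wildcard does not cover it.

```python
# Added example (not from the thread): check which host names a certificate's
# SAN dNSName entries cover, using the SAN list from the answer and the
# DHCP/DNS names from the question. Wildcard matching follows RFC 6125.

def san_matches(san, hostname):
    """True if one SAN dNSName entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    # the wildcard covers exactly one label: *.domain.com matches
    # sip.domain.com but neither domain.com nor a.b.domain.com
    return (len(san_labels) == len(host_labels)
            and san_labels[1:] == host_labels[1:]
            and host_labels[0] != "")

def coverage(sans, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {host: next((s for s in sans if san_matches(s, host)), None)
            for host in hostnames}

def uncovered(sans, hostnames):
    """Hostnames no SAN entry covers, in input order."""
    return [h for h, s in coverage(sans, hostnames).items() if s is None]

# SAN names the poster had before adding the wildcards (from the answer)
EXPLICIT_SANS = [
    "sip.domain.com", "mp-lync.domain.com", "dailin.domain.com", "meet.domain.com",
    "lyncdiscover.domain.com", "lyncdiscoverinternal.domain.com",
    "sip.domain.local", "mp-lync.domain.local", "dailin.domain.local",
    "meet.domain.local", "lyncdiscover.domain.local", "lyncdiscoverinternal.domain.local",
]

# Names from the question's setup: the DHCP option 43 FQDN, the SRV/A record
# names, plus the bare SIP domain (constructed list, not from the phone itself)
PHONE_NAMES = [
    "mp-lync.domain.local", "sip.domain.com", "sipinternal.domain.com",
    "lyncdiscoverinternal.domain.com", "domain.com",
]

if __name__ == "__main__":
    for host, san in coverage(EXPLICIT_SANS, PHONE_NAMES).items():
        print(f"{host:35} -> {san}")
    print("still uncovered with wildcards:",
          uncovered(EXPLICIT_SANS + ["*.domain.com", "*.domain.local"], PHONE_NAMES))
```

Feed the function the SAN list exported from your own Front End certificate and the names your DHCP option 43 and SRV records publish; anything it reports as uncovered is a name a client may validate against and fail on.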

All replies

  • From the test information, the Lync Front End server is found. According to the message “Registrar Port = No Port is provided”, it seems the problem is related to the port.

    Check the following blog for more information.

    http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, April 18, 2013 11:02 AM