sfb2015 new user authentication

  • Question

  • Recently we finished the migration from Lync 2013 to SfB 2015. All updates for SfB are installed.

    But now newly added users can't log in to the SfB client. Old users connect normally.

    In sfb client log Lync-UccApi-0.UccApilog:

    .]]></Info>
    
        <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x10FBDC30 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
    
        <ExecuteWithWindowsOrNoAuthInternal>
    
          <ExecutionDuration>0</ExecutionDuration>
    
          <SequenceID>1.1.1</SequenceID>
    
          <hr>0x3d0000</hr>
    
        </ExecuteWithWindowsOrNoAuthInternal>
    
        <Info><![CDATA[Executing wws method with windows auth auth, asyncContext=2193DCE0,
    
     context: WebRequest context@ :571768408
    
      MethodType:4
    
      ExecutionComplete? :1
    
      Callback@ :114753F4
    
      AsyncHResult:80f10041
    
      TargetUri:https://lyncpool.domain.com/WebTicket/WebTicketService.svc
    
      OperationName:http://tempuri.org/:IWebTicketService
    
     Error:
    
    There was an error communicating with the endpoint at "https://lyncpool.domain.com/WebTicket/WebTicketService.svc".
    The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
    The server understood the request, but cannot fulfill it.

    Test-CsClientAuthentication -TargetFqdn lyncpool.domain.com -UserSipAddress "sip:user@domain.com" -UserCredential $usercred command:
    Target Fqdn   : lyncpool.rw.domain.com
    Target Uri    : https://domain.com:443/CertProv/CertProvisioningService.svc
    Result        : Failure
    Latency       : 00:00:00.0225894
    Error Message : No response received for Web-Ticket service.
                    Inner Exception: The HTTP request is unauthorized with client authentication scheme 'Ntlm'.
                    Inner Exception: The remote server returned an error: (403) Forbidden.
    
    Diagnosis     :
                    Inner Diagnosis:X-Ms-diagnostics : 28000;source="LNFE01.domain.com"
                    ;reason="User is not SIP enabled."
                    X-MS-Server-Fqdn : LNFE01.domain.com
                    X-MS-Correlation-Id : 2147484375
                    client-request-id : 3dbbb0b6-1b70-4d97-ae95-7b7e9c251144
                    Strict-Transport-Security : max-age=31536000; includeSubDomains
                    Persistent-Auth : true
                    X-Content-Type-Options : nosniff
                    Content-Length : 5992
                    Cache-Control : private
                    Content-Type : text/html; charset=utf-8
                    Date : Fri, 29 May 2020 04:43:33 GMT


    Friday, May 29, 2020 7:18 AM
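
For triaging output like the above, the sketch below pulls the `X-Ms-diagnostics` code, source and reason out of the wrapped diagnosis block. It is an added example, not part of the original thread; the function names are hypothetical, the sample is reconstructed from the output quoted in the question, and it assumes wrapped continuation lines begin with `;`.

```python
import re

# Constructed sample: the diagnosis portion of the Test-CsClientAuthentication
# output quoted in the question, keeping the same line wrapping.
SAMPLE = '''\
Diagnosis     :
                Inner Diagnosis:X-Ms-diagnostics : 28000;source="LNFE01.domain.com"
                ;reason="User is not SIP enabled."
                X-MS-Server-Fqdn : LNFE01.domain.com
                X-MS-Correlation-Id : 2147484375
'''

# "Name : value", optionally prefixed by the "Inner Diagnosis:" label.
HEADER = re.compile(r'^(?:Inner Diagnosis:)?\s*([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*)$')


def parse_headers(text):
    """Return {lower-cased header name: value}, re-joining wrapped lines."""
    headers, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Diagnosis"):
            continue  # blank line or the bare "Diagnosis :" label
        m = HEADER.match(line)
        if m:
            last = m.group(1).lower()
            headers[last] = m.group(2).strip()
        elif last is not None:
            headers[last] += line  # continuation such as ';reason="..."'
    return headers


def parse_ms_diagnostics(value):
    """Split 'code;key="value";key="value"' into a dict with an int code."""
    code, _, rest = value.partition(";")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return {"code": int(code), **fields}


def diagnose(text):
    """Summarise the diagnostics header plus the server that produced it."""
    headers = parse_headers(text)
    result = parse_ms_diagnostics(headers["x-ms-diagnostics"])
    result["server"] = headers.get("x-ms-server-fqdn")
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
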

Answers

  • Hi mitrich174!

    Does this issue persist all the time?

    How did you enable new users in Skype for Business 2015 Server?

    Were all attributes set for these new users in AD?

    It is recommended that you disable a new user, run the command “Set-CsUserReplicatorConfiguration -Identity global -ADDomainNamingContextList $Null”, update the csuser database, and then enable the user again to see if this fixes it.

    Also please run the following command “Get-CsAdDomain -Domain domain1.contoso.com” to verify the domain state.

    Besides, you can also check if there is any error event message of the front end server in the Event viewer.

    Best Regards,
    Jimmy Yang

    • Marked as answer by mitrich174 Tuesday, June 2, 2020 8:01 AM
    Monday, June 1, 2020 2:53 AM

All replies

  • Hi Jimmyy_Yang.

    I already solved my problem. My AD domain was listed in ADDomainNamingContextList. I cleared it and everything works. Thanks for the answer.

    get-CsUserReplicatorConfiguration
    
    
    Identity                     : Global
    ADDomainNamingContextList    : {dc=domain, dc=org}
    DomainControllerList         : {}
    ReplicationCycleInterval     : 00:01:00
    SkipFirstSyncAllowedDowntime : 02:00:00
    
    
    
    Set-CsUserReplicatorConfiguration -Identity global -ADDomainNamingContextList $Null
    
    
    get-CsUserReplicatorConfiguration
    
    
    Identity                     : Global
    ADDomainNamingContextList    : {}
    DomainControllerList         : {}
    ReplicationCycleInterval     : 00:01:00
    SkipFirstSyncAllowedDowntime : 02:00:00

    Tuesday, June 2, 2020 8:01 AM