Mac Client Authenticates - Windows Client Fails to Authenticate

  • Question

  • I continue to be amazed at the subtle nuances I find in deploying Lync :-)

    That said, I've been struggling with my second lab environment of Lync, this one EE, and beginning to try and deploy HLBs too.  In my current setup, I think I have everything right, and internally, users can hit a pool of 2 FE servers and authenticate just fine and communicate with IM.  I configured a Director and Edge server along with a reverse proxy... all looks good, services start, no notable errors, everything can hit each other's DNS.  But...

    A Windows client authenticating remotely takes the SIP address and then asks for the AD credentials.  These fail as if the password is wrong (it's not; the same user can log in locally).

    On a whim, this morning I tried the same user on a Mac client, and it worked: it authenticated externally and can IM other users.

    Can I get some help finding the place to look?  I did confirm the Director is working OK, per TechNet: I repointed a client to the Director URL and logged in.  So my suspicion is an issue between the Edge and Director.  The FW is wide open between the two IPs for them at the moment (to avoid issues), but what's really baffled me is why one client worked and one didn't.

    Tuesday, May 10, 2011 12:17 PM

Answers

  • Turned out to be related to the NTLM security settings on the Access Edge; once I lowered them from the default, all worked fine.
    • Marked as answer by John B Tokash Friday, August 5, 2011 3:57 PM
    Friday, August 5, 2011 3:57 PM

All replies

  • Running the topology validator tool in the resource kit against the Edge server, I found the following results.  It failed to register my test users; this is the error during the registration portion.  Highlighted in bold is what jumps out at me....  Any thoughts?

    TargetFqdn: [l-dev1-edge1.dev.cslab.ext]
    Result: [Failure]
    Latency: [00:00:00]
    Error: [Unknown error (0x80131500)
    Inner Exception: Peer disconnected while outbound capabilities negotiation was in progress
    Inner Exception: An existing connection was forcibly closed by the remote host
    ]
    Diagnosis: []
    Workflow Instance Id b43800f8-a00e-47dc-af3a-9b9b1894d24a, started.
    'Register' activity started.
    Sending Registration request:
        Target Fqdn      = l-dev1-edge1.dev.cslab.ext
        User Sip Address = sip:test.user@cslab.us
        Registrar Port   = 0.
    Auth Type 'IWA' is selected.
    An exception 'Unknown error (0x80131500)' occurred during Workflow Microsoft.Rtc.SyntheticTransactions.Workflows.STRegisterWorkflow execution.
    Exception Call Stack:   at Microsoft.Rtc.Signaling.SipAsyncResult`1.ThrowIfFailed()
        at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)
        at Microsoft.Rtc.Collaboration.LocalEndpoint.EndEstablish(IAsyncResult result)
        at Microsoft.Rtc.SyntheticTransactions.Activities.RegisterActivity.InternalExecute(ActivityExecutionContext executionContext)
        at Microsoft.Rtc.SyntheticTransactions.Activities.STActivity.Execute(ActivityExecutionContext executionContext)
        at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
        at System.Workflow.ComponentModel.CompositeActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
        at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
        at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
        at System.Workflow.Runtime.Scheduler.Run()

    'UnRegisterActivity' activity started.
    'UnRegisterActivity' activity completed in '0.2857005' secs.

    Workflow Instance Id b43800f8-a00e-47dc-af3a-9b9b1894d24a, completed.
    Workflow Execution Time (sec): 7.69576


    Tuesday, May 10, 2011 2:22 PM
  • Hi John,

    First, let's clarify your question. Your runtime environment is: one EE pool with 2 FE servers, one Director and Edge server along with a proxy server. You intend to deploy an HLB but haven't yet, right?

    Everything works well for internal users, except that a remote Windows user from external couldn't log in to Lync. It prompts for the Active Directory credentials to sign in, but whatever you input, even the right password, it still fails. So you repointed the login destination to the Director and it signed in successfully.

    So there are some questions for you:

    1) Did all Windows users fail to sign in to Lync from external, or just one? What's the OS version of your Windows client?

    2) Did you specify the next hop as the FQDN of your Director?

    3) Would you please check that the certificates are assigned properly on the Edge server and remote client?

    4) Also please check that you have requested and assigned a certificate for the reverse proxy, following the link below.

    http://technet.microsoft.com/en-us/library/gg429704.aspx

    Regards,

    Sharon


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Saturday, May 14, 2011 9:59 AM
    Moderator
  • All Windows users fail to authenticate, with the exception of one client.

    - That one client started logging in only after installing the resource kit tools.  I created a quick new workstation and repeated the steps; no change.

    - I specified the Director as the next hop, and tried removing it (hoping it would remove any issue with the Director specifically); no luck.

    - I suspect a certificate issue, but am not 100% certain how to nail down which one it might be.  An area where we had curiosity was setting the Director pool external services FQDN.  Wouldn't this be the same as the Edge external services FQDN?

    - Reverse proxy is in place with a certificate, but if I don't have the Director external FQDN defined properly, I won't have the right SAN defined in the proxy cert.

    Correct me if I'm wrong though: will the reverse proxy not being configured properly interfere with authentication for regular clients?

    To confirm, the environment is 2x EE FE servers, DNS LB'd for now (intend to insert an HLB later), 1x Director, 1x Edge, 1x Reverse Proxy.

    Monday, May 16, 2011 6:29 PM
  • Turned out to be related to the NTLM security settings on the Access Edge; once I lowered them from the default, all worked fine.
    • Marked as answer by John B Tokash Friday, August 5, 2011 3:57 PM
    Friday, August 5, 2011 3:57 PM
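    The accepted answer does not say which NTLM setting was lowered. As an added example that is not from the thread, from the poster, or from Microsoft, the following PowerShell script reads the NTLM policy values a Windows server keeps under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the registry backing of the "LAN Manager authentication level" and "Minimum session security for NTLM SSP based clients/servers" Group Policy settings) and prints them in readable form, so the Access Edge's current state can be recorded before anything is changed. It assumes the Edge is a Windows server where these keys apply and that the two session-security flag bits decode as Microsoft documents them (0x00080000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption). Lowering these values weakens NTLM for every peer of that server, so capture the current values first and prefer aligning the Windows clients with the Edge's policy over lowering the Edge's.

```powershell
# Added example (not from the thread): dump the NTLM hardening values under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a Windows server and describe
# them. Which of these the original poster lowered on the Access Edge is not
# stated in the thread; this only shows where to look and what each value
# means. Run in an elevated PowerShell session on the Edge server.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# Network security: LAN Manager authentication level (LmCompatibilityLevel)
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# Return a registry value, or $null when it is not set (OS default applies).
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Decode the flag bits of NtlmMinClientSec / NtlmMinServerSec
# ("Minimum session security for NTLM SSP based clients/servers").
function Get-NtlmMinSecDescription([int]$Value) {
    $flags = @()
    if ($Value -band 0x00080000) { $flags += 'Require NTLMv2 session security' }
    if ($Value -band 0x20000000) { $flags += 'Require 128-bit encryption' }
    if ($flags.Count -eq 0) { $flags += 'No minimum (accepts weaker sessions)' }
    '0x{0:X8}: {1}' -f $Value, ($flags -join ', ')
}

$lm = Get-RegValueOrNull $lsa 'LmCompatibilityLevel'
if ($null -eq $lm) {
    'LmCompatibilityLevel: not set (OS default applies)'
} else {
    'LmCompatibilityLevel: {0} ({1})' -f $lm, $lmLevels[[int]$lm]
}

foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
    $v = Get-RegValueOrNull $msv $name
    if ($null -eq $v) {
        "${name}: not set (OS default applies)"
    } else {
        "${name}: " + (Get-NtlmMinSecDescription $v)
    }
}
```

    A value reported as "not set" means the OS default is in effect, which differs between Windows versions, so compare the output against the same script run on a Windows client that fails to sign in; a client that cannot meet the server's minimum session security or authentication level is the kind of mismatch the accepted answer describes.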
  • Can you explain what exactly you did and where with the NTLM security settings?  I am getting the same exact error.  Any help will be appreciated.
    Wednesday, December 7, 2011 3:11 PM