Certificate web services cannot be found

    Question

  • I don't post this without having done a lot of troubleshooting first. I've successfully set this up in the past too.

    Polycom CX500
    Lync 2010

    Lync FE servers are in a data centre. The CX500 is on an office LAN but fully routable and no ports blocked between them etc. DHCP server is running in the data centre but the required DHCP options are set up on a Windows server.

    Everything except this works fine; inside and outside the LAN.

    I've read this http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/8571bfe8-f64a-4ed1-bf3f-7c74e2743558

    And have followed this blog posting to the letter - http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/

    The Bootstrap emulator and dhcputil -emulateclient (on the correct LAN) work fine with the required output.

    But the CX500 still throws the error, "Certificate web services cannot be found."

    We only have 1 CX500 to set up. All the rest are CX600 via USB so all is OK with them. The CX600 does throw the same error when trying to use the extension and PIN to log in though.

    Thanks in advance,

    Pete

     


    Thursday, October 13, 2011 12:46 PM

All replies

  • Hi Peter,

    Well, I can see that. You've done some troubleshooting yourself.

    Here are some tips for you.

    1. The Test-CsPhoneBootstrap cmdlet enables administrators to verify that a given user -- using the phone number and PIN assigned to him or her -- is able to log on to the system from a Lync 2010 Phone Edition-compatible device.

    2. To enable phones to discover Lync Server and to connect, ensure that the options (43, 120, 42) are set up on the organization's DHCP servers. For details, see Configuring DHCP Options to Enable Sign-in for IP Phones.

    3. Please confirm that your Lync Phone Edition can download the certificate successfully. You can review the document Certificates for Lync 2010 Phone Edition.

    I hope the above is useful. If you have any feedback, please share it.

    Friday, October 14, 2011 9:16 AM
    Moderator
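
The reply above asks for DHCP options 43 and 120 to be checked. The following is an added example, not part of any reply in this thread or of the Lync tooling: it decodes both payloads as they would appear in a captured DHCP ACK and rebuilds the certificate provisioning URL the phone would try. The sub-option numbering (1 to 5 under the MS-UC-Client vendor class), the function names and the sample host name are assumptions.

```python
import ipaddress

# Assumed sub-option numbering for the MS-UC-Client vendor class (not given in the thread).
SUBOPTS = {1: "vendor_class", 2: "scheme", 3: "web_fqdn", 4: "port", 5: "rel_path"}

def parse_option43(data: bytes) -> dict:
    """Walk the code/length/value triples carried inside option 43."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated sub-option at offset {i}")
        code, length = data[i], data[i + 1]
        out[SUBOPTS.get(code, f"unknown_{code}")] = data[i + 2:i + 2 + length].decode("ascii")
        i += 2 + length
    return out

def parse_option120(data: bytes) -> list:
    """RFC 3361: leading byte 0 = DNS-encoded names, 1 = IPv4 addresses."""
    if not data or data[0] not in (0, 1):
        raise ValueError("missing or unknown option 120 encoding byte")
    body = data[1:]
    if data[0] == 1:  # packed IPv4 addresses, 4 bytes each (a short tail raises)
        return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]
    names, labels, i = [], [], 0
    while i < len(body):
        n, i = body[i], i + 1
        if n == 0:  # zero-length label ends one name
            names.append(".".join(labels))
            labels = []
        elif i + n > len(body):
            raise ValueError("label runs past the end of the option")
        else:
            labels.append(body[i:i + n].decode("ascii"))
        i += n
    if labels:
        raise ValueError("last name is not terminated")
    return names

def cert_prov_url(opt43: dict) -> str:
    missing = [k for k in ("scheme", "web_fqdn", "port", "rel_path") if k not in opt43]
    if missing:
        raise ValueError(f"option 43 is missing: {', '.join(missing)}")
    return f"{opt43['scheme']}://{opt43['web_fqdn']}:{opt43['port']}{opt43['rel_path']}"

# Constructed sample payloads; host name and path are placeholders, not from the thread.
PAIRS = [(1, "MS-UC-Client"), (2, "https"), (3, "pool01.example.test"), (4, "443"),
         (5, "/CertProv/CertProvisioningService.svc")]
SAMPLE_43 = b"".join(bytes([c, len(t)]) + t.encode("ascii") for c, t in PAIRS)
SAMPLE_120 = b"\x00\x06pool01\x07example\x04test\x00"
```

The host name in the rebuilt URL is the one the web services certificate has to cover and chain to a root the device trusts, so compare it with the subject names on the pool certificate.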
  • If the CX600 is connecting when tethered then the CA certificate is already on the device.

    Try running the Test-CsPhoneBootstrap cmdlet from a computer on the same network segment as the devices, as it typically works from the Lync server but that doesn't validate the traffic path that the devices use, only that the authentication process is working.

    Also, how are you forwarding DHCP requests in the remote office to the Windows server in the data center?


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
    Friday, October 14, 2011 11:21 AM
    Moderator
  • 1. Bootstrap looks good.

    2. DHCP options are set and look correct.

    3. I've had a good look through there and all looks to be OK. The certificate is published OK.

     

    It would be good to know exactly what "Certificate web services cannot be found" means. At what point is it failing? Is it unable to download the root CA? I'm running an internal root CA for the internal site BTW.


    P

    Friday, October 14, 2011 12:06 PM
  • OK. Installed the tools on a machine on the same LAN as the phones. Ran the Test-CsPhoneBootstrap and went through each section as described here - http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/ and everything was successful.

    The machine was on the domain and so had trust with the root CA, removed this CA cert and tried again. This time it failed, error below.

    ERROR communicating with GetWebTicket() service
    System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'pool01.mas.local'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.runTryCode(Object userData)
       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at IWebTicketService.IssueToken(Message request)
       at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()

    Pete

    Friday, October 14, 2011 12:33 PM
  • OK. So I changed the certificate to a 3rd party supplied certificate (Go Daddy). Tested the bootstrap and works fine now. But STILL doesn't work on Lync Phone. I've factory reset the phones, got them new IPs from DHCP etc.

    Suggestions?

    P



    Friday, October 14, 2011 2:33 PM
  • If the CX600 is connecting when tethered then the CA certificate is already on the device.

    Try running the Test-CsPhoneBootstrap cmdlet from a computer on the same network segment as the devices, as it typically works from the Lync server but that doesn't validate the traffic path that the devices use, only that the authentication process is working.

    Also, how are you forwarding DHCP requests in the remote office to the Windows server in the data center?


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP


    Hey,

    I think he missed some step. Ask him to try using your blog steps - http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/

    I think C:\>DHCPUtil.exe -SipServer lync.contoso.com -webserver ca.contoso.com -RunConfigScript and Set-CsRegistrarConfiguration -EnableDHCPServer $true and restart the DHCP server. I think it's better to get an answer from Jeff; he is the expert about this.


    Madushka Dias : MCITP(Lync Server 2010 Administrator) & MCTS - Active Directory) - http://uctechi.blogspot.com/ | Live - madushka@live.com | If got your answer don't forget to Rate as an Answer
    Sunday, October 16, 2011 3:08 AM
  • Tried with the DHCP option enabled to no avail. It's my understanding this is only required if the Lync server is on the same subnet as the phones. I've tried DHCPUtil without webserver, with webserver and using -certprovurl. All to no avail. If someone can point me in the direction of some associated logs I'm happy to investigate further but unsure where to start here.

    Any ideas Jeff?

    Thanks,

    P

    Sunday, October 16, 2011 4:06 PM
  • Any further ideas guys?
    Tuesday, October 18, 2011 7:46 AM
  • We have a proxy in place on the LAN so the Lync phones won't be able to get to the Internet. Is this a requirement?
    Tuesday, October 18, 2011 8:23 AM
  • Peter,

    Please do the following to test whether auto discovery of the Cert Provisioning URI from DHCP is working or not.

    $cred = Get-Credential
    Test-CsClientAuth -UserSipAddress <sip address> -UserCredential $cred

    -Santosh

    Saturday, October 22, 2011 10:35 AM
  • I have the same problem; however, our Lync phones are all external to the domain. In this case we can't use DHCP options, so how do we get this to work?

    Thanks,

    Andrew

    Wednesday, December 21, 2011 2:13 AM