LYNC 2010 - Resource Forest - Single Sign On - Disabled Accounts

Question

    Greetings: Looking for help or documentation on implementing LYNC 2010 in a resource forest.

    We have previously implemented Exchange 2010 and OCS Enterprise 2007 (SQL 2005 backend) in a resource forest without problems. User accounts that exist in the USER forest are duplicated in the Resource forest via Exchange 2010 as linked mailboxes. The accounts are then enabled via OCS 2007. Users are able to log on in the USER forest and access both MAIL and OCS in the Resource Forest using their USER forest account (i.e. Single Sign On / Pass Through Authentication works!)

    (To recap - Exchange 2010 Enterprise / OCS 2007 Enterprise work as expected)

    So now we are implementing a testing structure where we again have Exchange 2010 but use Lync 2010 instead of OCS 2007. Again using Exchange 2010 Enterprise SP1 with LYNC Enterprise 2010 (SQL 2005 backend). The installations went fine for both products.

    There are two issues and they may be linked.

    1) Disabled Accounts - The Lync 2010 client will not connect to any account that is disabled, including inside the Resource Forest. If the account is enabled then Lync 2010 will connect; this works both inside the Resource Forest and accessing it from a User forest. This eliminates any issues with certifications and DNS issues with both the Resource Forest and User Forests.

    2) Single Sign On (SSO) - While using the User Forest I am unable to get the Lync 2010 client to access the corresponding account in the Resource Forest.

     

    Scenarios:

    1. Account - Bill - Normal account inside the RESOURCE forest with Exchange mailbox & is SIP enabled.
    2. Account - Frank - Linked mailbox inside the RESOURCE forest bound to a user account in the USER Forest; it is also SIP enabled. Account is ENABLED.
    3. Account - Will - Linked mailbox inside the RESOURCE forest bound to a user account in the USER forest; it is also SIP enabled. Account is DISABLED.

     

    Workstation attached to the RESOURCE FOREST

    • Bill's account in the RESOURCE FOREST can connect to the LYNC system with the client
    • Frank's account in the RESOURCE FOREST can connect to the LYNC system with the client
    • Will's account in the RESOURCE FOREST CAN'T connect to the LYNC system with the client (Will's account is disabled, so he can't even log on)

    Workstation attached to the USER FOREST (using the respective accounts to log on)

    • SSO for Bill does not work when using his user id from the USER FOREST for the LYNC system in the RESOURCE forest. Because Bill is an enabled account rather than a linked mailbox he is not able to use SSO with his Exchange Mailbox, but can access his mail manually.
    • SSO for Frank does not work when using his user id from the USER FOREST for the LYNC system in the RESOURCE forest. Frank is able to access his Exchange 2010 Mail via SSO as his account is linked.
    (I almost didn't expect this to work, as Frank's password in his enabled RESOURCE forest account is different from that of his USER forest account; I'm guessing because it's a LINKED MAILBOX, the account password doesn't matter).
    • SSO for Will does not work when using his user id from the USER FOREST for the LYNC system in the RESOURCE forest. Will is able to access his Exchange 2010 Mail via SSO as his account is linked.

    So what appears to be happening is that pass through authentication isn't working from the USER Forest to the Resource Forest. There also appears to be an issue with the LYNC 2010 system allowing connections to disabled mailboxes.

     

    Microsoft states that Lync 2010 supports a resource forest topology; it also states this:

    "The resource forest hosts the server applications and a synchronized representation of the active user object, but it does not contain logon-enabled user accounts. "

    "When you deploy Lync Server in this type of topology, you create one disabled user object in the resource forest for every user account in the user forests. "

    Resource: http://technet.microsoft.com/en-us/library/gg398173.aspx

     

    Again, I implemented this with success with OCS 2007 SP1 and Exchange 2010 SP1. I've searched quite a bit around the forums and have seen very little on this subject matter.

    http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/b7e7d5b4-affb-475a-a63d-79b0e1a2a275

    http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/3efc0c6e-c00a-413b-82d7-d519d9404dca

     

    I plan on opening a support call. I thought I would post here as well as there seems to be very little on the subject of Resource Forest implementations.

    Thursday, February 3, 2011 11:28 PM

Answers

  • Microsoft SR #: 111020455832826

    The following is the result of some investigation.

    It would appear that OCS 2007 SP1 w/ Exchange 2010 SP1 corrected a problem with regard to a setting change for SID mapping. This was overlooked in the current version of LYNC 2010, which appears to have the same problem as OCS 2007 did until the SP1 release.

    When using Resource and User Forests, the SID that is created in the USER forest must be populated to the object in the Resource Forest. This happens automatically in OCS 2007 SP1 but not in LYNC 2010 (annoyingly enough).

    The following link provides information on how to do this with OCS 2007; the same applies to LYNC 2010.

    http://communicationsserverteam.com/archive/2009/10/30/655.aspx

     

    I'll provide a breakdown to augment the information in the link. In the environment above we have linked mailboxes in a resource forest where the LYNC 2010 server resides. We SIP enable the linked mailboxes; remember these linked mailboxes are disabled. See NOTES below if you are just using disabled accounts with no mail.

     

    You will need to get the LYNC 2010 Resource Kit. In a folder called LCSSync you will find a command called sidmap.wsf. This utility takes the existing SID information from msExchMasterAccountSID and populates msRTCSIP-OriginatorSid, which is the hex SID value for a given user in a USER forest. The msExchMasterAccountSID was populated by the Exchange 2010 management console wizard while creating a linked mailbox.

     

    The utility is very basic. If you have a large OU structure and you want to enable a number of users you might want to move the linked-mailboxes all into a single OU, enable them then move them back to the appropriate containers. This will be more clear in a moment.

     

    Log onto the LYNC server where you have the resource kit installed. 

    Launch a command prompt as administrator.

    Navigate to the resource kit and the directory LcsSync

    type: wscript //h:cscript

    type: sidmap.wsf /OU:OU=(your OU name here),......,DC=(Domain name here), DC=(Domain suffix here) /logfile:c:\sipmap.txt

     

    ex: sidmap.wsf /OU:OU=Managers,OU=HumanResource,DC=microsoft,DC=com /logfile:C:\sipmap.txt 

     

    This command will map the msExchMasterAccountSID data to the msRTCSIP-OriginatorSid field for disabled accounts (linked mailboxes) in that OU container. This will allow users in the User domain to access the LYNC enabled account within the Resource domain via SSO.

     

    What's annoying is that this utility targets a specific OU container at a time. If you have a large structure with lots of hierarchy (which most RBAC implementations do) this could be VERY time consuming. Moving the users into a single container may be an option, then moving them back. However, if this isn't, then you will need to dump out your structure into Excel and create scripts for each container where users have been placed.

     

    I find this workaround, plainly put, a pain in the ass. The fact that this problem was resolved in OCS 2007 SP1 then overlooked in the LYNC 2010 release makes me think there is a disconnect within the development teams at Microsoft. I hope that this is corrected in a future service pack release for LYNC.

     

     

    Notes: If you are not using linked-mailbox accounts then msExchMasterAccountSID will not be populated with the SID information of the user from the USER forest. sidmap.wsf will be useless. Get ready for this... you will need to manually obtain each user's SID information in the User Forest and populate it manually into the corresponding account in the Resource forest. The link above details how to do this. Now, if I was annoyed about how much of a pain the "automatic" method was, this is truly irritating and hardly a solution for any large organization, but it does work.

     

    • Marked as answer by mix2this Monday, February 7, 2011 4:59 PM
    Monday, February 7, 2011 4:59 PM
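The sidmap.wsf procedure above works one OU at a time, and for objects that are not linked mailboxes the notes leave you to copy each SID by hand. The script below is an added example written for this page; it is not code from the thread, from the Lync Resource Kit or from Microsoft. It uses the ActiveDirectory module to walk a whole OU subtree of the resource forest, selects objects that are both SIP-enabled and disabled, and fills msRTCSIP-OriginatorSid from msExchMasterAccountSID where a linked mailbox exists, otherwise by looking the account up in the user forest. The server names and search base are placeholders, and the fallback lookup assumes a trust and matching sAMAccountNames across the forests; run it with -WhatIf first.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the thread or the Lync Resource Kit. Populates
  msRTCSIP-OriginatorSid for disabled, SIP-enabled objects under a whole OU
  subtree of the resource forest:
    - linked mailboxes: copy msExchMasterAccountSID (what sidmap.wsf does per OU)
    - plain disabled objects: look the SID up in the user forest by sAMAccountName
  Server names and the search base are placeholders; the lookup assumes a trust
  and matching sAMAccountNames across forests.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SearchBase,       # e.g. 'OU=Accounts,DC=resource,DC=example'
    [string] $ResourceDc   = 'dc1.resource.example',   # placeholder
    [string] $UserForestDc = 'dc1.users.example'       # placeholder
)

# AD returns SID-syntax attributes as SecurityIdentifier and octet-string ones as byte[];
# normalise both to a SecurityIdentifier so values can be compared.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]] -and $Value.Length -gt 0) {
        return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Value, 0
    }
    return $null
}

# The directory stores the binary form, so that is what gets written back.
function ConvertFrom-Sid {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return ,$bytes
}

# Candidates: SIP-enabled objects whose account is disabled (userAccountControl bit 2),
# i.e. the resource-forest pattern described in the thread.
$filter = '(&(msRTCSIP-PrimaryUserAddress=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$candidates = Get-ADUser -Server $ResourceDc -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter $filter -Properties msExchMasterAccountSID, 'msRTCSIP-OriginatorSid'

$summary = @{ Mapped = 0; AlreadyMapped = 0; Skipped = 0; Failed = 0 }
foreach ($u in $candidates) {
    $current = ConvertTo-Sid $u.'msRTCSIP-OriginatorSid'
    $source  = ConvertTo-Sid $u.msExchMasterAccountSID
    $how     = 'msExchMasterAccountSID'

    if (-not $source) {
        # No linked mailbox: resolve the SID in the user forest instead of by hand.
        $how = "lookup on $UserForestDc"
        try   { $source = (Get-ADUser -Identity $u.SamAccountName -Server $UserForestDc -ErrorAction Stop).SID }
        catch { $source = $null }
    }
    if (-not $source) {
        Write-Warning "$($u.SamAccountName): no source SID found, skipped"
        $summary.Skipped++; continue
    }
    if ($current -and $current.Equals($source)) {
        Write-Verbose "$($u.SamAccountName): already mapped"
        $summary.AlreadyMapped++; continue
    }

    # SupportsShouldProcess gives -WhatIf/-Confirm for free; do a dry run first.
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set msRTCSIP-OriginatorSid=$($source.Value) ($how)")) {
        Set-ADObject -Identity $u.DistinguishedName -Server $ResourceDc `
            -Replace @{ 'msRTCSIP-OriginatorSid' = (ConvertFrom-Sid $source) }
        # Read the attribute back rather than trusting the write.
        $readback = Get-ADObject -Identity $u.DistinguishedName -Server $ResourceDc -Properties 'msRTCSIP-OriginatorSid'
        $check = ConvertTo-Sid $readback.'msRTCSIP-OriginatorSid'
        if ($check -and $check.Equals($source)) { $summary.Mapped++ }
        else { Write-Warning "$($u.SamAccountName): write did not verify"; $summary.Failed++ }
    }
}
[pscustomobject]$summary
```

Usage: `.\Set-OriginatorSid.ps1 -SearchBase 'OU=Accounts,DC=resource,DC=example' -WhatIf -Verbose` lists what would change without touching the directory; drop -WhatIf to apply. The read-back after each write is what tells you a silent permission problem apart from success, since a Set-ADObject that the DC rejects for a subset of objects is easy to miss in a long run.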

All replies

  • Thank you for this post.

    However, when applying the script, the log results in the following error:

    Failed to set msRTCSIP-OriginatorSid attribute 424

    When you copy-paste the msExchMasterAccountSID to the msRTCSIP-OriginatorSid it does work.

    Any thoughts ? (permissions, schema, ... )

    Thanks

    MP

    Friday, December 14, 2012 9:44 AM
  • Ok, Figured it out.

    If you have a single forest, multiple domain situation and your Lync server resides in a different domain than your users, you should do the following:

    - create domain admin account in the same domain where the users exist.

    - create a member server in the same domain and install the Lync resource kit

    - before that install the vcredist_64.exe from the lync server install iso (because you can't find the correct version online)

    - run the script and it now tells you it completes without the error.

    Cheers !

    Monday, December 17, 2012 8:09 AM
  • Here is the article that describes the required attributes for the user account in a resource forest: https://docs.microsoft.com/en-us/previous-versions/office/skype-server-2010/gg670901(v=ocs.14). I've also written a script to automate this process. This is NOT elegant but it does the required. You will definitely want to modify for your environment:

    # ==============================================================================================
    # Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2007
    #
    # NAME: Lync Enable/Synchronization for Resource Forest
    # DATE : 1/15/2015
    #
    # COMMENT: This script will grab newly created user objects from a target forest,
    # then will create a corresponding user object in the resource forest with Lync,
    # will enable the user for Lync, then link the two user objects by msRTCSIP-OriginatorSid.
    #
    # ***** Note *****
    # This MUST be run from the Quest ActiveRoles Management Shell
    #
    # Script Version 1.2
    # ==============================================================================================

    # Load logging function script (provides Log-Start, Log-Write and Log-Finish)
    . "d:\Scripts\Functions\Logging_Functions.ps1"

    # ================================
    # Export users from source domain

    # Connect to the source domain and find accounts created in the last 10 days
    $currDate = Get-Date -UFormat "%m-%d-%Y"
    $conn     = Connect-QADService -Service 'sourcedomain.local' #-Credential $cred
    $date     = (Get-Date).AddDays(-10)
    $newusers = Get-QADUser -IncludeAllProperties -CreatedAfter $date -Connection $conn
    Log-Start -LogName "LyncEnable.log" -LogPath "d:\Autoenable\Logs" -ScriptVersion "1.2"
    $Logfile  = "d:\Autoenable\Logs\LyncEnable.log"

    Log-Write -LogPath $Logfile -LineValue "User Export from sourcedomain.local"
    foreach ($user in $newusers)
    {
        # Only accounts that carry an employeeID are treated as real users
        if ($user.employeeID -ne $null)
        {
            Log-Write -LogPath $Logfile -LineValue "Real user found $user"
            Select-Object -InputObject $user -Property Name, SAMAccountName, PhoneNumber, DisplayName, FirstName, LastName, Office, City, StateOrProvince, Title, Email, Company, Department, Description, Sid, employeeID |
                Export-Csv -Delimiter "," -NoTypeInformation -Path "d:\Autoenable\Logs\lyncusers_attributes$currDate.txt" -Append
        }
    }

    # ====================================
    # Import users in Lync enabled domain and enable for Lync

    # Setup the environment
    Import-Module Lync
    Import-Module ActiveDirectory
    $dc   = "DCW02LAX01US.corp.auction.local"
    $conn = Connect-QADService -Service 'DCW02LAX01US.corp.auction.local'

    # Get the input file
    $users = Import-Csv "d:\autoenable\Logs\lyncusers_attributes$currDate.txt"
    Log-Write -LogPath $Logfile -LineValue "*************************************"
    Log-Write -LogPath $Logfile -LineValue "User Import from file successful"

    # Check for user creation in the domain and create if necessary
    Log-Write -LogPath $Logfile -LineValue "*************************************"
    Log-Write -LogPath $Logfile -LineValue "Check for user creation in the domain and create if necessary"
    foreach ($Lync in $users)
    {
        $usercheck = $null
        # Check if the username already exists in AD
        $usercheck = Get-QADUser $Lync.SamAccountName -Connection $conn

        # Check the search result to see if it's null
        if ($usercheck -ne $null)
        {
            Log-Write -LogPath $Logfile -LineValue $Lync.Name
            Log-Write -LogPath $Logfile -LineValue "User: already exists in Corp.auction.local!"
        }
        # If it's null, create the user account
        else
        {
            $userprincename = $Lync.SamAccountName + "@corp.auction.local"
            # Note: the initial password is hard-coded and the object is created enabled;
            # the TechNet guidance quoted in the question calls for disabled objects in the resource forest.
            New-ADUser -Name $Lync.Name -SamAccountName $Lync.SamAccountName -UserPrincipalName $userprincename -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd!" -Force) -Enabled $true -Path 'OU=Auction,OU=Accounts,DC=corp,DC=auction,DC=local' -Server $dc
            Log-Write -LogPath $Logfile -LineValue $Lync.Name
            Log-Write -LogPath $Logfile -LineValue "User: has been created in corp.auction.local."
        }
    }

    # Set the required user attribute values from data in the file
    Log-Write -LogPath $Logfile -LineValue "*************************************"
    Log-Write -LogPath $Logfile -LineValue "Set the required user attribute values from data in the file"
    foreach ($Lync in $users)
    {
        Log-Write -LogPath $Logfile -LineValue $Lync.Name
        Set-QADUser $Lync.SamAccountName -PhoneNumber $Lync.PhoneNumber -Service $dc
        Log-Write -LogPath $Logfile -LineValue "PhoneNumber attribute updated"
        Set-QADUser $Lync.SamAccountName -DisplayName $Lync.DisplayName -Service $dc
        Log-Write -LogPath $Logfile -LineValue "DisplayName attribute updated"
        Set-QADUser $Lync.SamAccountName -FirstName $Lync.FirstName -Service $dc
        Log-Write -LogPath $Logfile -LineValue "FirstName attribute updated"
        Set-QADUser $Lync.SamAccountName -LastName $Lync.LastName -Service $dc
        Log-Write -LogPath $Logfile -LineValue "LastName attribute updated"
        Set-QADUser $Lync.SamAccountName -Office $Lync.Office -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Office attribute updated"
        Set-QADUser $Lync.SamAccountName -City $Lync.City -Service $dc
        Log-Write -LogPath $Logfile -LineValue "City attribute updated"
        Set-QADUser $Lync.SamAccountName -StateOrProvince $Lync.StateOrProvince -Service $dc
        Log-Write -LogPath $Logfile -LineValue "StateOrProvince attribute updated"
        Set-QADUser $Lync.SamAccountName -Title $Lync.Title -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Title attribute updated"
        Set-QADUser $Lync.SamAccountName -Email $Lync.Email -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Email attribute updated"
        Set-QADUser $Lync.SamAccountName -Company $Lync.Company -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Company attribute updated"
        Set-QADUser $Lync.SamAccountName -Department $Lync.Department -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Department attribute updated"
        Set-QADUser $Lync.SamAccountName -Description $Lync.Description -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Description attribute updated"
        Set-QADUser $Lync.SamAccountName -ObjectAttributes @{employeeID=$Lync.employeeID} -Service $dc
        Log-Write -LogPath $Logfile -LineValue "Employee ID attribute updated"
        Log-Write -LogPath $Logfile -LineValue "Object - All user account attributes updated."
    }

    # Enable user for Lync
    Log-Write -LogPath $Logfile -LineValue "*************************************"
    Log-Write -LogPath $Logfile -LineValue "Enabling user objects for Lync"
    foreach ($Lync in $users)
    {
        $siplogonuri    = "sip:" + $Lync.Email
        $userprincename = $Lync.SamAccountName + "@corp.auction.local"
        Enable-CsUser -Identity $userprincename -SipAddress $siplogonuri -RegistrarPool "uspool1.corp.auction.local" -DomainController $dc
        Log-Write -LogPath $Logfile -LineValue $Lync.Name
        Log-Write -LogPath $Logfile -LineValue "Object - user account enabled for Lync."
    }

    # Copy the source-forest SID value (exported to the CSV) into msRTCSIP-OriginatorSid
    Log-Write -LogPath $Logfile -LineValue "*************************************"
    Log-Write -LogPath $Logfile -LineValue "Copying SID values into msRTCSIP-OriginatorSid"
    foreach ($Lync in $users)
    {
        Set-QADUser $Lync.SamAccountName -ObjectAttributes @{'msRTCSIP-OriginatorSid'=$Lync.Sid} -Service $dc
        Log-Write -LogPath $Logfile -LineValue $Lync.Name
        Log-Write -LogPath $Logfile -LineValue "Object - OriginatorSid value copied"
    }
    Log-Finish -LogPath $Logfile


    Wednesday, September 19, 2018 6:18 PM
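Whether the SID mapping came from sidmap.wsf, from a synchronisation script like the one above, or from hand-copied values, the state of the resource-forest objects is what decides whether SSO works. The audit below is an added example written for this page, not code from the thread or from any of its posters: it lists every SIP-enabled object in the resource forest and reports, per object, whether the account is enabled (the TechNet guidance quoted in the question expects disabled objects), whether msRTCSIP-OriginatorSid is populated, whether it differs from msExchMasterAccountSID on linked mailboxes, and whether the stored SID still resolves to an account in the user forest. It needs only the ActiveDirectory module, not the Quest cmdlets; the server names and search base are placeholders.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not part of the thread. Read-only audit of SIP-enabled objects
  in a resource forest: flags enabled accounts, missing or mismatched
  msRTCSIP-OriginatorSid values, and SIDs that no longer resolve in the user
  forest. Server names and the search base are placeholders.
#>
[CmdletBinding()]
param(
    [string] $SearchBase   = 'DC=resource,DC=example',   # placeholder
    [string] $ResourceDc   = 'dc1.resource.example',     # placeholder
    [string] $UserForestDc = 'dc1.users.example'         # placeholder
)

# Normalise byte[] (octet string) or SecurityIdentifier values for comparison.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]] -and $Value.Length -gt 0) {
        return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Value, 0
    }
    return $null
}

function Get-OriginatorSidAudit {
    $props = 'msExchMasterAccountSID', 'msRTCSIP-OriginatorSid', 'msRTCSIP-PrimaryUserAddress'
    Get-ADUser -Server $ResourceDc -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(msRTCSIP-PrimaryUserAddress=*)' -Properties $props |
    ForEach-Object {
        $orig   = ConvertTo-Sid $_.'msRTCSIP-OriginatorSid'
        $master = ConvertTo-Sid $_.msExchMasterAccountSID

        # Does the stored SID still belong to a live account in the user forest?
        $resolves = $null
        if ($orig) {
            try   { $resolves = [bool](Get-ADUser -Identity $orig.Value -Server $UserForestDc -ErrorAction Stop) }
            catch { $resolves = $false }
        }

        $findings = @()
        if ($_.Enabled) { $findings += 'account enabled in resource forest' }
        if (-not $orig) { $findings += 'msRTCSIP-OriginatorSid missing (no SSO from the user forest)' }
        elseif ($master -and -not $orig.Equals($master)) { $findings += 'OriginatorSid differs from msExchMasterAccountSID' }
        if ($orig -and -not $resolves) { $findings += 'OriginatorSid does not resolve in user forest' }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            SipAddress     = $_.'msRTCSIP-PrimaryUserAddress'
            Enabled        = $_.Enabled
            OriginatorSid  = if ($orig) { $orig.Value } else { $null }
            Findings       = ($findings -join '; ')
        }
    }
}

# Objects with findings first; pipe to Export-Csv instead for a report you can diff over time.
Get-OriginatorSidAudit | Sort-Object { $_.Findings.Length } -Descending | Format-Table -AutoSize
```

The "does not resolve" check is the one worth scheduling: a user-forest account that is deleted and re-created gets a new SID, and the resource-forest object keeps silently pointing at the old one until someone complains that SSO stopped working.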