locked
Skype for business client can't sign in outside of network RRS feed

  • Question

  • Hey, hoping someone may be able to help me out here. I know that this is tagged as Lync 2013 but they don't have Skype for Business 2015 listed yet. So, I have everything setup and running and clients can connect on the inside network and mobile devices are able to connect everywhere. The problem I have is that Windows clients (Skype for Business) are not able to connect when outside of the network. I have included the sign on telemetry below in hopes that someone can point me in the right direction. Thanks in advance!

    Tyson

    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <Login>
        <Info><![CDATA[Discovery task(000000D5E80D9100) canceled.]]></Info>
        <Info><![CDATA[Discovery task(000000D5E80D9480) canceled.]]></Info>
        <Info><![CDATA[Certificate 0x000000D5E7F9C270:
     Issuer: Communications Server
     Serial number: ed3ec91ef94b273660ad
     Valid from: Friday, July 17, 2015 12:56:53 PM
     Valid to: Wednesday, January 13, 2016 12:56:53 PM
    ]]></Info>
        <Info><![CDATA[Created CManagedCredential[CERT this=000000D5D8E5A020, PCERT_CONTEXT=000000D5E7F9C270]]]></Info>
        <Info><![CDATA[Adding new managed cred CManagedCredential[CERT this=000000D5D8E5A020, PCERT_CONTEXT=000000D5E7F9C270]]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType found a matching cred: 000000D5D8E5A020, type:certificate, userId:OCS]]></Info>
        <Info><![CDATA[Bootstrap task queued]]></Info>
        <Info><![CDATA[Starting bootstrap task: baseUrl=, pinBased=0, forceDownloadRootCert=0, deviceId=50889F2C-0884-5EC3-8285-3F4DF4D0E8FC, credType=0, cert=000000D5E7F9C270]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10006] -> [10000]]]></Info>
        <Info><![CDATA[Bootstrap task completed with hr=0x0]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType return the cred: 000000D5E5CBCBD0, type:default, userId:CER]]></Info>
        <Info><![CDATA[GetBestManagedCredentialByType found a matching cred: 000000D5D8E5A020, type:certificate, userId:OCS]]></Info>
        <Info><![CDATA[Created CManagedCredential[CERT this=000000D5D8E59C30, PCERT_CONTEXT=000000D5E7F9C270]]]></Info>
        <Info><![CDATA[Adding new managed cred CManagedCredential[CERT this=000000D5D8E59C30, PCERT_CONTEXT=000000D5E7F9C270]]]></Info>
        <Info><![CDATA[Changed CBootstrapper status [10000] -> [10006]]]></Info>
        <Info><![CDATA[
    Starting LogonSession...
       Local interfaces: count=1, allExternal=0, someInternal=0, allIdentifying=0, backend=0
       Using loaded endpoint config
    InitialEndpointConfig calculated...
       networksAvailable=1
       cacheAvailable=0
       takenFromCache=0
    Doing logon attempt with data:
       currState=10
       sipUri=skype.test2@labs.boshgs.com
       server=lyncpool.labs.boshgs.com:443, internal
       authModes=0x1000c
       with Cert Cred
       with default Cred
       proxyAuthModes=0x3f
       epFlags=c8
       withAutoRetrials=0
       credsAvailability=valid
       redirectedServersList=
       newState=14
       statusCode=0]]></Info>
        <Lync-autodiscovery>
          <Info><![CDATA[GetBestManagedCredentialByType return the cred: 0000000000000000, type:specific, userId:LAD]]></Info>
          <Info><![CDATA[Discovery request sent to URL http://lyncdiscoverinternal.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D520), task(000000D5F1425E30)]]></Info>
          <Info><![CDATA[GetBestManagedCredentialByType return the cred: 0000000000000000, type:specific, userId:LAD]]></Info>
          <Info><![CDATA[Discovery request sent to URL https://lyncdiscoverinternal.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D320), task(000000D5F14253B0)]]></Info>
          <Info><![CDATA[GetBestManagedCredentialByType return the cred: 0000000000000000, type:specific, userId:LAD]]></Info>
          <Info><![CDATA[Discovery request sent to URL https://lyncdiscover.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D3E0), task(000000D5F1425FF0)]]></Info>
          <Info><![CDATA[GetBestManagedCredentialByType return the cred: 0000000000000000, type:specific, userId:LAD]]></Info>
          <Info><![CDATA[Discovery request sent to URL http://lyncdiscover.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D660), task(000000D5F14258F0)]]></Info>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[Discovery task(000000D5F1425E30) sent to URL http://lyncdiscoverinternal.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com completed with hr=0x80f10045]]></Info>
          <Info><![CDATA[Discovery task(000000D5F14253B0) sent to URL https://lyncdiscoverinternal.labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com completed with hr=0x80f10045]]></Info>
          <Info><![CDATA[task(000000D5F1425FF0) is parsing autodiscovery response <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><Root><Link token="Domain" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=labs.boshgs.com" /><Link token="User" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=labs.boshgs.com" /><Link token="Self" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=labs.boshgs.com" /><Link token="OAuth" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=labs.boshgs.com" /><Link token="External/XFrame" href="https://lyncpool.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://srv-skype-01.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /><Link token="XFrame" href="https://lyncpool.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /></Root></AutodiscoverResponse>]]></Info>
          <Info><![CDATA[Discovery request sent to URL https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D160), task(000000D5F1425FF0)]]></Info>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[this request needs authentication, trying webticket from: https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc]]></Info>
          <Get-NewWebTicket>
            <Info><![CDATA[ExecuteWithMetadataInternal, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :3890889776
      MethodType:9
      ExecutionComplete? :0
      Callback@ :000000D5E4416138
      AsyncHResult:0
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
            <Info><![CDATA[Executing wws method with no auth auth, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :4051728896
      MethodType:0
      ExecutionComplete? :0
      Callback@ :000000D5E454D5F0
      AsyncHResult:0
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/mex

    .]]></Info>
            <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
            <ExecuteWithWindowsOrNoAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.1</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithWindowsOrNoAuthInternal>
            <ExecuteWithMetadataInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.2</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithMetadataInternal>
            <Info><![CDATA[Discovery request sent to URL https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com, txn (000000D5F336D3A0), task(000000D5F1425FF0)]]></Info>
            <Info><![CDATA[Executing wws method with no auth auth, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :4051728896
      MethodType:0
      ExecutionComplete? :0
      Callback@ :000000D5E454D5F0
      AsyncHResult:0
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/mex

    .]]></Info>
            <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
            <ExecuteWithWindowsOrNoAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.3</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithWindowsOrNoAuthInternal>
            <Info><![CDATA[Executing wws method with no auth auth, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :4051728896
      MethodType:0
      ExecutionComplete? :1
      Callback@ :000000D5E454D5F0
      AsyncHResult:3d0000
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/mex

    .]]></Info>
            <ExecuteWithWindowsOrNoAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.4</SequenceID>
              <hr>0x0</hr>
            </ExecuteWithWindowsOrNoAuthInternal>
            <Info><![CDATA[ExecuteWithMetadataInternal, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :3890889776
      MethodType:9
      ExecutionComplete? :0
      Callback@ :000000D5E4416138
      AsyncHResult:3d0000
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
            <Info><![CDATA[GetBestManagedCredentialByType return the cred: 000000D5D8E5A020, type:certificate, userId:LAD]]></Info>
            <Info><![CDATA[Executing Token Auth method, TokenProviderType=2, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :3890889776
      MethodType:5
      ExecutionComplete? :0
      Callback@ :000000D5E4416138
      AsyncHResult:3d0000
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/cert
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
            <Info><![CDATA[GetBestManagedCredentialByType return the cred: 000000D5D8E5A020, type:certificate, userId:LAD]]></Info>
            <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
            <ExecuteWithTokenAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.5</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithTokenAuthInternal>
            <ExecuteWithMetadataInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.6</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithMetadataInternal>
            <Info><![CDATA[Executing Token Auth method, TokenProviderType=2, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :3890889776
      MethodType:5
      ExecutionComplete? :0
      Callback@ :000000D5E4416138
      AsyncHResult:3d0000
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/cert
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
            <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
            <ExecuteWithTokenAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.7</SequenceID>
              <hr>0x3d0000</hr>
            </ExecuteWithTokenAuthInternal>
            <Info><![CDATA[Executing Token Auth method, TokenProviderType=2, asyncContext=000000D5F3C47E30,
     context: WebRequest context@ :3890889776
      MethodType:5
      ExecutionComplete? :1
      Callback@ :000000D5E4416138
      AsyncHResult:3d0000
      TargetUri:https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc/cert
      OperationName:http://tempuri.org/:IWebTicketService

    .]]></Info>
            <Info><![CDATA[Logon success state 1 reported by user id=LAD (adjusted=LAD) on CManagedCredential[CERT this=000000D5D8E5A020, PCERT_CONTEXT=000000D5E7F9C270]]]></Info>
            <ExecuteWithTokenAuthInternal>
              <ExecutionDuration>0</ExecutionDuration>
              <SequenceID>1.1.1.1.8</SequenceID>
              <hr>0x0</hr>
            </ExecuteWithTokenAuthInternal>
            <ExecutionDuration>890</ExecutionDuration>
            <SequenceID>1.1.1.1</SequenceID>
            <hr>0x0</hr>
          </Get-NewWebTicket>
          <Info><![CDATA[CLogonCredentialManager::GetProxyCredentials()Requesting credential user 0x000000D5E7CE0160 id=15 asking for credentials with ProxyChallengeDetails[authModes=0, firewallName=, realm=]]]></Info>
          <Info><![CDATA[task(000000D5F1425FF0) is parsing autodiscovery response <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><User><SipServerInternalAccess fqdn="srv-skype-01.labs.boshgs.com" port="5061" /><SipClientInternalAccess fqdn="srv-skype-01.labs.boshgs.com" port="5061" /><Link token="Internal/Autodiscover" href="https://srv-skype-01.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker" href="https://srv-skype-01.labs.boshgs.com/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://srv-skype-01.labs.boshgs.com/Scheduler/" /><Link token="Internal/CertProvisioning" href="https://srv-skype-01.labs.boshgs.com/CertProv/CertProvisioningService.svc" /><Link token="External/Autodiscover" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="External/AuthBroker" href="https://lyncpool.labs.boshgs.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://lyncpool.labs.boshgs.com/Scheduler/" /><Link token="External/CertProvisioning" href="https://lyncpool.labs.boshgs.com/CertProv/CertProvisioningService.svc" /><Link token="Internal/Mcx" href="https://lyncpool.labs.boshgs.com/Mcx/McxService.svc" /><Link token="External/Mcx" href="https://lyncpool.labs.boshgs.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://lyncpool.labs.boshgs.com/ucwa/v1/applications" /><Link token="Internal/Ucwa" href="https://srv-skype-01.labs.boshgs.com/ucwa/v1/applications" /><Link token="External/Ucwa" href="https://lyncpool.labs.boshgs.com/ucwa/v1/applications" /><Link token="External/XFrame" href="https://lyncpool.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://srv-skype-01.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /><Link token="XFrame" href="https://lyncpool.labs.boshgs.com/Autodiscover/XFrame/XFrame.html" /><Link token="Self" href="https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>]]></Info>
          <Info><![CDATA[Discovery task(000000D5F1425FF0) sent to URL https://lyncpool.labs.boshgs.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=labs.boshgs.com?sipuri=skype.test2@labs.boshgs.com completed with hr=0x0]]></Info>
          <Info><![CDATA[Discovery task(000000D5F14258F0) canceled.]]></Info>
          <Info><![CDATA[Lync autodiscovery completed with hr: 0X0 sipint: srv-skype-01.labs.boshgs.com:5061 sipext:  authint: https://srv-skype-01.labs.boshgs.com/Reach/sip.svc authext: https://lyncpool.labs.boshgs.com/Reach/sip.svc ucwaint: https://srv-skype-01.labs.boshgs.com/ucwa/v1/applications ucwaext: https://lyncpool.labs.boshgs.com/ucwa/v1/applications wts: https://lyncpool.labs.boshgs.com/WebTicket/WebTicketService.svc ucwaurl: https://lyncpool.labs.boshgs.com/ucwa/v1/applications telemetryurl:  isServiceInRefresh: 0 isTempError: 0]]></Info>
          <ExecutionDuration>2796</ExecutionDuration>
          <SequenceID>1.1.1</SequenceID>
          <hr>0x0</hr>
        </Lync-autodiscovery>
        <Info><![CDATA[
    Internal Server: srv-skype-01.labs.boshgs.com:5061
    External Server: 
    IsInternalAccessLocation: 0
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=0
       Login failed with permanent error or no auto-retrials]]></Info>
        <ExecutionDuration>56033</ExecutionDuration>
        <SequenceID>1.1</SequenceID>
        <hr>0x80ee0067</hr>
      </Login>
    </root>

    Friday, August 21, 2015 5:42 PM

Answers

  • It looks like you're getting autodiscover, and your reverse proxy settings are set up properly, but I'm curious about your edge.  What is your access edge FQDN?  I noticed externally that your sip record points at your reverse proxy and it should be pointed at your access edge.  Your _sip._tls. record also points at your reverse proxy.

    Also, what are you using for a reverse proxy in your environment?


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications

    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Eason Huang Monday, August 24, 2015 5:47 AM
    • Marked as answer by Eason Huang Monday, September 7, 2015 3:23 AM
    Friday, August 21, 2015 6:12 PM
  • Hi,

    Would you please elaborate your Lync Server environment ( especially for the Edge Server)?

    From your description above, it seems that there is something wrong with Edge Server.

    Please check how you deployed the Edge Server, from the log above, it seems that the Edge Server access service used port 5061, so i guess you deployed Edge Server using single IP and FQDN. If it is the case, please make sure you enter the correct port, DNS record and certificate SAN entries for Edge Server.

    Best Regards,

    Eason Huang 


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    • Marked as answer by Eason Huang Monday, September 7, 2015 3:23 AM
    Monday, August 24, 2015 5:56 AM

All replies

  • It looks like you're getting autodiscover, and your reverse proxy settings are set up properly, but I'm curious about your edge.  What is your access edge FQDN?  I noticed externally that your sip record points at your reverse proxy and it should be pointed at your access edge.  Your _sip._tls. record also points at your reverse proxy.

    Also, what are you using for a reverse proxy in your environment?


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications

    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Eason Huang Monday, August 24, 2015 5:47 AM
    • Marked as answer by Eason Huang Monday, September 7, 2015 3:23 AM
    Friday, August 21, 2015 6:12 PM
  • Hi,

    Would you please elaborate your Lync Server environment ( especially for the Edge Server)?

    From your description above, it seems that there is something wrong with Edge Server.

    Please check how you deployed the Edge Server, from the log above, it seems that the Edge Server access service used port 5061, so i guess you deployed Edge Server using single IP and FQDN. If it is the case, please make sure you enter the correct port, DNS record and certificate SAN entries for Edge Server.

    Best Regards,

    Eason Huang 


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    • Marked as answer by Eason Huang Monday, September 7, 2015 3:23 AM
    Monday, August 24, 2015 5:56 AM