Communicator User can not log in

  • Question

  • Hi,  I have a single user who is unable to log into Communicator from any machine in the office.  He is receiving the error message, "Cannot sign in to Communicator.  You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program.  If your sign-in information is correct and the problem persists, please contact your system administrator."

    He is using Communicator 2007 R2 v. 3.5.6907.83. We have validated that he is using the correct SIP URI, logon and password.  The User account is enabled for OCS and is pointing to the correct pool.  Other users can log in to their Communicator accounts from his machine with no problems. 

    We are using OCS 2007 R2.  The server authentication protocol is set to "Both NTLM and Kerberos"

    When we run the Logging Tool on the Front End (we edited his Registry to point to the pool versus the Director) we see:  Start-Line:  SIP/2.0 401 Unauthorized

    We have taken the following steps with no change in results:

    1. Deleted his OCS account and let it replicate for 72 hours before re-enabling his account for OCS.

    2. Changed his Sign-in name from his email address to the <first>.<last>@domain as well as to the <sAMAccountName>@domain

    We are looking for suggestions on what else we can do to troubleshoot this account.  Again...he is the only one experiencing this problem.

    Friday, December 17, 2010 1:40 PM

Answers

  • Problem was resolved.  The issue was the Kerberos token size.  The user was a member of over 290 groups which exceeded the MaxTokenSize value.  Once the user reduced the number of groups he was able to log in to Communicator.

    Thank you for all your suggestions and assistance.


    Glenn
    • Marked as answer by gpaulino Tuesday, February 1, 2011 3:32 PM
    • Unmarked as answer by gpaulino Wednesday, February 2, 2011 2:07 PM
    • Marked as answer by gpaulino Wednesday, February 2, 2011 2:08 PM
    Tuesday, February 1, 2011 3:32 PM
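
    The answer above puts the cause at the Kerberos MaxTokenSize limit. As an added example (not from the thread), this Python code applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s, to an export of a user's group memberships. The CSV layout, the corp.example domain, the 275/16 split of group scopes and the 12000-byte default are assumptions; the thread states only "over 290 groups".

```python
import csv
import io

# Microsoft's published estimate: TokenSize = 1200 + 40d + 8s
#   d = domain local groups + universal groups outside the account domain + sidHistory SIDs
#   s = global groups + universal groups inside the account domain
# Nested (transitive) memberships count too, so export the expanded list.
OVERHEAD, COST_D, COST_S = 1200, 40, 8
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumed default for the pre-2012 Windows versions in the thread


def load_groups(csv_text):
    """Parse a name,scope,domain export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(groups, account_domain, sid_history=0):
    """Return (d, s): how many SIDs cost 40 bytes and how many cost 8."""
    d, s = sid_history, 0
    for g in groups:
        scope = g["scope"].strip().lower()
        same_domain = g["domain"].strip().lower() == account_domain.lower()
        if scope == "global" or (scope == "universal" and same_domain):
            s += 1
        elif scope in ("domainlocal", "universal"):
            d += 1
        else:
            raise ValueError(f"unknown scope {g['scope']!r} for {g['name']}")
    return d, s


def estimate_token_size(d, s):
    return OVERHEAD + COST_D * d + COST_S * s


def expensive_groups_to_remove(d, s, limit=DEFAULT_MAX_TOKEN_SIZE):
    """Fewest 40-byte memberships to drop so the estimate fits within limit."""
    excess = estimate_token_size(d, s) - limit
    return 0 if excess <= 0 else min(d, -(-excess // COST_D))  # ceiling division


def build_sample_csv():
    """Constructed data: 291 groups, mostly domain local (hypothetical names)."""
    rows = ["name,scope,domain"]
    rows += [f"DL-Share-{i:03d},DomainLocal,corp.example" for i in range(275)]
    rows += [f"G-Team-{i:02d},Global,corp.example" for i in range(16)]
    return "\n".join(rows)


if __name__ == "__main__":
    d, s = classify(load_groups(build_sample_csv()), "corp.example")
    print(d, s, estimate_token_size(d, s), expensive_groups_to_remove(d, s))
```

    The same 290 memberships held only as global groups would come to 3520 bytes, so the scope of the groups matters as much as their number.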

All replies

  • Is there any difference in client OS? For example, is that user running Windows XP while all other users are running Windows 7?

    What OS is used on the server? Did you use Windows 2008 R2? If yes, please check this article.

     


    Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be
    Saturday, December 18, 2010 12:39 PM
  • He is using Vista as does a majority of other users.  He has also tried logging in on a WIN7 machine with no difference.   WIN03 on the servers.

     


    Glenn
    Saturday, December 18, 2010 10:58 PM
  • The OCS server was hardened with permissions.
    OCS-R2 Server --> CMD --> GPedit.msc --> Local security policy --> Local Policies --> User Rights Assignment --> Access this computer from the Network: check the Properties and add "Everyone" to the list, then have a try?
    Monday, December 20, 2010 9:10 AM
  • Thank you for your suggestion.  I double checked the policy "User Rights Assignment" and it was set to "Everyone"

    Thanks


    Glenn
    Monday, December 20, 2010 10:52 AM
  • New information on the problem-

    This morning during discussions with the local account administrator I was informed that there were problems with that particular User account (not being able to connect to mailbox etc.).  The administrator told me he "copied" the account, named the account "<user first name.user last name.temp>", deleted the old account and then renamed the "copied" account "<user first name.user last name>", which is the organizational naming standard.   The user was able to connect to his mailbox; however, he began having problems with Office Communicator.

    I am researching now to see how this may factor into the problem.  Does anyone have any thoughts regarding this? 

    Thank you


    Glenn
    Monday, December 20, 2010 11:14 AM
  • Even though the copied account may have the same login name and properties, the two accounts are, from an Active Directory perspective, two different accounts. At the time the administrator copied the account, a new account was created with the same properties as the original account, but with a different internal ID.

    He then removed the old account, which was enabled for OCS 2007 R2, from AD. The new account is not enabled for OCS and therefore cannot log in to Communicator. You should enable it for OCS and configure it as needed.

    Please report back


    Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be
    Monday, December 20, 2010 1:27 PM
  • Thank you for your response.

    The user account was enabled for Communicator by the local administrator but the user was (still) unable to login. 

    From the initial post

    "  When we run the Logging Tool on the Front End (we edited his Registry to point to the pool versus the Director) we see:  Start-Line:  SIP/2.0 401 Unauthorized. 

    We have taken the following steps with no change in results:

    1. Deleted his OCS account and let it replicate for 72 hours before re-enabling his account for OCS.

    2. Changed his Sign-in name from his email address to the <first>.<last>@domain as well as to the <sAMAccountName>@domain

    We are looking for suggestions on what else we can do to troubleshoot this account.  Again...he is the only one experiencing this problem."


    Glenn
    Monday, December 20, 2010 2:35 PM
  • The reason you are seeing this is that the user in the OCS database is still associated with the old GUID for the user. When you disable a user in OCS, it does not remove it from the database; it just marks it as disabled. When you re-enable the user, it uses the same record in the OCS database. This causes a problem, as the GUID for the signed-in user does not match the GUID in the OCS database, so the user is not able to log in. To remove the user record from the OCS database completely, do the following on the BE server (or the Standard Edition server):


    1. Disable the user for OCS.
    2. Delete the user from SQL using the following command:
    OSQL -S (local)\SQL-INSTANCE -d rtc -E -Q "exec RtcDeleteResource N'user@domain.com'"
    *** where 'user@domain.com' is the SIP URI of the problem user.
    *** Quotes in the command are required.
    *** The SQL instance name needs to be in NetBIOS\ format and will replace (local)\SQL-INSTANCE
    *** If Standard Edition, the SQL instance name will be (local)\rtc
    3. Enable the user for OCS.

     

    thanks

    • Proposed as answer by Ben-Shun Zhu Friday, December 31, 2010 3:22 AM
    • Marked as answer by Gavin-ZhangModerator Monday, January 10, 2011 3:35 AM
    • Unmarked as answer by gpaulino Wednesday, February 2, 2011 2:07 PM
    Friday, December 31, 2010 12:02 AM
  • Good Morning,

    I apologize for the delay in responding.

    I ran the command as described above and verified that the account data was removed from the database. I enabled the User account and verified that the account is in the database.  The User then tried to log in to Communicator. 

    He received the same error message,  "Cannot sign in to Communicator.  You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program.  If your sign-in information is correct and the problem persists, please contact your system administrator."

    He is the only User experiencing this problem.

    Thanks,

    Monday, January 10, 2011 8:10 AM