Lync 2010 server, external user's Address Book does not synchronize


  • Hi,

    I have a problem with Address book only with external users. In more detail:

    Internal users, or users connected from CWA, can work with the address book fine. When a domain user tries to connect from the internet as an external user, I cannot download the address book. I deleted the galcontacts files but it doesn't synchronize to get them back. I Ctrl+right-clicked the Lync icon and selected "Configuration information" and it shows the attached picture's contents.

    The TMG rule accepts the 443 requests from the internet and sends it to 4443 in front end.

    I tried the reg add command to force the update but that didn't do the job either. What if a Lync remote user tries to sign in, through a non domain computer, what should be the behavior regarding ABS?

    No errors on Lync client or FE. All the other tests are successful IM, A/V, sharing etc.

    What also troubles me is that that is mentioned, is just another sip domain that ocs 2007 r2 used to exist. We still haven't decommissioned the old servers but we have stopped the services though.

    Any ideas?

    Thanks in advance,


    February 13, 2012 12:47

All replies

  • Can you access from external? This will show you a webpage if your reverse proxy is working successfully. If not, go back and double check your reverse proxy configuration as this will cause the "Cannot synchronise address book" error.

    Justin Morris | Consultant | Modality Systems
    Lync Blog -
    Twitter: @jm_deluxe
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    February 13, 2012 14:16
  • It opens a page that has a url to test with svcutil.exe and some code in C# and Visual Basic.

    Is this the correct behavior?


    February 13, 2012 14:33
  • Hi,

    Could you try to browse & <one of Address book files> from external with Lync user credentials? A file-download dialog should normally appear. If an error message appears, it should help you troubleshoot the problem.

    You can confirm address book files under "\\<Share Folder>\1-WebServices-1\ABFiles\00000000-0000-0000-0000-000000000000\00000000-0000-0000-0000-000000000000" in your Lync Server infrastructure. A URL example in my lab environment is the following.



    February 13, 2012 15:21
  • Yep, that sounds like the correct behaviour; looks like your RP is set up OK.

    Can you confirm that this is affecting all externally connected users?

    Justin Morris | Consultant | Modality Systems
    Lync Blog -
    Twitter: @jm_deluxe
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    February 13, 2012 22:56
  • Yutaka: I tried to open the file you mention and it worked. It asked me the program that I want to open the file with. I guess that this shows that everything is working just fine.

    Justin: From what I have seen, it affects all external users and as a result, address book cannot be updated if the files exist and the files cannot be downloaded if they have been erased.

    Any other ideas of what could be wrong? I have run out of mine...


    February 13, 2012 23:35
  • Hi, would you run the cmdlet Test-CsAddressBookService with -external switch and see what error it indicates?
    February 15, 2012 2:54
  • Hi all,

    Did you publish the whole tree of IIS? For address book sync they need to use the reverse proxy.


    February 16, 2012 17:05
  • Hi Argiris,

    Any update?

    Here’re some tips for you.

    • Make sure you’ve created an external DNS A record for the web services URL.
    • Please confirm such URL is in external web services certificate list.
    • Go to Internet Options – Advanced, unselect the "Check for publisher's certificate revocation" and "Check for server certificate revocation".
    • It may also be due to incorrect configuration of Authentication Delegation in the TMG publishing rule. You should configure Authentication Delegation as "No delegation, but client may authenticate directly".

    Hope the above helps.

    Noya Lau

    TechNet Community Support

    February 20, 2012 9:08
  • Hi all and sorry for the delay,

    This is the command:

    Test-CsAddressBookService -targetfqdn -UserSipAddress "" –External

    (the command was run from the Front End server)


    PS C:\Users\lyncinst> Test-CsAddressBookService -targetfqdn -UserSipAddress "" -External
            Connecting to web service :
            Using Machine certificate authentication
            Successfully created connection proxy and website bindings
            Requesting new web ticket
            Sending Web-Ticket Request: <s:Envelope xmlns:a="" xmlns:s="">
        <a:Action s:mustUnderstand="1"></a:Action>
        <RequestSecurityToken xmlns="">
          <AppliesTo xmlns="">
            ERROR communicating with GetWebTicket() service
    System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at
    that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.N
    et.WebException: The remote server returned an error: (502) Bad Gateway.
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.Net.HttpWebRequest.GetRequestStream()
       at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
       at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpa
    n timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message request)
       at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()

    TargetUri  :
    TargetFqdn :
    Result     : Failure
    Latency    : 00:00:00
    Error      : ERROR - No response received for Web-Ticket service.
                 Inner Exception:There was no endpoint listening at that could accept
                  the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
                 Inner Exception:The remote server returned an error: (502) Bad Gateway.

    Diagnosis  :

    February 21, 2012 9:32
  • At this point, I also have to tell you that due to a mistake, three public certificates were created for meet, dialin and webcomp, so three TMG publishing rules were created.

    Could that cause any problems?

    February 21, 2012 9:35
  • Hi,

    Would you please check the event logs and Front End IIS logs to see if there are errors?



    February 24, 2012 1:46
  • Hello everyone,

    So, Liza, there are no IIS errors in event logs.

    Noya, I am 100% sure that the 2nd and 4th are correct. I'll check the 3rd you mention and I'll ask about the first one, since I have given all the DNS prerequisites that need to be created but I am not sure whether they have created it.

    I'll let you know as soon as I find out.


    • Edited by ArgiDio February 24, 2012 7:42
    February 24, 2012 7:42
  • So, Noya...

    The third you mention was ok and although the DNS records were not created, even though now they are, nothing has changed... A Microsoft case has been submitted.

    March 2, 2012 12:41
  • Hi,

    I am also facing the same problem: I am unable to access my meet URL, Address book or any other Virtual directory from the internet. I am unable to browse my External Virtual Directories on the Front End Server. I am using my local CA certificate. Thanks in advance. Please suggest.

    March 2, 2012 17:17
  • Hi,

    I found a TechNet article; here it is saying "Select the HTTPS entry, click Edit, and then verify that Lync Server WebServicesExternalCertificate is bound to this protocol". Can you please explain which certificate this is? Thanks
    March 3, 2012 1:06
  • Well Handa, the Engineer from Microsoft's case pointed me to the same URL. From what I understand there are these two sites,

    - The WebServicesInternal certificate is used to secure communication for internal clients to the web services. This certificate contains the internal web services FQDN defined in the topology for the pool. This certificate is bound to the internal web services’ website in IIS.
    - The WebServicesExternal certificate is used to secure communication for external clients to the web services. This certificate contains the external web services FQDN defined in the topology for the pool. This certificate is bound to the external web services’ website in IIS.

    I will try this and let you know if this is the solution.

    Thanks in advance,

    • Edited by ArgiDio March 13, 2012 14:58
    March 13, 2012 14:52
  • I don't know whether this is the correct solution, since no one else answered, but I tried this on our own Lync server and it did work.
    I will try it now at a customer and see if this will correct their problem, since they had the same case.
    March 14, 2012 10:24
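
The certificate checks discussed in the last posts (external FQDN present on the WebServicesExternal certificate, and that certificate bound to the external web site), as an added example that is not part of the original thread. It assumes the Lync Server Management Shell on the Front End server, English-language `netsh` output, and the external web services port 4443 named in the first post.

```powershell
# Added example, not from the thread. Run on the Front End server.
Import-Module Lync -ErrorAction SilentlyContinue

$externalPort = 4443   # external web site port, taken from the first post

# Certificate that Lync has assigned to the external web services.
$assigned = @(Get-CsCertificate -Type WebServicesExternal)[0]
if (-not $assigned) { throw "No WebServicesExternal certificate is assigned." }

# External web services FQDN(s) defined in the topology.
$externalFqdns = Get-CsService -WebServer |
    Where-Object { $_.ExternalFqdn } |
    ForEach-Object { $_.ExternalFqdn.ToLower() }

# 1. Each external FQDN must appear as the subject CN or as a SAN entry
#    (a wildcard entry for the parent domain also counts).
$names = @($assigned.AlternativeNames) +
         ($assigned.Subject -replace '^CN=([^,]+).*$', '$1')
$names = $names | Where-Object { $_ } | ForEach-Object { $_.ToLower() }
foreach ($fqdn in $externalFqdns) {
    $wildcard = '*.' + ($fqdn -split '\.', 2)[1]
    $covered  = ($names -contains $fqdn) -or ($names -contains $wildcard)
    "{0,-45} covered by certificate: {1}" -f $fqdn, $covered
}

# 2. The HTTP.sys SSL binding on the external port must use that same
#    certificate. netsh prints one "IP:port" line per binding, followed by
#    its "Certificate Hash" line.
$endpoint    = $null
$boundHashes = @()
foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'IP:port\s*:\s*(\S+)') {
        $endpoint = $Matches[1]
    }
    elseif ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' -and
            $endpoint -like "*:$externalPort") {
        $boundHashes += $Matches[1].ToUpper()
    }
}

if (-not $boundHashes) { "No SSL binding found on port $externalPort." }
foreach ($hash in $boundHashes) {
    $same = $hash -eq $assigned.Thumbprint.ToUpper()
    "Port {0}: bound hash {1} matches assigned certificate: {2}" -f $externalPort, $hash, $same
}
```

A `False` on either check corresponds to the situations raised in the thread: a certificate that does not list the external web services FQDN, or an external web site bound to a different certificate than the one Lync has assigned.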