Answered by:
Lync Control Panel will not start

Question
-
Hi, after completeing the full Lync Server installation, I tried to start up the Lync Control Panel. This presents me with the following error :
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
Any idea what is going wrong ? Thanks for your help !!!!!!!!
Answers
-
How are you attempting to connect to the control panel?
Try
https://Server.domain.com/cscp
Did you configure a simple URL for the control panel?
Is the DNS set up to point that url to the appropriate server?
Did it prompt for a login? Was the login you used a member of the CSAdministrator group?
- Proposed as answer by iTommyClarke Tuesday, September 21, 2010 5:20 PM
- Marked as answer by TOKN Tuesday, September 21, 2010 5:40 PM
All replies
-
Hi,
I just finished installing Lync server. After the ninstallation I try to start up the CP but I get this error :
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
Any idea what is going wrong here ? Many thanks for your help !!!!!!
- Merged by Ben-Shun Zhu Wednesday, September 22, 2010 6:28 AM Questions are same
-
How are you attempting to connect to the control panel?
Try
https://Server.domain.com/cscp
Did you configure a simple URL for the control panel?
Is the DNS set up to point that url to the appropriate server?
Did it prompt for a login? Was the login you used a member of the CSAdministrator group?
-
How are you attempting to connect to the control panel?
Try
https://Server.domain.com/cscp
Did you configure a simple URL for the control panel?
Is the DNS set up to point that url to the appropriate server?
Did it prompt for a login? Was the login you used a member of the CSAdministrator group?
- Proposed as answer by iTommyClarke Tuesday, September 21, 2010 5:20 PM
- Marked as answer by TOKN Tuesday, September 21, 2010 5:40 PM
-
You are a genius my friend !!!! The
https://Server.domain.com/cscp works ! And yes it asks me for a Login.
Thx (again) Mac !!!!!!!!
-
You are a genius my friend !!!!
No, but I did stay in a Holiday Inn Express last night :)To make life easier, in the Topology builder, Define an "Administrative access url" such as https://Admin or https://admin.domain.com then point a dns record for that address to your Lync server. Re-run step2 and 3 in the deployment wizard and then you'll not have to remember the long url again.
-
Duplicate thread.
Problem solved here: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/2bb584b7-ae5f-4eb0-a992-4175a3a9b5d9
- Proposed as answer by PilotManW Wednesday, June 8, 2011 11:09 AM
-
I had a similar issue and found I can access the Control Panel using IE and https://.../cscp URL, but the standard tool AdminUIHost.exe still cannot connect and gives "Navigation to the web page was cancelled". Debugger shows the tool tries to connect to admin.domain.com and server.domain.com but never uses /cscp at the end, I guess this is a cause of the issue.
Does anybody has an idea how to force the tool to use the correct suffix?
Thanks,
-Alex
-
I had a similar issue and found I can access the Control Panel using IE and https://.../cscp URL, but the standard tool AdminUIHost.exe still cannot connect and gives "Navigation to the web page was cancelled". Debugger shows the tool tries to connect to admin.domain.com and server.domain.com but never uses /cscp at the end, I guess this is a cause of the issue.
Does anybody has an idea how to force the tool to use the correct suffix?
Thanks,
-Alex
-
Sorry but again a (small ?) problem when I try to enable users in the CP, I get the following message : Active Directory Operation failed on "dc.tkdomain.be". You cannot retry this operation. Insufficient access rights to perform the operation.
The user loggon while doing this is a member of all "cs" groups ...
Any clue here ? Mac ? :-)
-
-
-
-
-
You shouldn't need this, but give it a try given that it's AD memberships and I've seen stranger.
1. Be sure the new memberhips are replicated
2. Close out your IE session (you ARE using IE AREN'T you?)
3. Log off of the machine and log back in so that new memberships are registered
4. When you log back in, run "whoami /groups" from a command promt to be sure that the membership is correct
5. Try again
Post back here
-
Mac,
1 - How can I check this (Users in the Lync Server compared to those on the DC server ?) Checked this and looks ok ...
2 - Yes .. it isn IE, closed and restarted
3 - Done
4 - These are the groups that show :
Group Name Type SID Attributes
=============================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\Domain Admins Group S-1-5-21-2672593231-2759328678-3845507176-512 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSUserAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1208 Group used for deny only
TKDOMAIN\CSVoiceAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1207 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSServerAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1212 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSLocationAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1210 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSResponseGroupAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1209 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSArchivingAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1211 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\Enterprise Admins Group S-1-5-21-2672593231-2759328678-3845507176-519 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSHelpDesk Group S-1-5-21-2672593231-2759328678-3845507176-1214 Group used for deny only
TKDOMAIN\Schema Admins Group S-1-5-21-2672593231-2759328678-3845507176-518 Mandatory group, Enabled by default, Enabled group
TKDOMAIN\CSAdministrator Group S-1-5-21-2672593231-2759328678-3845507176-1206 Group used for deny only
TKDOMAIN\Denied RODC Password Replication Group Alias S-1-5-21-2672593231-2759328678-3845507176-572 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group, Local Group5 - Done, same problem ...
-
-
-
Thank you for the reply and advise. I guess that is why I put my question in this thread.
Topology manager was configured with https://access.domain.com from the very beginning and Fiddler shows the tool is trying that URL. DNS contains A record for it. Credentials are added to tghe proper group (that is why I can access it via IE I believe)
-Alex
-
-
-
-
Resolution:
1. Added an additional IP to Lync. Disabled dynamic registration IP address in DNS and put a static A records in DNS (SRV left without changes).
2. Added an HTTP redirection feature to IIS
3. Created a new web site with alias:admin and assigned it an HTTPS listener with new IP and the same certificate as the old one.
4. Conigured redirection from this new site to https://poolname.domain.com/cscp
4. In HOSTS file add a record to avoid name resolution to IPv6.
After that redirection starts and the CP tool successfully connected to the web site.
-Alex
-
Exact same problem here.
Active Directory Operation failed on "xxxxx.xxx.com". You cannot retry this operation. Insufficient access rights to perform the operation.
The status is:
1.- Fresh install
2.- Admin user as member of CSAdministrator only (Plus other groups, but is verified as Domain admin)
3.- Reboot and restart everything
4.- Take time (30 mins) to let replications and everything to finish
Result:
Active Directory Operation failed on "xxxxx.xxx.com". You cannot retry this operation. Insufficient access rights to perform the operation.
Any ideas?
Un administrador de sistemas -
Lets narrow down that it's the control panel and not Lync itself
- Launch the Lync Powershell window.
- Attempt to enable a user :
- Enable-CSUser -Identity Domain\username -RegistrarPool LyncpoolFQDN -SipAddressType SAMAccountName -SipDomain FullDomainFQDN (Domain.com)
That SHOULD work, Either way.....
Ok, well that is odd. Let's try something different. Lets make sure that all activation steps happened as they were supposed to. (We have done some other fiddling here, and it doesn't hurt)
- Open Topology builder
- Download the Topology
- Re-publish the topology
- Log off, back in
- Try again
- Open the Lync Powershell window
- Enable-CSComputer
- Log off, back in
- Try again
- Open the Lync Powershell Winodw
- Stop-CsWindowsService -Verbose ; Start-CsWindowsService -Verbose
- Log off, back in
- Try again
NONE of this beyond steps 1-5 should be required, but it doesn't hurt to make sure everything is "just right". I've deployed Lync 100s of times and not seen the error described here (now twice). It seems to be an error thrown by the DC itself.
If there is anything unique about how you installed Lync or the configuration of your topology (like you're installed on a VM running on a MAC) Please let me know.
-
Resolution:
1. Added an additional IP to Lync. Disabled dynamic registration IP address in DNS and put a static A records in DNS (SRV left without changes).
2. Added an HTTP redirection feature to IIS
3. Created a new web site with alias:admin and assigned it an HTTPS listener with new IP and the same certificate as the old one.
4. Conigured redirection from this new site to https://poolname.domain.com/cscp
4. In HOSTS file add a record to avoid name resolution to IPv6.
After that redirection starts and the CP tool successfully connected to the web site.
-Alex
Step2 is what you were missing (Should be a Lync Prereq). Everything else should have been taken care of by the deployment wizard. -
Is the target user that you are trying to enable a member of Domain Admins group? If so you will see this permission error, more discussion here: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/c90a7df8-ac4c-4297-a5a8-aa589e1d163d
- Proposed as answer by Mac McTernen Wednesday, September 22, 2010 3:00 AM
- Proposed as answer by Juan Ramon Bonell Wednesday, September 22, 2010 3:53 PM
-
Is the target user that you are trying to enable a member of Domain Admins group? If so you will see this permission error, more discussion here: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/c90a7df8-ac4c-4297-a5a8-aa589e1d163d
Yup, That appears to be it.Learn something new every day :)
-
OK, I have just tried this. My current user is member of Domain users and CSAdministrators and the user I am trying to enable is a simple domain user. When trying to enable Lync users through the CP I still get the same error : Active Directory Operation failed on "dc.tkdomain.be". You cannot retry this operation. Insufficient access rights to perform the operation.
Tony
-
-
-
-
-
-
The user to log on to Lync Control Panel ONLY needs to be member of CSAdministrator or CSUserAdministrator
The user being operated on should NOT be a member of super admins group, such as Domain Admins or Enterprise Admins.
Note that you must ensure to run "Enable-CsAdDomain"(on any domain-joined computer) and "Enable-CsComputer"(on the FE or SE) in local PowerShell for Lync Control Panel to have correct permissions.
If all the above are met, could you please try below:
1. Open ADSI tool
2. View properties for that user you are trying to enable
3. Open advanced dialog from permissions tab
4. Verify that "Include Inheritable Permissions ..." is checked- Proposed as answer by Juan Ramon Bonell Wednesday, September 22, 2010 4:04 PM
-
-
OK, with the help of some of the posts here, I've been able to narrow down and reproduce the causes of this error in my lab. I'll try and summarize:
Causes of "Active Directory Operation failed on "<DOMAIN CONTROLLER NAME>". You cannot retry this operation. Insufficient access rights to perform the operation."
- The user to be enabled has greater rights than the user trying to do the enabling. Such as the enabled user is in the domain admins group and the control panel user is not.
- The user to be enabled is in an OU that does not have the appropriate Lync permissions inherited. Open Active Directory Users and Computers, View -> Advanced Features. Then right click on the OU, go to the security tab, and be sure that the "Include Inheritable permissions from this object's parent" is checked.
Essentially what it boils down to, is that the user doing the enabling does not have rights to modify the active directory attributes of the particular user.
Hope this helps.
-Mac
-
Mac, just reading this last post ... I am sorry if I ask a very stupid question but where do I find rhis OU ? When I open Active Directory UJsers & Computers, View - Advanced Features then I can see my domain (tkdomain.be) Is this my OU ? When I right click on it - then Security tab - I do not see the "Include Inheritable permissions from this object's parent" option ?
-
The OUs are the "sub folders" in Active Directory that contain all of your user objects. By default you will see "builtin", "Computers", "Domain Controllers", etc. You'll want to find the OU that your user is homed in.
OH and I missed a step. When looking at the security tab, you'll click the Advanced button to see the inherited permissions checkbox
To figure out what OU the user you are trying to enable is in. Right click on your domain, click find, type in the user name you are looking for and click find now.
Click the Object tab, the Canonical (say that 3 times fast) name of the object is a representation of where the user is in active directory.
<domain name>/<OU>/<User>
-
-
-
-
Ok, another guy asked about that issue in another unrelated thread and I asked him to start a new topic. Seems like there'll be a few of these. Can you start a new thread with the question "Lync cannot sign in because the server is temporarally unavailable" ?
Try and keep the topics easy to search for the others that will come along
-
I'm having the same issue
I cannot access it through https://server fqdn/cscp
What step creates this site? it doesn't appear in iis?
-
I had an issue where https://fqdn/cscp was not working but i could access with the simple URL i created (http://cp.domainname/cscp)... the only problem was the AdminUI.exe was getting the "Navigation to web page has been cancelled" becuase it was still trying to use that dead link just like Alenat was getting above. I found a config file in Profgrams Files\Lync 2010\Web Components\Internal Website named "web", found that the dead link was still in there and no mention of the simple url so i updated and saved (restarted IIS just to be safe) and the AdminUI worked first try.
-
-
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
<fieldset><legend>Detailed Error Information</legend>Do you have any idea???Module WindowsAuthenticationModule Notification AuthenticateRequest Handler StaticFile Error Code 0x8009030e Requested URL https://srvgtocs01.grupocatel.local:443/Cscp Physical Path C:\Program Files\Microsoft Lync Server 2010\Web Components\AdminUI Logon Method Not yet determined Logon User Not yet determined -
I had an issue where https://fqdn/cscp was not working but i could access with the simple URL i created (http://cp.domainname/cscp )... the only problem was the AdminUI.exe was getting the "Navigation to web page has been cancelled" becuase it was still trying to use that dead link just like Alenat was getting above. I found a config file in Profgrams Files\Lync 2010\Web Components\Internal Website named "web", found that the dead link was still in there and no mention of the simple url so i updated and saved (restarted IIS just to be safe) and the AdminUI worked first try.
Bumping this thread because I am having the same issue except I can access it from https://fqdn/cscp but not using the admin simple url that I configured. DNS record is in place.
I tried what was quoted above because there was no mention of control panel (CSCP) in my web.config file, i then restarted IIS. That broke my https://fqdn/cscp too.
I also tried adding HTTP Redirect to IIS.What else can I try?
-
-
I've defined an "Administrative access url" as:
https://admin.pstocs.com
(or should it be https://admin.pstocs.com/cscp ??)
How do I point a dns record for admin.pstocs.com to my Lync server? Can't I just change the hosts file on the PC that will be doing the Lync Server Control Panel?
It wouldn't let me user ocshost1.pstocs.com/cscp, is that because the ocshost1.pstocs.com is the exact name of the Lync Server? (which it is)
Thanks,
Scott
-
If you are getting:
Navigation to the webpage was canceled
when you attempt to start the Lync Control Panel locally, but you can connect to the control panel using the FQDN/cscp, then take a look at the Lync internal site web.config.
Diocletion made reference to it above.
Profgrams Files\Lync 2010\Web Components\Internal Website\
In the web.config file do a search for the simple admin url you entered in the topo wizard.
Look at the FQDN of the redirect. In my case, I had changed the internal pool fqdn for dns load balacing but did not have it's dns record entered in my dns.
- Proposed as answer by ASHRAFUL HODA Sunday, March 25, 2012 1:43 PM
-
Same problem here.
Simply URLs configured in Topology Builder
Published in the DNS
Get-CsSimpleUrlConfiguration shows the correct configurationYet the simple URLs don't work, instead returning a 403 (https://servername.domain/cscp works).
It seems the deployment wizard fails at configuring the IIS automatically. I could probably go in and configure IIS manually, but that's a bit of a hassle and if the wizard keeps failing to configure it properly, a change in the topology would require more manual labor.
So how to make the Deployment Wizard do what it is supposed to do in the first place?
-
-
Same problem here.
Simply URLs configured in Topology Builder
Published in the DNS
Get-CsSimpleUrlConfiguration shows the correct configurationYet the simple URLs don't work, instead returning a 403 (https://servername.domain/cscp works).
It seems the deployment wizard fails at configuring the IIS automatically. I could probably go in and configure IIS manually, but that's a bit of a hassle and if the wizard keeps failing to configure it properly, a change in the topology would require more manual labor.
So how to make the Deployment Wizard do what it is supposed to do in the first place?
I have the same problem as Jimmi, I'm running Front End on Server 2008 R2, I reinstalled URL Rewrite Module 2.0 but the issue remains, also I have the same 403 - Forbidden: Access is denied error on sites like:I don't try this solution yet:
http://sysisundefined.blogspot.com/2009/12/http-error-4011-unauthorized-access-is.html
Do you recommend it?
Edilberto Martinez- Edited by Edil Martínez Wednesday, June 8, 2011 4:11 PM add info
-
Hi all,
It looks like there are a number of different possible causes for this issue ("Navigation to the Web page was cancelled" when opening Lync Control Panel). For me, adding a HOSTS file entry on my Lync Std Edition server for the FQDN of the local server fixed the problem.
Thanks to Alenat above for stating:
4. In HOSTS file add a record to avoid name resolution to IPv6.
... which made me try this.
Interestingly, before adding the HOSTS file entry, if I opened NSLOOKUP and ran queries for:
<local server name>
and
<FQDN of local server>
... they both returned the correct IPv4 address. But it seems that IPv6 was taking precedence. Disabling IPv6 would probably also have fixed this for me. However, the Lync setup guide does not instruct us to do that. I also have 2 x Ent Edition front-end servers in my environment and they did not exhibit this issue so I never disabled IPv6 on them or had any need to add a HOSTS file entry.
Before I fixed this issue, I also found that of all the synthetic tests you can run on a Lync server, only one would fail:
Test-CsGroupExpansion –GroupEmailAddress <address> -TargetFQDN <server FQDN>
This complained there was no response from the Web Ticket service. After adding the local HOSTS file entry, this issue was also fixed.
Cheers,
Garry
- Proposed as answer by Mike Mackie Sunday, September 25, 2011 11:40 AM
-
-
-
The following worked for me when I had "Navigation to the webpage was cancelled" in CSCP:
1. "Start" "Administrative Tools" "Internet Information Services (IIS) Manager"
2. Expand the node containing your Lync server in the tree on the left
3. Click on "Sites" below your server name in the tree.
4. In the middle panel, right click on "Lync Server External Website" and select "Binding"
5. Select the https line and click "Edit"
6. Make sure the right certificate is assigned (in my case no certificate was assigned)
7. In the middle panel, right click on "Lync Server Internal Website" and select "Binding"
8. Repeat the steps 5. and 6. for the internal website.
Other things I did previously but have no idea if they were useful: (that was to fix
Error 404 when trying to access cscp):
from the ISO image of Lync installation DVD: removed and reinstalled some Lync components:
webcomponents, mgmtserver, admintools. However, use this with caution: it is purely empirical and
was done on a SE lab server. -
How are you attempting to connect to the control panel?
Try
https://Server.domain.com/cscp
Did you configure a simple URL for the control panel?
Is the DNS set up to point that url to the appropriate server?
Did it prompt for a login? Was the login you used a member of the CSAdministrator group?
Mac---it's Fantastic. it's worked for me. I was strugelling for 2 days. now I've got the solution. thank you very much.
/YellowSnake
-
Thanks Dear
it worked for me , i flowed these steps
Profgrams Files\Lync 2010\Web Components\Internal Website\In the web.config file do a search for the simple admin url you entered in the topo wizard.
and created two DNS record , which was missing in DNS , meet.XXXXX,COM and POOL01.XXXXXX.COM and it worked