none
Авторизация мобильного клиента на SfB 2019 RRS feed

  • Вопрос

  • Добрый день!

    Развёрнут SfB:

    1. FE - Edge - RevProxy

    2. Опубликованы все SRV записи и Internal - External URI (sr-sfb-main01.* - sfb.*)

    3. Connectivity Test  - зелёный

    4. Дэсктопный клиент авторизуется как изнутри , так и снаружи без проблем.

    5. PS C:\Windows\system32> Get-CsAuthConfig

    Pool                     Scenario
    ----                     --------
    Global BlockWindowsAuthExternally

    Но при подключении Android(IOS)  клиента наблюдаем (учётная запись- user@domain, в advanced - domain\user):

    401 - Unauthorized: Access is denied due to invalid credentials.

    Выхлоп с РевПрокси:

    XX.XX.XX.XX - - [07/Jun/2019:14:19:44 +0300] "POST /WebTicket/WebTicketService.svc HTTP/1.1" 401 1293 "-" "%D0%91%D0%B8%D0%B7%D0%BD%D0%B5%D1%81/6.25.3.0004 CFNetwork/978.0.7 Darwin/18.6.0" 0.018

    "Headers: host: sr-sfb-main01.km-union.ru\x0
    Aauthorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADcANwAWAAAAAAAAAAAAAAALAAsADQBAAAWABYAYAEAAAAAAAAAAAAABYIIAKOv/+WsrI8vpeiTSlmSwcYDPlRChlTC5soKSpiJTOt+XnT+SR7cMu4BAQAAAAAAAADvlOgiHdUBAz5UQoZUwuYA
    AAAAAgAQAEsATQAtAFUATgBJAE8ATgABABoAUwBSAC0AUwBGAEIALQBNAEEASQBOADAAMQAEABYAawBtAC0AdQBuAGkAbwBuAC4AcgB1AAMAMgBzAHIALQBzAGYAYgAtAG0AYQBpAG4AMAAxAC4AawBtAC0AdQBuAGkAbwBuAC4AcgB1AAUAFgBrAG0ALQB1AG4AaQBvAG4ALgByAHUABwAIAC0AjOgiHdUBAAAAAAAAA
    ABiAHUAbgB5AGEAZQB2AF8AYQB2AEAAawBtAC0AdQBuAGkAbwBuAC4AcgB1AFcATwBSAEsAUwBUAEEAVABJAE8ATgA=\x0
    Acontent-type: text/xml; charset=utf-8\x0Aconnection: keep-alive\x0
    Aaccept: text/xml, application/soap+xml, application/octet-stream\x0
    Acontent-length: 1200\x0
    Auser-agent: %D0%91%D0%B8%D0%B7%D0%BD%D0%B5%D1%81/6.25.3.0004 CFNetwork/978.0.7 Darwin/18.6.0\x0
    Asoapaction: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue\x0A"
    "
    <soap:Envelope xmlns:soap=\x22http://schemas.xmlsoap.org/soap/envelope/\x22>
    <soap:Body>
    <RequestSecurityToken xmlns=\x22http://docs.oasis-open.org/ws-sx/ws-trust/200512\x22 Context=\x22bdbbae2b-240b-4194-8bbe-b4a06e1f59b1\x22>
    <TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType>
    <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
    <AppliesTo xmlns=\x22http://schemas.xmlsoap.org/ws/2004/09/policy\x22>
    <EndpointReference xmlns=\x22http://www.w3.org/2005/08/addressing\x22>
    <Address>https://sr-sfb-main01.km-union.ru/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=km-union.ru</Address>
    </EndpointReference>
    </AppliesTo>
    <Claims Dialect=\x22urn:component:Microsoft.Rtc.WebAuthentication.2010:authclaims\x22>
    <auth:ClaimType Uri=\x22http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri\x22 Optional=\x22false\x22 xmlns:auth=\x22http://schemas.xmlsoap.org/ws/2006/12/authorization\x22>
    <auth:Value>sip:test_user@km-union.ru</auth:Value>
    </auth:ClaimType>
    </Claims>
    <Entropy>
    <BinarySecret>7Sq44gf3eZU+zgQvxtncRET3LzjfNV4VSIPq0pa4OiE=</BinarySecret>
    </Entropy>
    <KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>
    </RequestSecurityToken>
    </soap:Body>
    </soap:Envelope>">"
    <!DOCTYPE html PUBLIC \x22-//W3C//DTD XHTML 1.0 Strict//EN\x22 \x22http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\x22>\x0D\x0A<html xmlns=\x22http://www.w3.org/1999/xhtml\x22>\x0D\x0A<head>\x0D\x0A<meta http-equiv=\x22Content-Type\x
    22 content=\x22text/html; charset=iso-8859-1\x22/>\x0D\x0A<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>\x0D\x0A<style type=\x22text/css\x22>\x0D\x0A<!--\x0D\x0Abody{margin:0;font-size:.7em;font-family:Ve
    rdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\x0D\x0Afieldset{padding:0 15px 10px 15px;} \x0D\x0Ah1{font-size:2.4em;margin:0;color:#FFF;}\x0D\x0Ah2{font-size:1.7em;margin:0;color:#CC0000;} \x0D\x0Ah3{font-size:1.2em;margin:10p
    x 0 0 0;color:#000000;} \x0D\x0A#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\x22trebuchet MS\x22, Verdana, sans-serif;color:#FFF;\x0D\x0Abackground-color:#555555;}\x0D\x0A#content{margin:0 0 0 2%;;
    }\x0D\x0A.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}\x0D\x0A-->\x0D\x0A</style>\x0D\x0A</head>\x0D\x0A<body>\x0D\x0A<div id=\x22header\x22><h1>Server Error</h1></div>\x0D\x0A<div "

    Благодарен за помощь!

    7 июня 2019 г. 14:31

Ответы

  • Проблема оказалась на стороне revproxy (nginx) , так и не смогли пробросить ntlm авторизацию на FE: диагностика связности показала - сессия TLS v1.2 клиентом и сервером устанавливается, заголовки и данные пересылаются, но почему-то авторизация не проходит (хотя десктоп-клиент через данный revproxy работает). Есть подозрения на keep-alive cсоединения и(или) буффер...

    Решили проблему с помощью haproxy - прозрачный tcp проброс 443 порта на 4443 FE.

    Теперь все работает, спасибо!

    28 июня 2019 г. 13:29

Все ответы

  • День добрый.

    1. Покажите лог с мобильного клиента Android и iOS для этой учетной записи.

    2. Покажите лог ошибки.

    Troubleshooting Skype for Business Client sign in issues

    3. Покажите что у вас стоит в авторизации на FE

     IIS Manager - Skype Server External Web Services and find WebTicket.  Double click on Authentication. Maybe Windows Authentication was disabled.

    Skype for Business External Authentication

    SFB online Client Sign in and Authentication Deep Dive ;Part 1

    Lync Mobile iOS Client Authentication Issues

    Пока вы не представили ничего для определения ошибки авторизации. 


    MCITP, MCSE. Regards, Oleg

    7 июня 2019 г. 14:53
    Модератор
  • Здравствуйте!

    >3.Покажите что у вас стоит в авторизации на FE

    WebTicket (Internal-External )

    Выяснилось что был неверно настроен рев-прокси(External-IP: 443 <-> 443 FE, вместо 4443 FE) и SRV запись (sip.tls 443 -> 5061).

    Но теперь другие ошибки:

    1. Sfb remote connectivity test:

    Порт 5061 открыт, сертификат получен, валиден.

    Testing remote connectivity for user test@km-union.ru to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Tell me more about this issue and how to resolve it

    Additional Details

    Couldn't sign in. Error: Error Message: No common authentication method detected..
    Error Type: AuthenticationException.
    Error Code: 0.
    Realm: SIP Communications Service.
    Response Code: 401.
    Response Text: Unauthorized.
    .
    Elapsed Time: 976 ms.

    2.  Теперь мобильный клиент использует не NTLM как выше, а OAuth, но при этом выдаёт другую ошибку :

    Лог REV-Proxy

    176.59.67.50 - - [14/Jun/2019:16:46:51 +0300] "POST /WebTicket/WebTicketService.svc/mex HTTP/1.1" 200 15993 "-" "AndroidLync" 0.007

    "Headers: host: sfb.km-union.ru\x0Aaccept-encoding: gzip\x0Acontent-type: application/soap+xml; charset=utf-8\x0Aconnection: Keep-Alive\x0Aaccept: text/xml, application/soap+xml, application/octet-stream\x0Acontent-length: 482\x0Ax-user-identity: skidan_ts@km-union.ru\x0Auser-agent: AndroidLync\x0A"
    "<soap12:Envelope xmlns:soap12=\x22http://www.w3.org/2003/05/soap-envelope\x22 xmlns:wsa=\x22http://www.w3.org/2005/08/addressing\x22><soap12:Header><wsa:Action soap12:mustUnderstand=\x221\x22>http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action><wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo><wsa:To soap12:mustUnderstand=\x221\x22>https://sfb.km-union.ru/WebTicket/WebTicketService.svc</wsa:To></soap12:Header><soap12:Body/></soap12:Envelope>"
    >"<s:Envelope xmlns:s=\x22http://www.w3.org/2003/05/soap-envelope\x22 xmlns:a=\x22http://www.w3.org/2005/08/addressing\x22><s:Header><a:Action s:mustUnderstand=\x221\x22>http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action></s:Header><s:Body><Metadata xmlns=\x22http://schemas.xmlsoap.org/ws/2004/09/mex\x22 xmlns:wsx=\x22http://schemas.xmlsoap.org/ws/2004/09/mex\x22><wsx:MetadataSection Dialect=\x22http://schemas.xmlsoap.org/wsdl/\x22 Identifier=\x22http://tempuri.org/\x22 xmlns=\x22\x22><wsdl:definitions name=\x22WebTicketService\x22 targetNamespace=\x22http://tempuri.org/\x22 xmlns:wsdl=\x22http://schemas.xmlsoap.org/wsdl/\x22 xmlns:wsu=\x22http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\x22 xmlns:wsp=\x22http://schemas.xmlsoap.org/ws/2004/09/policy\x22 xmlns:wsap=\x22http://schemas.xmlsoap.org/ws/2004/08/addressing/policy\x22 xmlns:msc=\x22http://schemas.microsoft.com/ws/2005/12/wsdl/contract\x22 xmlns:soap12=\x22http://schemas.xmlsoap.org/wsdl/soap12/\x22 xmlns:wsa=\x22http://schemas.xmlsoap.org/ws/2004/08/addressing\x22 xmlns:wsam=\x22h<sp:HttpsToken RequireClientCertificate=\x22false\x22/></wsp:Policy></sp:TransportToken><sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite><sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout></wsp:Policy></sp:TransportBinding><sp:SignedSupportingTokens xmlns:sp=\x22http://schemas.xmlsoap.org/ws/2005/07/securitypolicy\x22><wsp:Policy><sp:UsernameToken sp:IncludeToken=\x22http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient\x22><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SignedSupportingTokens><sp:Wss10 xmlns:sp=\x22http://schemas.xmlsoap.org/ws/2005/07/securitypolicy\x22><wsp:Policy/></sp:Wss10></wsp:All></wsp:ExactlyOne></wsp:Policy><wsp:Policy wsu:Id=\x22WebTicketServiceCert_policy\x22><wsp:ExactlyOne><wsp:All><af:Binding xmlns:af=\x22urn:component:Microsoft.Rtc.WebAuthentication.2010\x22/><sp:TransportBinding xmlns:sp=\x22http://schemas.xmlsoap.org/ws/2005/07/securitypolicy\x22><wsp:Policy><sp:TransportToken><wsp:Policy><\x22literal\x22/></wsdl:input><wsdl:output><soap:body use=\x22literal\x22/></wsdl:output><wsdl:fault name=\x22OCSDiagnosticsFaultFault\x22><soap:fault name=\x22OCSDiagnosticsFaultFault\x22 use=\x22literal\x22/></wsdl:fault></wsdl:operation></wsdl:binding><wsdl:binding name=\x22OAuth\x22 type=\x22tns:IWebTicketService\x22><wsp:PolicyReference URI=\x22#OAuth_policy\x22/><soap:binding transport=\x22http://schemas.xmlsoap.org/soap/http\x22/><wsdl:operation name=\x22IssueToken\x22><soap:operation soapAction=\x22http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue\x22 style=\x22document\x22/><wsdl:input><soap:body use=\x22literal\x22/></wsdl:input><wsdl:output><soap:body use=\x22literal\x22/></wsdl:output><wsdl:fault name=\x22OCSDiagnosticsFaultFault\x22><soap:fault name=\x22OCSDiagnosticsFaultFault\x22 use=\x22literal\x22/></wsdl:fault></wsdl:operation></wsdl:binding><wsdl:binding name=\x22WebTicketServiceAnon\x22 type=\x22tns:IWebTicketService\x22><wsp:PolicyReference URI=\x22#WebTicketServiceAnon_policy\x22/><soap:binding transport=\x22http://schemas.xmlsoap.org/soap/http\x22/><wsdl:operation name=\x22IssueToname=\x22boolean\x22 nillable=\x22true\x22 type=\x22xs:boolean\x22/><xs:element name=\x22byte\x22 nillable=\x22true\x22 type=\x22xs:byte\x22/><xs:element name=\x22dateTime\x22 nillable=\x22true\x22 type=\x22xs:dateTime\x22/><xs:element name=\x22decimal\x22 nillable=\x22true\x22 type=\x22xs:decimal\x22/><xs:element name=\x22double\x22 nillable=\x22true\x22 type=\x22xs:double\x22/><xs:element name=\x22float\x22 nillable=\x22true\x22 type=\x22xs:float\x22/><xs:element name=\x22int\x22 nillable=\x22true\x22 type=\x22xs:int\x22/><xs:element name=\x22long\x22 nillable=\x22true\x22 type=\x22xs:long\x22/><xs:element name=\x22QName\x22 nillable=\x22true\x22 type=\x22xs:QName\x22/><xs:element name=\x22short\x22 nillable=\x22true\x22 type=\x22xs:short\x22/><xs:element name=\x22string\x22 nillable=\x22true\x22 type=\x22xs:string\x22/><xs:element name=\x22unsignedByte\x22 nillable=\x22true\x22 type=\x22xs:unsignedByte\x22/><xs:element name=\x22unsignedInt\x22 nillable=\x22true\x22 type=\x22xs:unsignedInt\x22/><xs:element name=\x22unsignedLong\x22 nillable=\x22true\x22 type=\x22xs:unsignedLong\x22/><xs:element name=\x22unsignedShort\x22 nillable=\x22true\x22 type=\x22xs:unsignedShort\x22/><xs:element name=\x22char\x22 nillable=\x22true\x22 type=\x22tns:char\x22/><xs:simpleType nameata></s:Body></s:Envelope>"

    Лог мобильного клиента:

    06-14 14:00:19.294 26559 DEBUG SigninActivity: onStart()
    06-14 14:00:19.294 26559 DEBUG ActivityMonitor: Activity Start and mCurrentVisibleActivity': SigninActivity[0xf4ee51f]
    06-14 14:00:19.294 26559 INFO ActivityMonitor: App is in foreground now
    06-14 14:00:19.294 26559 INFO APPLICATION CUcwaDataSynchronizer.cpp:996 CUcwaDataSynchronizer now in mode 1
    06-14 14:00:19.294 26559 INFO TRANSPORT CEventChannelManager.cpp:325 Set event aggregation time to 15/15s
    06-14 14:00:19.294 26559 INFO APPLICATION CUcwaDataSynchronizer.cpp:1018 Mode 1 scheduled to timeout in 120sec
    06-14 14:00:19.295 26559 DEBUG ADALAuthenticator: App Moved To Foreground and mState: READY.
    06-14 14:00:19.295 26559 DEBUG AnalyticsEngineImp: Reporting 0 pending telemetry event(s)
    06-14 14:00:19.295 26559 DEBUG SignInTelemetry: ui_client_state_changed {DeviceId=0-0-c1976429369bfe063ed8b3409db7c7e7d87196d9, LastState=Background, SignInCorrelationId=272251e4-2dae-41fe-8348-d1beeab87778, Topology=Unknown, NewState=Foreground}
    06-14 14:00:19.296 26559 INFO APPLICATION CClientTelemetryProvider.cpp:411 Sending telemetry to ARIA for type(UITelemetryEvent) signatureName(ui_client_state_changed) errorCode(S_OK (S0-0-0)) description() [viz]
    06-14 14:00:19.296 26559 INFO APPLICATION CClientTelemetryProvider.cpp:608 Sending telemetry event<ui_client_state_changed> with parameters: (DeviceId:0-0-c1976429369bfe063ed8b3409db7c7e7d87196d9 LastState:Background NewState:Foreground SignInCorrelationId:272251e4-2dae-41fe-8348-d1beeab87778 Topology:Unknown )  [viz]
    06-14 14:00:19.304 26559 INFO JNI CAndroidAppStateQuery.cpp:70 onAppStateChanged, suspended? 0
    06-14 14:00:19.304 26559 INFO UTILITIES CBaseAppStateQuery.cpp:163 App suspension state changed to ResumeStarted [viz]
    06-14 14:00:19.308 26559 INFO UTILITIES CBasePersistableComponent.cpp:211 Storing 1 out-of-sync components took 0.003122s
    06-14 14:00:19.308 26559 INFO APPLICATION CUcwaAutoDiscoveryService.cpp:894 AutodiscoveryService::resuming. No activity to schedule.
    06-14 14:00:19.308 26559 INFO APPLICATION CUcmpMrasHelper.cpp:1044 CUcmpMrasHelper::isMRASTokenValid(), NO token, bailing
    06-14 14:00:19.314 26559 INFO UTILITIES CBasePersistableComponent.cpp:211 Storing 1 out-of-sync components took 0.005208s
    06-14 14:00:19.314 26559 INFO APPLICATION CUcmpMrasHelper.cpp:965 CUcmpMrasHelper::handleMrasOnSuspensionStateChange called. event.getType(1) m_appStateQuery->getSuspensionState(2) m_conversationsManager->getApplication().getActualState(0) (m_mrasTokenRequest == nullptr)(1) isMRASTokenValid(0) 
    06-14 14:00:19.314 26559 DEBUG SignInFragment: onMAMStart()[0xa9876ed]
    06-14 14:00:19.314 26559 INFO [SessionState] SessionStateManager: adding session state listener : SignInFragment
    06-14 14:00:19.315 26559 INFO [SessionState] SessionStateManager: adding session state listener : SigninActivity
    06-14 14:00:19.316 26559 DEBUG SigninActivity: onMAMResume()
    06-14 14:00:19.317 26559 DEBUG ActivityMonitor: Activity Resume: SigninActivity[0xf4ee51f]
    06-14 14:00:19.320 26559 DEBUG [Http] CertificateNotificationUiManager: CertificateAlertHost is being SET to com.microsoft.office.sfb.activity.signin.SigninActivity@f4ee51f
    06-14 14:00:19.321 26559 DEBUG SignInFragment: onMAMResume()[0xa9876ed]
    06-14 14:00:19.321 26559 DEBUG SSOAccountManager: SignInFragment START listening to OAuthSharedAccount Events.
    06-14 14:00:19.321 26559 DEBUG SSOAccountManager: SSO is enabled. Getting shared ADAL accounts info from Token Sharing Manager.
    06-14 14:00:19.381 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.385 26559 DEBUG CredentialsStoreManager: Getting Credentials for service[UCWA], AccountId[test@km-union.ru], Domain[null], Username[km-union.ru\test], Password Available[true], Password Content Available[true]
    06-14 14:00:19.386 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.388 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.389 26559 DEBUG CryptoUtils: decryptInternal called with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.474 26559 DEBUG CryptoUtils: ecryptInternal return[decryptedString.13] for charset[UTF-8], retry[0] with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.474 26559 DEBUG SignInFragment: Successfully got the password from mCredentialStoreManager and password isEmpty? false
    06-14 14:00:19.474 26559 DEBUG SignInFragment: Was passwordChanged in textbox? false
    06-14 14:00:19.474 26559 DEBUG SignInFragment: Was usernameChanged in textbox? false
    06-14 14:00:19.474 26559 DEBUG SignInFragment: bIsCredentialsEdited ? false
    06-14 14:00:19.484 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.490 26559 DEBUG SignInFragment: Username was set in textbox from ucmp. Now username is test@km-union.ru
    06-14 14:00:19.500 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.506 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.509 26559 DEBUG CredentialsStoreManager: Getting Credentials for service[UCWA], AccountId[test@km-union.ru], Domain[null], Username[km-union.ru\test], Password Available[true], Password Content Available[true]
    06-14 14:00:19.510 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.512 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.514 26559 DEBUG CryptoUtils: decryptInternal called with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.517 26559 DEBUG CryptoUtils: ecryptInternal return[decryptedString.13] for charset[UTF-8], retry[0] with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.517 26559 DEBUG SignInFragment: Successfully got the password from mCredentialStoreManager and password isEmpty? false
    06-14 14:00:19.533 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.548 26559 DEBUG SignInFragment: Password was updated in password textbox from mCredentialStoreManager
    06-14 14:00:19.548 26559 DEBUG SignInFragment: Password Status :Same when isUcwaPasswordAvailable: true
    06-14 14:00:19.549 26559 DEBUG SignInFragment: shouldDisplayAccountPicker = true because both username and password is available
    06-14 14:00:19.549 26559 DEBUG SignInFragment: Switching To Account Picker.
    06-14 14:00:19.551 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.552 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.554 26559 DEBUG SignInFragment: We got 0 accounts from OAuthStateHandler.
    06-14 14:00:19.571 26559 DEBUG SignInFragment: Switching To Credential View, because SigninContact dataSources size is zero
    06-14 14:00:19.573 26559 DEBUG AnalyticsEngineImp: Reporting 0 pending telemetry event(s)
    06-14 14:00:19.573 26559 DEBUG SignInTelemetry: ui_username_validated {UCMPErrorCode=S_OK, SignInCorrelationId=272251e4-2dae-41fe-8348-d1beeab87778, Topology=Unknown, ErrorCode=S_OK}
    06-14 14:00:19.574 26559 INFO APPLICATION CClientTelemetryProvider.cpp:411 Sending telemetry to ARIA for type(UITelemetryEvent) signatureName(ui_username_validated) errorCode(S_OK (S0-0-0)) description() [viz]
    06-14 14:00:19.574 26559 INFO APPLICATION CClientTelemetryProvider.cpp:608 Sending telemetry event<ui_username_validated> with parameters: (ErrorCode:S_OK SignInCorrelationId:272251e4-2dae-41fe-8348-d1beeab87778 Topology:Unknown UCMPErrorCode:S_OK )  [viz]
    06-14 14:00:19.578 26559 DEBUG SignInFragment: LastKnownError : S_OK
    06-14 14:00:19.579 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.591 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.591 26559 DEBUG NetworkMonitor: Notify network status to 2 listener(s) when network is 'CellularDataNetwork' and connectivity = true and Reported NetworkType CellularDataNetwork.
    06-14 14:00:19.601 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.602 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.603 26559 DEBUG NetworkMonitor: Notify network status changed to 'NativeNetworkMonitorListener' with reportNetworkType = 'CellularDataNetwork' and connectivity = true.
    06-14 14:00:19.603 26559 INFO APPLICATION CUcwaAppSession.cpp:2488 Moving suspension state to ResumeCompleted
    06-14 14:00:19.603 26559 INFO UTILITIES CBaseAppStateQuery.cpp:163 App suspension state changed to ResumeCompleted [viz]
    06-14 14:00:19.605 26559 INFO UTILITIES CBasePersistableComponent.cpp:211 Storing 1 out-of-sync components took 0.002050s
    06-14 14:00:19.605 26559 INFO APPLICATION CUcwaDataSynchronizer.cpp:1018 Mode 1 scheduled to timeout in 120sec
    06-14 14:00:19.606 26559 INFO APPLICATION CUcmpMrasHelper.cpp:1044 CUcmpMrasHelper::isMRASTokenValid(), NO token, bailing
    06-14 14:00:19.617 26559 INFO UTILITIES CBasePersistableComponent.cpp:211 Storing 1 out-of-sync components took 0.011283s
    06-14 14:00:19.617 26559 INFO APPLICATION CUcmpMrasHelper.cpp:965 CUcmpMrasHelper::handleMrasOnSuspensionStateChange called. event.getType(1) m_appStateQuery->getSuspensionState(3) m_conversationsManager->getApplication().getActualState(0) (m_mrasTokenRequest == nullptr)(1) isMRASTokenValid(0) 
    06-14 14:00:19.702 26559 DEBUG SSOAccountManager: We got 4 accounts from token share lib via Callback.
    06-14 14:00:19.702 26559 DEBUG SSOAccountManager: We processed 0 unique accounts from token share.
    06-14 14:00:19.702 26559 DEBUG SSOAccountManager: Notifying Shared Account listeners.
    06-14 14:00:19.702 26559 DEBUG SignInFragment: Received ADAL accounts to Sign In of size 0
    06-14 14:00:19.704 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.708 26559 DEBUG CredentialsStoreManager: Getting Credentials for service[UCWA], AccountId[test@km-union.ru], Domain[null], Username[km-union.ru\test], Password Available[true], Password Content Available[true]
    06-14 14:00:19.709 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.710 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.711 26559 DEBUG CryptoUtils: decryptInternal called with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.714 26559 DEBUG CryptoUtils: ecryptInternal return[decryptedString.13] for charset[UTF-8], retry[0] with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.719 26559 DEBUG SignInFragment: Successfully got the password from mCredentialStoreManager and password isEmpty? false
    06-14 14:00:19.719 26559 DEBUG SignInFragment: Was passwordChanged in textbox? false
    06-14 14:00:19.719 26559 DEBUG SignInFragment: Was usernameChanged in textbox? false
    06-14 14:00:19.719 26559 DEBUG SignInFragment: bIsCredentialsEdited ? false
    06-14 14:00:19.723 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.724 26559 DEBUG SignInFragment: Username was set in textbox from ucmp. Now username is test@km-union.ru
    06-14 14:00:19.729 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.730 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.733 26559 DEBUG CredentialsStoreManager: Getting Credentials for service[UCWA], AccountId[test@km-union.ru], Domain[null], Username[km-union.ru\test], Password Available[true], Password Content Available[true]
    06-14 14:00:19.734 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.735 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.736 26559 DEBUG CryptoUtils: decryptInternal called with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.739 26559 DEBUG CryptoUtils: ecryptInternal return[decryptedString.13] for charset[UTF-8], retry[0] with [seed.length: 36], [data.length: 45], [salt.length: 16], [isNewSalt: false], [isNewSeed: false], [why: CredentialsStoreManager::getPlainText_Password]
    06-14 14:00:19.739 26559 DEBUG SignInFragment: Successfully got the password from mCredentialStoreManager and password isEmpty? false
    06-14 14:00:19.747 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:19.750 26559 DEBUG SignInFragment: Password was updated in password textbox from mCredentialStoreManager
    06-14 14:00:19.750 26559 DEBUG SignInFragment: Password Status :Same when isUcwaPasswordAvailable: true
    06-14 14:00:19.750 26559 DEBUG SignInFragment: shouldDisplayAccountPicker = true because both username and password is available
    06-14 14:00:19.750 26559 DEBUG SignInFragment: Switching To Account Picker.
    06-14 14:00:19.751 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.752 26559 DEBUG CredentialsStoreManager: com.microsoft.android.enterprise15 has 1 accounts.
    06-14 14:00:19.753 26559 DEBUG SignInFragment: We got 0 accounts from OAuthStateHandler.
    06-14 14:00:19.754 26559 DEBUG SignInFragment: Switching To Credential View, because SigninContact dataSources size is zero
    06-14 14:00:19.757 26559 DEBUG AnalyticsEngineImp: Reporting 0 pending telemetry event(s)
    06-14 14:00:19.757 26559 DEBUG SignInTelemetry: ui_username_validated {UCMPErrorCode=S_OK, SignInCorrelationId=272251e4-2dae-41fe-8348-d1beeab87778, Topology=Unknown, ErrorCode=S_OK}
    06-14 14:00:19.757 26559 INFO APPLICATION CClientTelemetryProvider.cpp:411 Sending telemetry to ARIA for type(UITelemetryEvent) signatureName(ui_username_validated) errorCode(S_OK (S0-0-0)) description() [viz]
    06-14 14:00:19.757 26559 INFO APPLICATION CClientTelemetryProvider.cpp:608 Sending telemetry event<ui_username_validated> with parameters: (ErrorCode:S_OK SignInCorrelationId:272251e4-2dae-41fe-8348-d1beeab87778 Topology:Unknown UCMPErrorCode:S_OK )  [viz]
    06-14 14:00:19.761 26559 DEBUG SignInFragment: LastKnownError : S_OK
    06-14 14:00:19.764 26559 DEBUG NetworkMonitor: isNetworkAvailable ? Yes
    06-14 14:00:21.861 26559 DEBUG SigninActivity: onMAMPause()
    06-14 14:00:21.862 26559 DEBUG [Http] CertificateNotificationUiManager: CertificateAlertHost is being RESET by com.microsoft.office.sfb.activity.signin.SigninActivity@f4ee51f
    06-14 14:00:21.862 26559 DEBUG ActivityMonitor: Activity Pause: SigninActivity[0xf4ee51f]
    06-14 14:00:21.862 26559 DEBUG SignInFragment: onMAMPause()[0xa9876ed]
    06-14 14:00:21.863 26559 DEBUG SSOAccountManager: SignInFragment STOP listening to OAuthSharedAccount Events.
    06-14 14:00:21.935 26559 DEBUG AdvancedSigningInActivity: onMAMCreate()
    06-14 14:00:21.951 26559 DEBUG ActivityMonitor: Activity Create: AdvancedSigningInActivity[0x33c35f0], launchReason[null]
    06-14 14:00:21.969 26559 DEBUG AdvancedSignInFragment: onMAMAttach()[0xb0cd308]
    06-14 14:00:21.970 26559 DEBUG AdvancedSignInFragment: onMAMCreate()[0xb0cd308]
    06-14 14:00:22.021 26559 DEBUG CircularProfileWithPresenceView: All or some properties are set to 0
    06-14 14:00:22.117 26559 INFO PreferencesStore: commit is called on 
    06-14 14:00:22.124 26559 INFO Trace: TracingEnabled is set to true: SignInFragment.
    06-14 14:00:22.124 26559 DEBUG AdvancedSigningInActivity: finishAfterOnCreate
    06-14 14:00:22.130 26559 DEBUG BreakpadDumpReporter: found breakpad dumpfile count (0)
    06-14 14:00:22.130 26559 DEBUG BreakpadDumpReporter: No minidumps found
    06-14 14:00:22.131 26559 DEBUG AdvancedSigningInActivity: onStart()
    06-14 14:00:22.131 26559 DEBUG ActivityMonitor: Activity Start and mCurrentVisibleActivity': AdvancedSigningInActivity[0x33c35f0]
    06-14 14:00:22.131 26559 DEBUG AdvancedSignInFragment: onMAMStart()[0xb0cd308]
    06-14 14:00:22.131 26559 INFO [SessionState] SessionStateManager: adding session state listener : AdvancedSignInFragment
    06-14 14:00:22.163 26559 DEBUG AdvancedSigningInActivity: onMAMResume()
    06-14 14:00:22.164 26559 DEBUG ActivityMonitor: Activity Resume: AdvancedSigningInActivity[0x33c35f0]
    06-14 14:00:22.164 26559 DEBUG [Http] CertificateNotificationUiManager: CertificateAlertHost is being SET to com.microsoft.office.sfb.activity.signin.AdvancedSigningInActivity@33c35f0
    06-14 14:00:22.164 26559 DEBUG AdvancedSignInFragment: onMAMResume()[0xb0cd308]
    06-14 14:00:22.472 26559 DEBUG SigninActivity: onStop()
    06-14 14:00:22.473 26559 DEBUG ActivityMonitor: Activity Stop: SigninActivity[0xf4ee51f]
    06-14 14:00:22.474 26559 DEBUG SignInFragment: onMAMStop()[0xa9876ed]
    06-14 14:00:22.474 26559 INFO [SessionState] SessionStateManager: removing session state listener : SignInFragment
    06-14 14:00:22.474 26559 INFO [SessionState] SessionStateManager: removing session state listener : SigninActivity
    06-14 14:00:23.283 27105 INFO LogAttachmentProvider: No minidump files, NOT creating minidump container file

    14 июня 2019 г. 14:05
  • Проверьте все внутренние и внешние DNS записи, очень похоже на вот эту ошибку у вас.

    Skype for Business App not connecting


    MCITP, MCSE. Regards, Oleg

    14 июня 2019 г. 14:55
    Модератор
  • Проблема оказалась на стороне revproxy (nginx) , так и не смогли пробросить ntlm авторизацию на FE: диагностика связности показала - сессия TLS v1.2 клиентом и сервером устанавливается, заголовки и данные пересылаются, но почему-то авторизация не проходит (хотя десктоп-клиент через данный revproxy работает). Есть подозрения на keep-alive cсоединения и(или) буффер...

    Решили проблему с помощью haproxy - прозрачный tcp проброс 443 порта на 4443 FE.

    Теперь все работает, спасибо!

    28 июня 2019 г. 13:29