SfB Server - PIN auth errors with "no response received for getting root certificate chain"

  • Question

  • Hi guys,

    We have migrated / upgraded a client from Lync 2013 Std to SfB 2015 EE pool. Previously there was no load balancer as there was a single FE server. With the new SfB 2015 platform we are using EE so have ARR in use as a load Balancer for all web traffic. ARR is also used for their Exchange environment and appears to be working fine.

    The 2013 platform supported PIN auth on the Polycom CX and VVX phones without problems. However this no longer works on the SfB 2015 system. The handsets are running the latest firmware and work fine with the 2013 platform.

    When I run Test-CsPhoneBootstrap -PhoneOrExtension xxxx -PIN xxxx I get the following returned:

    Failure
    No response received for getting root certificate chain. Inner Exception: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. Inner Exception: The remote server returned an error: (401) Unauthorized.

    This has really confused me, as the virtual directory and URL target (which is correct) is set to anonymous authentication... so what the hell is going on?! If I set the ARR server to use just the one FE server I can see in the IIS logs of the FE that the client is talking to the correct URL: (https://sfbwebint.company.com:443/CertProv/CertProvisioningService.svc for target URI, with the DNS load balanced name (site1-sfb-fepool1.company.com) set as the Target FQDN via the UCSipServer option in DHCP).

    Is it really as simple as ARR is not handing out the root certificate, hence the issue? ARR is being used for SSL proxying....

    Any advice really appreciated. The DHCPUtil.exe -EmulateClient works fine, returns what I expect and a success.

    Thanks - Steve

    Monday, May 9, 2016 8:52 AM

Answers

  • Hi,

    I have just found that with the full line URI and PIN it works.

    For example: extn = 5300

    line URI = 1231235300.

    Please use 1231235300 and the PIN to sign in.

    Thanks 

    Hari

    • Marked as answer by Eason Huang Tuesday, June 7, 2016 11:13 AM
    Thursday, May 19, 2016 2:00 PM

All replies

  • Hello Steve

    If I understood your problem correctly, the problem may be related to load balancing. It would however be worth checking what the phones are saying here: maybe you should enable Debug Level logging on a VVX device and replicate the problem, download the log and see what was being performed, and for the same time try to get the event logs from the servers in the Front End Pool:

    Get-EventLog -LogName 'Lync Server' -EntryType Error -After (Time of issue) -ComputerName server1,server2,server3

    Analyzing this log along with the errors from the eventlog will get you a pretty good idea what the problem is.


    Best Regards // Amr Morsy

    Monday, May 9, 2016 9:43 AM
  • Hi Amr,

    Thanks for your help. The log from the VVX is useless - it simply advises that it fails. Equally, there is nothing at all of relevance in the SfB / Lync log file either.

    Hence my reliance on the Test-CsPhoneBootstrap cmdlet from a client workstation on the same VLAN / subnet as the VVX devices.

    I'm about to do some tracing using centralised logging to see if that tells me anything useful, but I'm really at a loss. There's nothing at all in the VVX logs of any use, and the Test-CsPhoneBootstrap cmdlet with -Verbose indicates that the issue is the load balancer not providing the root certificate chain... which I find hard to believe as we have no other cert issues at all (Exchange, SfB and 3rd party stuff runs over the load balancer fine) and the intermediate certs are all installed on the node...

    Any further advice or suggestions would be really appreciated, particularly what other logs / tools I can use to obtain further information about what is happening!

    Thanks - Steve

    Monday, May 9, 2016 1:37 PM
  • After some further testing, if I disable SSL proxying on the ARR node I do get past the certificate chain error, but it then advises that there is no response from the Web-Ticket service... We're sending Basic, it's expecting NTLM/Negotiate so I get a 401...

    However SSL proxying is supported using SfB with ARR as far as I can tell. We're using a wildcard cert on the ARR load balancer, but again wildcard appears to be supported by the VVXs and the SfB infrastructure as a whole.

    At this point, using SfB centralised logging I can see that I'm getting the error "Could not find auth type match for <endp, http://~/WebTicketService.svc/pin>"

    Getting to the point where I may need to involve MS PSS... Anyone else got experience in using SfB with EE pools via ARR as a load balancer?!

    Thanks - Steve

    Monday, May 9, 2016 3:48 PM
  • I've also posted to the Polycom community which has helped confirm that the issue is the same for both the test cmdlet and the VVX themselves.

    http://community.polycom.com/t5/Skype-for-Business/Decoding-VVX500-Log-file/m-p/81347

    Getting this just before the error. Indicates that the VVX is attempting to contact the web services (via ARR) and a socket is made (HTTP 200 OK):

    0510142207|tickt|3|00|soWebTicketServersGet: WebTicketAddress is https://bur-skype-webint.domain.com/WebTicket/WebTicketService.svc
    0510142207|tickt|1|00|[soWebTicketServersGet]:[8757] getRootCertChain URL is [http://bur-skype-webint.domain.com/CertProv/CertProvisioningService.svc/anon]
    0510142207|tickt|1|00|[soWebTicketServersGet]:[8776] webticket proof service URL is [https://bur-skype-webint.domain.com/CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1]
    0510142207|tickt|1|00|[soWebTicketServersGet]:[8800] curlReturn [0] resCode[200] serErrorCode[200] pResponse[HTTP/1.1 200 OK

    Just after this step however, I get:

    0510142207|tickt|2|00|soWebTicketPinauthGetRootCertChain: SpecialInterop_Lync2010 detected
    0510142207|tickt|2|00|soWebTicketPinauthGetRootCertChain: autoProvision location is 6
    0510142207|tickt|2|00|soWebTicketPinauthGetRootCertChain: Cert is not available at 6
    0510142208|tickt|2|00|doXmlParsingForErrorCode: ErrorCode is:28100
    
    0510142208|tickt|2|00|doXmlParsingForErrorCode: stripped pResponse is:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{p
    0510142208|tickt|1|00|[soRootCertGetForPinAuth]:[9302] curlReturn [0] resCode[401] serErrorCode[28100] pResponse[HTTP/1.1 401 Unauthorized

    Which to me is the same error I'm getting using the Test-CsPhoneBootstrap cmdlet. The client cannot obtain the root chain certificates - even though the URL is right and a socket can be made - as SfB/ARR is returning an HTTP 401. I think this is a bit odd, as surely this should be anonymous? The test cmdlet indicates it is expecting anon, and the IIS config has it set to anon (plus Windows auth) as well... so what the hell is going on!?!?!

    Any help greatly appreciated. If I don't get much further I'll have to speak to MS PSS I think as this is starting to hurt my head!

    Thanks - Steve

    Tuesday, May 10, 2016 3:15 PM
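    A small parser for the VVX "tickt" log format quoted above, added here as an example (it is not from the post or from Polycom). The sample lines are a constructed copy of Steve's excerpt, and the regexes assume the field order timestamp|module|level|seq|message seen in those lines:

```python
"""Parse Polycom VVX 'tickt' log lines and locate the first HTTP call that connected but got a non-2xx."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the lines quoted in the post above.
SAMPLE_LOG = """\
0510142207|tickt|3|00|soWebTicketServersGet: WebTicketAddress is https://bur-skype-webint.domain.com/WebTicket/WebTicketService.svc
0510142207|tickt|1|00|[soWebTicketServersGet]:[8757] getRootCertChain URL is [http://bur-skype-webint.domain.com/CertProv/CertProvisioningService.svc/anon]
0510142207|tickt|1|00|[soWebTicketServersGet]:[8800] curlReturn [0] resCode[200] serErrorCode[200] pResponse[HTTP/1.1 200 OK
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
0510142208|tickt|1|00|[soRootCertGetForPinAuth]:[9302] curlReturn [0] resCode[401] serErrorCode[28100] pResponse[HTTP/1.1 401 Unauthorized
"""

# Field layout assumed from the sample: MMDDhhmmss | module | level | seq | message
LINE_RE = re.compile(r"^(?P<ts>\d{10})\|(?P<mod>[^|]+)\|(?P<lvl>\d)\|\d\d\|(?P<msg>.*)$")
URL_RE = re.compile(r"(?P<what>\w+) URL is \[(?P<url>[^\]]+)\]")
CURL_RE = re.compile(
    r"\[(?P<func>\w+)\]:\[\d+\] curlReturn \[(?P<curl>\d+)\] "
    r"resCode\[(?P<http>\d+)\] serErrorCode\[(?P<err>\d+)\]"
)

@dataclass
class HttpStep:
    ts: str           # MMDDhhmmss as logged by the phone
    func: str         # phone-side function that issued the request
    curl_rc: int      # libcurl return code; 0 means the TCP/TLS exchange worked
    http_status: int  # HTTP status the server answered with
    ser_error: int    # phone's own error code (28100 in the post)

def parse_vvx_log(text):
    """Return (urls, steps): announced service URLs and every curl result, in log order."""
    urls, steps = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation of a multi-line pResponse body (HTML), skip it
        msg = m.group("msg")
        if (u := URL_RE.search(msg)):
            urls[u.group("what")] = u.group("url")
        if (c := CURL_RE.search(msg)):
            steps.append(HttpStep(m.group("ts"), c.group("func"), int(c.group("curl")),
                                  int(c.group("http")), int(c.group("err"))))
    return urls, steps

def first_failure(steps):
    """First step that connected (curl rc 0) but got a non-2xx HTTP status, else None."""
    for s in steps:
        if s.curl_rc == 0 and not 200 <= s.http_status < 300:
            return s
```

    Run over a full debug log, this points at the request (here the anonymous CertProv call) that the server answered with 401 even though the socket and TLS handshake succeeded.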
  • Hello,

    I am also facing the same problem.

    Changed Pool, STS URI, DHCP config but no luck.

    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    <style type="text/css">
    <!--

    Any update or help will be highly appreciated.

    Regards,

    Hari

    Thursday, May 19, 2016 12:22 PM
  • Hi,

    I have just found that with the full line URI and PIN it works.

    For example: extn = 5300

    line URI = 1231235300.

    Please use 1231235300 and the PIN to sign in.

    Thanks 

    Hari

    • Marked as answer by Eason Huang Tuesday, June 7, 2016 11:13 AM
    Thursday, May 19, 2016 2:00 PM