ccolonbackslash


Category Archives: Irritating Problems

Lync 2010 Standard – 33060 events – PSTN dial in fails, SIP/2.0 503 Service unavailable, dial-in caller joins then immediately disconnected

Audio error message on PSTN dial-in of: “sorry i can’t seem to connect you to your meeting right now”…..

And in the event log:

User failed to join the conference.

Microsoft.Rtc.Collaboration.ConferenceFailureException:The operation failed due to a response from the server. For more information, examine the properties on the exception and inner exception.

Fought with this for three days then initiated a Microsoft support call, they spent another two days on it and finally the engineer hit on the right area….. surprise….. certificates.

Symptoms were: following loss of a Lync 2010 front end server we rebuilt it over a weekend, got all services working then noticed that although dial-out through our PSTN worked, dial-in didn’t.

Participants would dial into the server, hear the greeting, enter the conference, Lync client participants would see them join for a moment then get bounced out (they would show as anonymous) with the audio message: “sorry i can’t seem to connect you to your meeting right now, please try again later” etc.

We did traces, reinstalled the conferencing service and the conference attendants, published and republished the topology etc etc. Eventually some kind of timer tripped at Microsoft support in India and they brought out the big guns, did a 25 MB trace on the call join and went through it line by line.

At this point the engineer told me that the issue was with the certificate on the FE server. He showed me the certificate that we had (just) issued to our freshly minted Lync 2010 server, and the certificate signing algorithm was RSASSA-PSS; apparently Lync ONLY works with certificates issued with the sha1RSA algorithm.

Since last issuing Lync certificates we have upgraded our enterprise PKI to 2012 R2, which it seems by default issues certs signed with RSASSA-PSS. Yes – this also affects Lync 2013 according to the support team.

Lync 2013 is also affected by this problem, and I believe it may also impact OSX’s use of Windows-issued certificates (our 802.1x wireless has not worked with certificate auth for some time).

At this point I was escalated to the directory services team, but while I waited I did some googling and found this:

https://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

It seems I’m not the only one to find this. I have requested MS refund me my support token as this is clearly an issue with their documentation.

Anyway as mentioned in the link above the resolution is to change a value in the registry on issuing PKI servers, restart cert services then reissue the FE cert, as stated by Rufat Aliyev in the technet forums:

https://social.technet.microsoft.com/profile/rufat%20aliyev/?type=forum&referrer=http://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

You do this:

“The problem is solved. There is a huge Microsoft mistake in documentation for MS Lync. I don’t know why but I can’t find any information about exact PKI requirements for MS Lync. In my case all my certificates use RSASSA-PSS algorithm instead of RSAsha1. I changed the registry key on my Enterprise CA server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSP

value AlternateSignatureAlgorithm from 1 to 0 and restart CA service.

After this request a new certificate from Lync deployment wizard and everything becomes OK.

It took me about 3 months to find out this!!!!”

Once the cert is installed, bounce the box and your conferences will function normally again. I hope this helps someone else.
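A quicker way to spot this condition than a line-by-line trace, as an added example that is not part of the original post or the quoted forum reply: list the signature algorithm of every certificate in the front end's machine store, then read the CA setting the post changes. The `$apply` switch and the function name are assumptions of this example; `certutil -getreg`/`-setreg` and the OID are standard.

```powershell
# Added example, not from the original post.
# Part 1 runs on the Lync front end, part 2 in an elevated session on the issuing CA.

$PssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS (PKCS #1 v2.1 signature format)

# --- Part 1: flag server certificates whose signature algorithm is RSASSA-PSS
function Get-CertSignatureReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            SigAlgName = $_.SignatureAlgorithm.FriendlyName
            SigAlgOid  = $_.SignatureAlgorithm.Value
            IsPss      = ($_.SignatureAlgorithm.Value -eq $PssOid)
        }
    }
}

Get-CertSignatureReport | Sort-Object IsPss -Descending |
    Format-Table Subject, SigAlgName, IsPss, NotAfter -AutoSize

# --- Part 2: on the issuing CA
# 'ca\' expands to the active CA's Configuration\<CA name> key, so this reads
# the same CSP\AlternateSignatureAlgorithm value the post edits by hand.
certutil -getreg ca\csp\AlternateSignatureAlgorithm

# The value above only selects the signature format (1 = PSS, 0 = PKCS #1 v1.5).
# The hash the CA signs with is a separate setting, shown here for reference.
certutil -getreg ca\csp\CNGHashAlgorithm

$apply = $false     # assumption of this example: set to $true after reviewing the output
if ($apply) {
    certutil -setreg ca\csp\AlternateSignatureAlgorithm 0
    Restart-Service -Name CertSvc
    # Certificates already issued keep their PSS signature, so the front-end
    # certificate still has to be requested again, as the post describes.
}
```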

ISP Redundancy on Checkpoint R75.45 Gaia – does not work

I installed R75.45 Gaia on a UTM-1 270 appliance recently, installation from USB went fine and performance was adequate with a low load, VPN, default IPS and a short QOS rule set.

In order to support a degree of resilience we’re using ISP Redundancy at all sites with multiple internet connections. Despite configuring this site identically I was not able to get the failover to work. Usually, the script cp_isp_update runs and updates the gateway’s default route to match that of the secondary ISP; however, when I tested this on R75.45 the route was not updated when primary was disconnected.

I contacted Checkpoint support and was informed that ISP Redundancy does not work in either version of Gaia, R75.45 or R75.40 – however there is a patch available for R75.40 if you contact them and reference this sk. I applied this patch on 75.40 but still didn’t see the solution work as expected so instead deployed R75.30 as I have at other ISP redundant sites.

I should also mention that my in no way scientific, cursory observations indicated that load on the CPU was much lower (15-20pc lower) on SPLAT (with 75.30) than on either version of GAIA. Something to bear in mind for older appliances like the UTM-1 270.

Server 2012 on Vmware ESXi – “Your computer ran into a problem and needs to restart”

Trying to migrate a 2012 VM from VMware Workstation 9 to an ESXi host, I saw the ‘sad face’, as below.

“Your computer ran into a problem and needs to restart”

A little research led me to this: http://kb.vmware.com/selfservice/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=2006859&sliceId=2&docTypeID=DT_KB_1_1 but actually patching ESX was not something I’d done for some time, and before I think I used Update Manager.

A little digging led me here which is much clearer than the VMware instructions for patching. Many thanks Chris! Simply upload the patch to a datastore, enable SSH (or do from console), put server in maintenance mode, run the patch as Chris’ link shows, reboot, and your 2012 and Windows 8 VMs will now boot just fine.

Cannot install Server 2012 – The file may be corrupt or missing. Error code:0x80070570

For disclosure – No such issues on VMware Workstation 9 and I got the ISO to eventually install on the old desktop by burning it at 4x…… I could not however get it to install on Workstation 8 without enabling the VT extensions.

_____________________________

While trying to install Server 2012 on both VMWare Workstation 8 and an oldish desktop, I found myself repeatedly running into: “Windows cannot install required files. The file may be corrupt or missing. Make sure all files required for installation are available, and restart the installation. Error code: 0x80070570”.


Various online resources blamed ISOs, bad memory etc. But it seemed odd that I saw the same message on the old desktop and the VM, so I listed out what these two machines were missing that the server I had installed it on successfully did have…. Then I realised, VT extensions.

So I went into the VM properties (see picture below), enabled virtualisation of VT extensions and lo and behold a successful install in VMware Workstation.


Server 2008 R2 VSS – volsnap error: “The shadow copies of volume C: were aborted because of a failed free space computation.”

While trying to get a DPM backup of a server we were seeing volsnap errors every time we tried to sync the target, and the same error if we tried to configure shadow copies directly.

The volsnap errors referenced an inability to calculate free space on the volume in question, specifically: “The shadow copies of volume C: were aborted because of a failed free space computation.” There are lots of articles referencing this issue on 2003 but nothing at all on 2008 or 2008 R2.

All VSS providers were showing healthy, so looked at more general VSS troubleshooting and came across this:

Specifically, following these steps as detailed by Shaon Shan:
As always, ensure you back up the registry before making any changes.

1. Stop the Following services:

Volume Shadow Copy Service.
MS Software Shadow Copy Provider — keep it stopped
“COM+ event system”
“COM+ System Application”

2. Take the backup of the “Subscriptions” key

HKLM\Software\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions

3. Delete the “Subscriptions” key

4. Restart/Start the following services

“COM+ event system”
“COM+ System Application”
“Microsoft Software Shadow Copy Provider”
“Volume Shadow Copy”

5. Reboot the machine.
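The five steps above as one script, as an added example that is not part of the original post or of the quoted steps: it refuses to delete the key unless the export in step 2 actually produced a file. The backup location is an assumption of this example; the service short names are the standard ones for the display names in the steps.

```powershell
# Added example, not from the original post. Run in an elevated session.
$regKey = 'HKLM\Software\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions'
$psKey  = 'HKLM:\Software\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions'

# Assumption: the backup goes to %TEMP% with a timestamped name.
$backup = Join-Path $env:TEMP ("Subscriptions-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Step 1: stop the services, in the order the steps list them.
#   VSS         = Volume Shadow Copy
#   swprv       = Microsoft Software Shadow Copy Provider
#   EventSystem = COM+ Event System (has dependents, hence -Force)
#   COMSysApp   = COM+ System Application
foreach ($svc in 'VSS', 'swprv', 'EventSystem', 'COMSysApp') {
    Stop-Service -Name $svc -Force -ErrorAction Stop
}

# Step 2: export the Subscriptions key and verify the export before going on.
reg.exe export $regKey $backup /y
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    throw "Export of the Subscriptions key failed; nothing was deleted."
}
Write-Host "Backup written to $backup"

# Step 3: delete the key. -LiteralPath keeps the braces in the GUID from
# being interpreted in any way.
Remove-Item -LiteralPath $psKey -Recurse -ErrorAction Stop

# Step 4: start the services again, in the order the steps list them.
foreach ($svc in 'EventSystem', 'COMSysApp', 'swprv', 'VSS') {
    Start-Service -Name $svc -ErrorAction Stop
}

# Step 5: reboot. -Confirm asks before restarting.
Restart-Computer -Confirm
```

To roll back, import the exported file with `reg.exe import` and reboot.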

Fix: Lync password prompts when connecting over Edge server : “Type your user name and password to connect for retrieving calendar data from outlook.”

Although we are no longer witnessing Exchange password prompts, upon migration to Lync from Communicator, we now see command prompts from Lync when both Outlook and Lync are started OUTSIDE the network, so over the Edge and Outlook Anywhere WITHOUT VPN. Although yet to widely deploy, we are seeing this behaviour consistently in our pilot and I’ve been unable to resolve the issue. Unlike the other post referring to this, these prompts are dismissible and do not return (you just get the red bangs).

I have just opened an MS case on this and although awaiting further info, they seem fairly convinced it is our use of Kerberos-Constrained Delegation on the outlook anywhere site that Lync is trying to use that causes the recurring issue. This particular set of authorisation prompts crops up when Lync attempts to get calendar information from. If you disable windows integrated authentication in IE, it goes away. This problem is utterly unrelated to the Lync infrastructure.

When I have more clarity from the engineers I will post back, though it seems that they want to change our authentication method for EWS/Outlook Anywhere on our TMG listener for the Exchange CAS so we no longer use KCD. I’ve tried all manner of solutions; the only thing that gets rid of the prompts in the meantime is disabling integrated authentication in IE as per a number of TechNet articles. This isn’t a great solution however, as it may cause problems for other apps and will require touching every machine or deploying by GPO.

If you aren’t using KCD you may have some luck with this http://msexchangeanywhere.wordpress.com/2011/12/29/how-to-fix-lync-services-signin-type-your-user-name-and-password-to-connect-for-retrieving-calendar-data-from-outlook/.

____________________

MS tech got back to me – it seems Lync definitely doesn’t like KCD on Outlook Anywhere. The Microsoft engineer’s recommendation is to allow Exchange to do direct authentication rather than allowing TMG to proxy/pre-authorise; for us this involved two changes:

  1. Change authentication method on your Outlook Anywhere rule in TMG from ‘Kerberos Constrained Delegation’ to ‘No delegation, but client may authenticate directly’.
  2. Add ‘All Users’ to the allowed user sets on the rule.

Once this was applied, no more authentication requests.

No changes needed to the listener providing it is set up as MS ask.

I will update after speaking to the engineer with any further explanation.

Having been round in circles for months on this, please don’t hesitate to contact me if you are having similar issues.

Self Signed Certificates Issued to Polycom Lync Phone Devices – causes additional certificate authentication pop-ups for other certificate dependent services

Woohoo – this is fixed, go here for the hotfix: http://support.microsoft.com/kb/2710995 

_____________________

Posted this here: http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/340c2fe9-a9bb-449b-8498-0f9c5699d566 a while back. Anyone else having the same problem? Off the back of another support call I spoke with an escalation engineer and he agreed that it was a significant issue, but couldn’t confirm when it would be resolved. Do let me know if you’ve found a way for these Polycom devices and 802.1x EAP authentication to work without irritating popups.

________

Hi there,

I’ve just configured a pilot Lync2010 pool with the eventual intention of deploying lync handsets across the organisation.

Everything seems to work great, delighted with the polycom hardware (cx600).

However, when I sign into Lync, and my device retrieves a certificate (that seems to be deposited in my personal cert store as well), this certificate causes problems with:

-EAP wireless

-EAP authentication to the VPN

What happens is when I connect to wireless I now have to choose between my Lync cert and the company cert; the Lync cert is not trusted as it is not issued by a trusted authority (clearly). This isn’t a big deal to me but extra prompts are a major deployment blocker for my users!

Is there no way to get Lync to use certificates issued from our enterprise CA as opposed to its own, then we’d have a single personal certificate for all these services?

Using DHCPUtil.exe I have pointed my device at my ent CA, but it still gathers a self-signed cert from the Lync server.

I don’t believe I’m the only person to run into this issue: http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/8358d4b1-9d55-40bf-bb7e-c09e0cb90327/.

Thanks,
Jim.

Error 1335 and/or Browse For Folder during Office 2010 install, Missing OfficeLR.Cab etc

A colleague spent a day banging his head against a wall doing a Windows install yesterday, as our image kept failing during installing Office 2010 with a pop-up “Browse For Folder” explorer box claiming “setup cannot find office.en-us\officelr.cab”, “The cabinet file ‘proof.cab’ required” amongst others. Manual installs of Office on the same machine failed in the same place.

We moved the HDD to another identical machine and the install worked fine, so we decided to try a BIOS run-in/memory test on the original laptop where everything failed – lo and behold a faulty DIMM. Replaced DIMM and all is fine.

There are countless, countless posts on this topic, so before you waste your time on anything else, run a memory test.

Windows Update Error 8007EE2

If you find an otherwise fine machine will not connect to WU with an 8007EE2 error and have probably already tried the microsoft fixit solution with no success, do try the following:

  • Open regedit
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  • In here, if the UseWUServer entry is 1, change it to 0. If you drill further down you’ll probably see reference to a non-existent WU server; in my case this was from reusing a lab machine from an SCCM test.
  • Restart the WindowsUpdate Service from services.msc
  • WU should work fine again.

Hope this helps someone else.
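The same check and change scripted, as an added example that is not part of the original post: it reports the configured update server and only flips UseWUServer when that server name no longer resolves, which is the leftover-lab-policy case described above. The function name and the "does not resolve" test are assumptions of this example; WUServer and WUStatusServer are the standard policy values in the WindowsUpdate key above AU.

```powershell
# Added example, not from the original post. Run in an elevated session.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-WsusPolicyState {
    # Missing keys or values simply come back as $null.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # $null = no server configured, $true/$false = host name resolves or not.
    $resolves = $null
    if ($wu.WUServer) {
        try {
            $hostName = ([uri]$wu.WUServer).Host
            [void][System.Net.Dns]::GetHostAddresses($hostName)
            $resolves = $true
        } catch {
            $resolves = $false
        }
    }

    [pscustomobject]@{
        UseWUServer    = $au.UseWUServer
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        ServerResolves = $resolves
    }
}

$state = Get-WsusPolicyState
$state | Format-List

# Change the value only when policy points at a server that cannot be resolved.
if ($state.UseWUServer -eq 1 -and $state.ServerResolves -eq $false) {
    Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0 -Type DWord
    Restart-Service -Name wuauserv
    Write-Host 'UseWUServer set to 0 and Windows Update service restarted.'
} else {
    Write-Host 'No change made.'
}
# If these values come from a domain GPO rather than a leftover local setting,
# the next policy refresh writes them back and the GPO itself needs fixing.
```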