ccolonbackslash

Category Archives: Lync/OCS

Lync 2010 Standard – 33060 events – PSTN dial-in fails, SIP/2.0 503 Service Unavailable, dial-in caller joins then is immediately disconnected

Audio error message on PSTN dial-in: “Sorry, I can’t seem to connect you to your meeting right now.”

And in the event log:

User failed to join the conference.

Microsoft.Rtc.Collaboration.ConferenceFailureException:The operation failed due to a response from the server. For more information, examine the properties on the exception and inner exception.

Fought with this for three days, then opened a Microsoft support call. They spent another two days on it before the engineer finally hit on the right area... surprise... certificates.

Symptoms: following the loss of a Lync 2010 front end server we rebuilt it over a weekend and got all services working, then noticed that although dial-out through our PSTN gateway worked, dial-in didn’t.

Participants would dial into the server, hear the greeting and enter the conference; Lync client participants would see them join for a moment (showing as anonymous) and then get bounced out with the audio message “Sorry, I can’t seem to connect you to your meeting right now, please try again later.”

We ran traces, reinstalled the conferencing service and the conferencing attendant, published and republished the topology, and so on. Eventually some kind of timer tripped at Microsoft support in India and they brought out the big guns: a 25 MB trace of the call join, which they went through line by line.

At this point the engineer told me that the issue was with the certificate on the FE server. He showed me that the certificate we had (just) issued to our freshly minted Lync 2010 server had a signature algorithm of RSASSA-PSS. Lync does not accept certificates signed in the RSASSA-PSS format (the PKCS#1 v2.1 “alternate signature format”); it needs the classic PKCS#1 v1.5 signature, which shows as sha1RSA (or sha256RSA) in the certificate’s “Signature algorithm” field. The hash is not the problem, the signature format is.

Since last issuing Lync certificates we had upgraded our enterprise PKI to 2012 R2, and the new CA was issuing certificates signed with RSASSA-PSS. (This is the “Use alternate signature format” option chosen when the CA is configured, so check your own CA rather than assuming every 2012 R2 CA behaves this way.) According to the support team Lync 2013 is affected in exactly the same way, and I believe it may also impact OS X’s use of Windows-issued certificates (our 802.1X wireless has not worked with certificate auth for some time).

At this point I was escalated to the directory services team, but while I waited I did some googling and found this:

https://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

It seems I’m not the only one to find this. I have requested that MS refund my support token, as this is clearly an issue with their documentation.

Anyway, as described in the thread above, the resolution is to change a registry value on the issuing CA, restart Certificate Services, then reissue the FE certificate. As stated by Rufat Aliyev in the TechNet forums:

https://social.technet.microsoft.com/profile/rufat%20aliyev/?type=forum&referrer=http://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

Quoting his post:

“The problem is solved. There is a huge Microsoft mistake in the documentation for MS Lync. I don’t know why, but I can’t find any information about the exact PKI requirements for MS Lync. In my case all my certificates use the RSASSA-PSS algorithm instead of RSAsha1. I changed the registry key on my Enterprise CA server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSP

value AlternateSignatureAlgorithm from 1 to 0 and restarted the CA service.

After this, request a new certificate from the Lync deployment wizard and everything becomes OK.

It took me about 3 months to find this out!!!!”

Once the cert is installed, bounce the box and your conferences will function normally again. I hope this helps someone else.
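The check and the fix above, as an added PowerShell walkthrough (this is not from the original post or the TechNet thread). Step 1 runs on the Lync front end in the Lync Server Management Shell, step 2 on the issuing CA as a CA administrator, step 3 back on the front end. The CA name `ca01.contoso.local\Contoso Issuing CA` and the friendly name are placeholders; substitute your own.

```powershell
# Added example, not code from the original post. Assumptions: Lync module
# available on the FE, certutil on the CA, and the placeholder CA name below.

$PssOid = '1.2.840.113549.1.1.10'   # id-RSASSA-PSS (PKCS#1 v2.1): the signature format Lync rejects

# --- 1. On the Lync front end: which signature format does the assigned certificate use?
Import-Module Lync
$assigned = Get-CsCertificate -Type Default
$fe = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $assigned.Thumbprint }
'{0}  sigalg={1} ({2})' -f $fe.Subject, $fe.SignatureAlgorithm.FriendlyName, $fe.SignatureAlgorithm.Value
if ($fe.SignatureAlgorithm.Value -eq $PssOid) {
    Write-Warning 'FE certificate is signed with RSASSA-PSS; Lync will not accept it. Fix the CA, then reissue.'
}

# Same check for every certificate in the machine store (catches the Edge / web services certs too)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.Value -eq $PssOid } |
    Select-Object Subject, Thumbprint, @{n='SigAlg'; e={ $_.SignatureAlgorithm.FriendlyName }}

# --- 2. On the issuing CA: inspect and correct the alternate signature setting.
# This writes HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CSP\AlternateSignatureAlgorithm
certutil -getreg CA\CSP\AlternateSignatureAlgorithm      # 1 = RSASSA-PSS, 0 = PKCS#1 v1.5
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0
Restart-Service certsvc                                  # value is read at service start
certutil -getreg CA\CSP\AlternateSignatureAlgorithm      # expect 0 now

# --- 3. Back on the front end: request, assign and verify a fresh certificate.
# Only certificates issued after the CA restart carry the PKCS#1 v1.5 signature;
# the existing one does not change, so it has to be reissued.
$req = Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal `
         -CA 'ca01.contoso.local\Contoso Issuing CA' `
         -FriendlyName 'Lync FE (PKCS1 v1.5 signature)' `
         -AllSipDomain -PrivateKeyExportable $true
Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $req.Thumbprint

$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $req.Thumbprint }
if ($new.SignatureAlgorithm.Value -eq $PssOid) {
    throw 'New certificate is still RSASSA-PSS: the CA change did not take effect.'
}
'Assigned {0} signed with {1}' -f $new.Thumbprint, $new.SignatureAlgorithm.FriendlyName
```

After step 3, restart the Lync services (or reboot the box, as above) so the conferencing components pick up the new certificate. Note that flipping `AlternateSignatureAlgorithm` affects everything the CA issues from then on, including any CRLs it signs, so reissue any other certificates that failed for the same reason rather than only the FE one.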


Fix: Lync password prompts when connecting over Edge server: “Type your user name and password to connect for retrieving calendar data from outlook.”

Although we are no longer seeing Exchange password prompts, since migrating from Communicator to Lync we now see credential prompts from Lync when both Outlook and Lync are started OUTSIDE the network, i.e. over the Edge and Outlook Anywhere WITHOUT VPN. We have yet to deploy widely, but we see this behaviour consistently in our pilot and I’ve been unable to resolve it. Unlike the other post referring to this, these prompts are dismissable and do not return (you just get the red bangs).

I have just opened an MS case on this and, although I am awaiting further info, they seem fairly convinced that our use of Kerberos Constrained Delegation on the Outlook Anywhere site that Lync is trying to use is what causes the recurring prompt. This particular set of credential prompts appears when Lync attempts to retrieve calendar information from Exchange Web Services. If you disable Windows Integrated Authentication in IE, it goes away. This problem is utterly unrelated to the Lync infrastructure.

When I have more clarity from the engineers I will post back, though it seems they want to change the authentication method for EWS/Outlook Anywhere on our TMG listener for the Exchange CAS so that we no longer use KCD. I’ve tried all manner of solutions; the only thing that gets rid of the prompts in the meantime is disabling Integrated Authentication in IE, as per a number of TechNet articles. This isn’t a great solution, however, as it may cause problems for other apps and requires touching every machine or deploying via GPO.

If you aren’t using KCD you may have some luck with this: http://msexchangeanywhere.wordpress.com/2011/12/29/how-to-fix-lync-services-signin-type-your-user-name-and-password-to-connect-for-retrieving-calendar-data-from-outlook/.

____________________

The MS tech got back to me: Lync definitely doesn’t like KCD on Outlook Anywhere. Microsoft’s engineer recommended allowing Exchange to authenticate the client directly rather than having TMG pre-authenticate and delegate. For us this involved two changes:

  1. Change authentication method on your outlook anywhere rule in TMG from ‘Kerberos Constrained Delegation’ to ‘No delegation, but client may authenticate directly’.
  2. Add ‘All Users’ to the allowed user sets on the rule.
Once this was applied, no more authentication requests.

No changes are needed to the listener, provided it is set up as MS ask. Be aware of what the change means: with “No delegation” and “All Users” on the rule, TMG no longer pre-authenticates that traffic, so the Exchange CAS becomes the authentication boundary for EWS and Outlook Anywhere. Check the authentication settings on those virtual directories before making the change.

I will update after speaking to the engineer with any further explanation.

Having been round in circles for months on this, please don’t hesitate to contact me if you are having similar issues.

Self Signed Certificates Issued to Polycom Lync Phone Devices – causes additional certificate authentication pop-ups for other certificate dependent services

Woohoo – this is fixed, go here for the hotfix: http://support.microsoft.com/kb/2710995 

_____________________

Posted this here a while back: http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/340c2fe9-a9bb-449b-8498-0f9c5699d566. Anyone else having the same problem? Off the back of another support call I spoke with an escalation engineer, who agreed that it was a significant issue but couldn’t confirm when it would be resolved. Do let me know if you’ve found a way for these Polycom devices and 802.1X EAP authentication to coexist without irritating pop-ups.

________

Hi there,

I’ve just configured a pilot Lync2010 pool with the eventual intention of deploying lync handsets across the organisation.

Everything seems to work great; delighted with the Polycom hardware (CX600).

However, when i sign into Lync, and my device retrieves a certificate (that seems to be deposited in my personal cert store as well), this certificate causes problems with:

-EAP wireless

-EAP authentication to the vpn

What happens is that when I connect to wireless I now have to choose between my Lync cert and the company cert; the Lync cert is not trusted as it is not issued by a trusted authority (clearly). This isn’t a big deal to me, but extra prompts are a major deployment blocker for my users!

Is there no way to get Lync to use certificates issued from our enterprise CA as opposed to its own? Then we’d have a single personal certificate for all these services.

Using DHCPUtil.exe i have pointed my device at my ent CA, but it still gathers a self-signed cert from the lync server.

I don’t believe I’m the only person to run into this issue: http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/8358d4b1-9d55-40bf-bb7e-c09e0cb90327/.

Thanks,
Jim.
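To see why EAP offers a choice, list the certificates in the user’s personal store that are usable for client authentication and check which of them chain to a trusted root. This is an added diagnostic written for this page, not code from the original post or from Microsoft; it assumes a Windows client with PowerShell and reads only the current user’s store. Two rows in the output, one trusted (enterprise CA) and one whose chain fails (the Lync-issued one), is exactly the situation that produces the extra prompt.

```powershell
# Added example, not from the original post. Lists client-auth certificates
# in Cert:\CurrentUser\My and whether each chains to a trusted root.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # A certificate with no EKU extension is valid for every purpose, so it is
        # a candidate too; otherwise require the Client Authentication EKU.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isClientAuth = $true
        if ($eku) {
            $isClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
        if (-not $isClientAuth) { return }   # skip this certificate

        # Build the chain without revocation checking: we only care about trust here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status = if ($trusted) { 'trusted' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            Chain         = $status
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Get-ClientAuthCertificateReport | Format-Table -AutoSize
```

The `Chain` column will typically read `UntrustedRoot` or `PartialChain` for the certificate the Lync server handed out, because its issuer is the Lync server rather than a CA in the machine’s trusted roots. That certificate is what the wireless and VPN EAP prompts are offering alongside the enterprise one.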

Lync Server with Polycom phones VM Lab.

We got a couple of Polycom phones for Lync to review and set them up off the back of a lab in VMware Workstation. I struggled to figure out how to configure it physically, given that it needed to be portable and run entirely off my laptop while I was also connected to my network. To get round this I used a USB Ethernet adapter bridged to one of the VMnet NICs to connect a switch to the sandbox network, then plugged the phones into that switch.

The voice quality seems superb, and the automation/integration with the Lync desktop client works nicely.