ccolonbackslash


Lync 2010 Standard – 33060 events – PSTN dial in fails, SIP/2.0 503 Service unavailable, dial-in caller joins then immediately disconnected

Audio error message on PSTN dial-in: “Sorry, I can’t seem to connect you to your meeting right now...”

And in the event log:

User failed to join the conference.

Microsoft.Rtc.Collaboration.ConferenceFailureException:The operation failed due to a response from the server. For more information, examine the properties on the exception and inner exception.

Fought with this for three days, then initiated a Microsoft support call. They spent another two days on it and finally the engineer hit on the right area... surprise... certificates.

Symptoms were: following the loss of a Lync 2010 front end server we rebuilt it over a weekend, got all services working, then noticed that although dial-out through our PSTN worked, dial-in didn’t.

Participants would dial into the server, hear the greeting and enter the conference. Lync client participants would see them join for a moment (they would show as anonymous), then they would get bounced out with the audio message: “Sorry, I can’t seem to connect you to your meeting right now, please try again later” etc.

We did traces, reinstalled the conferencing service and the conference attendants, published and republished the topology, etc. Eventually some kind of timer tripped at Microsoft support in India and they brought out the big guns: they did a 25 MB trace on the call join and went through it line by line.

At this point the engineer told me that the issue was with the certificate on the FE server. He showed me the certificate that we had (just) issued to our freshly minted Lync 2010 server: the certificate signing algorithm was RSASSA-PSS, and apparently Lync ONLY works with certificates issued with the sha1RSA algorithm.

Since last issuing Lync certificates we have upgraded our enterprise PKI to 2012 R2, which it seems issues certs signed with RSASSA-PSS by default. Yes – this also affects Lync 2013 according to the support team.

I believe it may also impact OS X’s use of Windows-issued certificates (our 802.1x wireless has not worked with certificate auth for some time).

At this point I was escalated to the directory services team, but while I waited I did some googling and found this:

https://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

It seems I’m not the only one to find this. I have requested MS refund me my support token as this is clearly an issue with their documentation.

Anyway, as mentioned in the link above, the resolution is to change a value in the registry on the issuing PKI servers, restart cert services, then reissue the FE cert, as stated by Rufat Aliyev in the TechNet forums:

https://social.technet.microsoft.com/profile/rufat%20aliyev/?type=forum&referrer=http://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

You do this:

“The problem is solved. There is a huge Microsoft mistake in the documentation for MS Lync. I don’t know why but I can’t find any information about exact PKI requirements for MS Lync. In my case all my certificates use the RSASSA-PSS algorithm instead of RSAsha1. I changed the registry key on my Enterprise CA server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSP

value AlternateSignatureAlgorithm from 1 to 0 and restart CA service.

After this request a new certificate from Lync deployment wizard and everything became OK.

It took me about 3 months to find out this!!!!”

Once the cert is installed, bounce the box and your conferences will function normally again. I hope this helps someone else.
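The check and the registry change described in this post, written out in PowerShell as an added example; it is not code from the original post, from the quoted forum reply, or from Microsoft. The function names are hypothetical, and it assumes an elevated session on the relevant server (the Lync front end for the certificate check, the issuing CA for the registry steps).

```powershell
# Added example (function names are hypothetical). Run elevated.
$PssOid = '1.2.840.113549.1.1.10'   # signature algorithm OID for RSASSA-PSS

# 1. On the Lync front end: list machine certificates signed with RSASSA-PSS.
function Get-PssSignedCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.Value -eq $PssOid } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# 2. On the issuing CA: read AlternateSignatureAlgorithm for each configured CA.
function Get-CaAlternateSignatureAlgorithm {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path -Path $base)) { return }      # not a CA server
    foreach ($ca in Get-ChildItem -Path $base) {
        $csp = Join-Path $ca.PSPath 'CSP'
        if (Test-Path -Path $csp) {
            [pscustomobject]@{
                CA     = $ca.PSChildName
                CspKey = $csp
                # $null when the value is not present under the CSP key
                Value  = (Get-ItemProperty -Path $csp).AlternateSignatureAlgorithm
            }
        }
    }
}

# 3. On the issuing CA: set the value to 0 where it is 1, then restart the CA.
function Disable-CaAlternateSignatureAlgorithm {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $changed = $false
    foreach ($entry in Get-CaAlternateSignatureAlgorithm | Where-Object { $_.Value -eq 1 }) {
        if ($PSCmdlet.ShouldProcess($entry.CA, 'Set AlternateSignatureAlgorithm to 0')) {
            Set-ItemProperty -Path $entry.CspKey -Name AlternateSignatureAlgorithm -Value 0 -Type DWord
            $changed = $true
        }
    }
    if ($changed) { Restart-Service -Name CertSvc }
}

Get-PssSignedCertificate
Get-CaAlternateSignatureAlgorithm
# Disable-CaAlternateSignatureAlgorithm -WhatIf   # preview; drop -WhatIf to apply
```

Certificates issued before the change keep their RSASSA-PSS signature, so rerun `Get-PssSignedCertificate` on the front end after reissuing to confirm the new certificate no longer appears.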

Self Signed Certificates Issued to Polycom Lync Phone Devices – causes additional certificate authentication pop-ups for other certificate dependent services

Woohoo – this is fixed, go here for the hotfix: http://support.microsoft.com/kb/2710995 

_____________________

Posted this here: http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/340c2fe9-a9bb-449b-8498-0f9c5699d566 a while back. Anyone else having the same problem? Off the back of another support call I spoke with an escalation engineer and he agreed that it was a significant issue, but couldn’t confirm when it would be resolved. Do let me know if you’ve found a way for these Polycom devices and 802.1x EAP authentication to work without irritating popups.

________

Hi there,

I’ve just configured a pilot Lync 2010 pool with the eventual intention of deploying Lync handsets across the organisation.

Everything seems to work great, delighted with the Polycom hardware (CX600).

However, when I sign into Lync and my device retrieves a certificate (that seems to be deposited in my personal cert store as well), this certificate causes problems with:

- EAP wireless

- EAP authentication to the VPN

What happens is when I connect to wireless I now have to choose between my Lync cert and the company cert. The Lync cert is not trusted as it is not issued by a trusted authority (clearly). This isn’t a big deal to me but extra prompts are a major deployment blocker for my users!

Is there no way to get Lync to use certificates issued from our enterprise CA as opposed to its own? Then we’d have a single personal certificate for all these services.

Using DHCPUtil.exe I have pointed my device at my enterprise CA, but it still gathers a self-signed cert from the Lync server.

I don’t believe I’m the only person to run into this issue: http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/8358d4b1-9d55-40bf-bb7e-c09e0cb90327/.

Thanks,
Jim.