Lync 2013 Multi Tenant - SIP/2.0 401 Unauthorized

New Lync 2013 Multi Tenant install. Can provision users in the Primary OU. Users in primary OU login without error.
Users provisioned in a sub OU can not login to Lync. Provisioning process completes successfully.
Client prompts for password. Attempts login and fails with:
You didn't get signed in. It might be your sign-in address or logon credentials. (SIP address and UPN are identical)
FE logging:
SIP/2.0 401 Unauthorized
TL_INFO(TF_PROTOCOL) [0]128C.2E1C::04/15/2014-22:28:42.421.00004ea3 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[212989229] $$begin_record
Trace-Correlation-Id: 212989229
Instance-Id: 3A4
Direction: outgoing;source="local"
Peer: edge1.domain.corp:56094
Message-Type: response
Start-Line: SIP/2.0 401 Unauthorized
From: <sip:[email protected]>;tag=57e75cd85f;epid=f7a8f50c07
To: <sip:[email protected]>;tag=10A7EC7396D5F1EDCEA8D35A0C49F3CB
Call-ID: 8654248b0dd64d519f42617b862e75bc
CSeq: 2 REGISTER
Via: SIP/2.0/TLS 10.200.10.210:56094;branch=z9hG4bK4B6654F6.FADCC8B2E74B96BA;branched=FALSE;ms-received-port=56094;ms-received-cid=20C00
Via: SIP/2.0/TLS 172.16.232.59:60361;received=10.200.250.206;ms-received-port=43233;ms-received-cid=1E9D00
Content-Length: 0
Failed to validate user credentials
$$end_record
TL_ERROR(TF_SECURITY) [0]128C.2E1C::04/15/2014-22:28:42.468.0000542a (SIPStack,SIPAdminLog::WriteSecurityEvent:SIPAdminLog.cpp(319))[212989229] $$begin_record
Text: Failed to validate user credentials
Result-Code: 0x8009030c SEC_E_LOGON_DENIED
Source: edge1.domain.internal:56094
SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
SIP-Call-ID: 8654248b0dd64d519f42617b862e75bc
SIP-CSeq: 3 REGISTER
Data:
gssapi-data="NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00\xB4\x00\x00\x00D\x01D\x01\xCC\x00\x00\x00 \x00 \x00X\x00\x00\x000\x000\x00x\x00\x00\x00\x0C\x00\x0C\x00\xA8\x00\x00\x00\x10\x00\x10\x00\x10\x02\x00\x00U\x82\x90b\x06\x03\x80%\x00\x00\x00\x0FQ\xC8@\x1E\x1F\xD2\xF9w\x0C!\xF8Y\x84\x84\x06PM\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00A\x00c\x00c\x00o\x00u\x00n\x00t\x00r\x00i\x00c\x00h\x00.\x00l\x00i\x00b\x00e\x00r\x00t\x00y\x00@\x00h\x00o\x00t\x00m\x00a\x00i\x00l\x00.\x00c\x00o\x00m\x00L\x00A\x00P\x00T\x00O\x00P\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00+\xD8\x1CE\xFB\\x9E7\xACbc\x17e\xDE\xAC\xFD\x01\x01\x00\x00\x00\x00\x00\x00R\n\x0E\xFAX\xCF\x01\xF2h\xA4\xBE\x8B\xC3w=\x00\x00\x00\x00\x02\x00\x06\x00P\x00P\x00C\x00\x01\x00\x1A\x00P\x00P\x00C\x001\x00L\x00Y\x00N\x00C\x00F\x00E\x000\x000\x001\x00\x04\x00\x10\x00p\x00p\x00c\x00.\x00c\x00o\x00r\x00p\x00\x03\x00,\x00P\x00P\x00C\x001\x00L\x00Y\x00N\x00C\x00F\x00E\x000\x000\x001\x00.\x00p\x00p\x00"
$$end_record

Hi,
Please double check the port between FE server and Edge server.
Please also check whether you have added the SAN of the sub domain to the Edge external certificate, with the help of the link below:
http://technet.microsoft.com/en-us/library/gg398409.aspx
Best Regards,
Eason Huang
TechNet Community Support
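
The gssapi-data value in the security event of the question above is an NTLM AUTHENTICATE (type 3) token, and decoding it shows which domain, user name and workstation the client actually presented when the Front End returned SEC_E_LOGON_DENIED. The following is an added example, not code from this thread or from Microsoft; the escape rules, the sample token and the names TENANTA, alice and LAPTOP01 are constructed assumptions, and the parser tolerates a blob that is cut short after the name fields.

```python
import re
import struct

SIGNATURE = b"NTLMSSP\x00"
# Escapes assumed for the trace text: \xNN for one byte, plus \\ \n \r \t.
ESCAPE = re.compile(rb"\\(x[0-9A-Fa-f]{2}|[\\nrt])")
SIMPLE = {b"\\": b"\\", b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def unescape_trace(text):
    """Turn the escaped gssapi-data text back into the raw token bytes."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok[1:], 16)]) if tok[:1] == b"x" else SIMPLE[tok]
    return ESCAPE.sub(repl, text.encode("latin-1"))


def escape_trace(data):
    """Inverse of unescape_trace; used here only to build the sample text."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F and b != 0x22:
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def read_buffer(msg, pos):
    """Read one security buffer (len, maxlen, offset); None if cut off."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        return None
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Extract the identity fields from an NTLM AUTHENTICATE (type 3) token."""
    if len(msg) < 64 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE (3), got type %d" % msg_type)
    flags, = struct.unpack_from("<I", msg, 60)
    # Bit 0 = NTLMSSP_NEGOTIATE_UNICODE; latin-1 stands in for the OEM code page.
    enc = "utf-16-le" if flags & 1 else "latin-1"
    out = {"flags": flags, "truncated": False}
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        raw = read_buffer(msg, pos)
        out[name] = None if raw is None else raw.decode(enc, errors="replace")
    nt_len = struct.unpack_from("<H", msg, 20)[0]
    # A 24-byte NT response is NTLMv1-sized; NTLMv2 responses are longer.
    out["ntlm_version"] = "NTLMv2" if nt_len > 24 else "NTLMv1"
    # Offsets of the six security buffers: LM, NT, domain, user, workstation, key.
    for pos in (12, 20, 28, 36, 44, 52):
        if read_buffer(msg, pos) is None:
            out["truncated"] = True
    return out


def identity_matches(parsed, expected_upn, netbios_domains):
    """True if the presented name is the expected UPN or DOMAIN\\sam account.

    Assumes the sAMAccountName equals the UPN prefix (not always the case).
    """
    user = (parsed["user"] or "").lower()
    domain = (parsed["domain"] or "").lower()
    known = {d.lower() for d in netbios_domains}
    if "@" in user:
        return user == expected_upn.lower() and domain in known | {""}
    return user == expected_upn.split("@", 1)[0].lower() and domain in known


def build_sample(domain, user, workstation):
    """Build a constructed type 3 token (dummy responses, not captured data)."""
    payload = b""
    descs = []
    parts = [domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"),
             b"\x00" * 24,                # LM response placeholder
             bytes(range(0x50, 0x78)),    # 40-byte dummy NT response
             b""]                         # no session key
    for data in parts:
        descs.append(struct.pack("<HHI", len(data), len(data), 88 + len(payload)))
        payload += data
    dom, usr, wks, lm, nt, key = descs
    header = SIGNATURE + struct.pack("<I", 3) + lm + nt + dom + usr + wks + key
    header += struct.pack("<I", 0x00000001)   # flags: Unicode only
    return header + b"\x00" * 24 + payload    # zeroed Version + MIC


if __name__ == "__main__":
    token = build_sample("TENANTA", "alice", "LAPTOP01")
    line = 'gssapi-data="%s"' % escape_trace(token)
    parsed = parse_authenticate(unescape_trace(line.split('"', 1)[1][:-1]))
    print(parsed)
    print(identity_matches(parsed, "alice@tenant-a.example", ["TENANTA"]))
```

A presented domain that is the workstation name or some other value outside the tenant's AD domains means the client sent cached or local credentials rather than the provisioned account.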

Similar Messages

  • Lync 2013 Multi-tenant Hosting Pack third-party solutions available for features listed as "Via Thirdparty"

    Hi,
    Who are all the third party vendors that can integrate with Lync 2013 Multi-tenant hosting pack V2  features that are supported Via 3rd party.
    1) Call park
    2) Outgoing DID manipulation
    3) E-911
    3) Dialplans & Policies
    4) Support for Analog devices (e.g. FAX)
    5) Response groups
    6) Network QoS - DSCP
    7) Phone number management
    8) IM/P & Voice with Skype. 
    9) Interoperability with on-premises video conferencing systems
    Regards,
    SR

    Hi,
    Based on my understanding, as it is the Multi-Tenant environment, in internal DNS server, there is no need to add the DNS A record lyncdiscoverinternal. However, you can try to add the DNS record in internal DNS server to test the issue as well.
    Also, please make sure you have updated both Lync Server 2013 and Exchange 2013 to the latest version. If not, update it and then test again.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 Front End SIP/2.0 500 Compression algorithm refused

    I've deployed a brand new Lync 2013 environment hosted on Windows Server 2012 R2 that is currently in co-existence mode with my Lync 2010 environment. 
    I have SCOM 2012 monitoring the environment and it recently started reporting that one or more of my front end servers
    was in a critical state.  Diving into it revealed the following perf counter threshold was being tripped:
    Time Sampled: 3/26/2014 2:33:30 PM
    Object Name: LS:SIP - Responses
    Counter Name: SIP - Local 500 Responses
    Instance Name: 
    First Value: 14287
    Last Value: 14340
    Delta Value: 53
    Using OCSLOGGER.exe on the front end to capture logs, I trapped the following:
    TL_INFO(TF_PROTOCOL) [11]9138.1C58::03/26/2014-19:12:39.098.0022c780 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[120713120] $$begin_record
    Trace-Correlation-Id: 120713120
    Instance-Id: 7D80EB
    Direction: outgoing;source="local"
    Peer: poolA.contoso.com:63820
    Message-Type: response
    Start-Line: SIP/2.0 500 Compression algorithm refused
    FROM: <sip:poolA.contoso.com>;ms-fe=FEserver1.contoso.com
    To: <sip:poolA.contoso.com>;tag=F8B88CAB38613EB380773027C56D94AF
    CALL-ID: 986f9f568c794ce39d33d7158376157b
    CSEQ: 1 NEGOTIATE
    Via: SIP/2.0/TLS 10.154.228.225:63820;ms-received-port=63820;ms-received-cid=C3D7C00
    Content-Length: 0
    ms-diagnostics: 2;reason="See response code and reason phrase";HRESULT="0xC3E93C0F(SIP_E_REACHED_CONFIGURED_LIMIT)";source="FEserver1.contoso.com"
    Server: RTC/5.0
    $$end_record
    The only recent change made to the front end servers was making the registry change outlined in this article: 
    http://support.microsoft.com/kb/2901554/en-us so I'm wondering if that has something to do with it.

    The MSFT support person said to re-apply CU5 to the Director servers and reboot.  Since this is impactful to the environment and I would have to do reboots anyway, I opted to go the route of installing the more recent update so....
    Last weekend I updated my Lync environment with what I think is considered CU6, the September 2014 updates for Lync 2013 Server (https://support.microsoft.com/kb/2809243) and still no luck. The front
    end servers are fine; no excess SIP 500 errors occurring there but within 30 minutes of removing the SCOM override on the Director servers the alerts started firing again.
    I reinstated the override in SCOM for the Directors and had my case with Premier support un-archived.  The MSFT support person said if the alerts didn't go away she was going to have to engage the Lync product group for help.  We'll see where it
    goes from here.
    JKuta

  • Exchange 2013 Multi-tenant contact administration

    Hi everybody!
    Searched high and low, but couldn't find an answer.
    I have deployed multi-tenancy Exchange as a service provider, and will look into self service portals later.
    I'm currently developing all the powershell scripts needed to manage the multi tenant environment.
    Question arises:
    How do you handle contacts in a multi-tenant environment?
    Since a SMTP address can only be used once in an Exchange Organization, what if 2 tenants need the same contact?
    - Use customattributes and filter on that? Then what if I want to use the multi-tenant AD for different purposes later?
    - Use custom DACLs on the OU or contacts?
    - Any other ideas?
    Of course I started with
    http://blogs.technet.com/b/exchange/archive/2013/02/20/hosting-and-multi-tenancy-guidance-for-exchange-server-2013-now-available.aspx but there's no mention of this issue.
    Thank you for any input regarding this issue.
    There's a new blog in town: http://msfreaks.wordpress.com

    I would advise against "sharing" contacts, as each tenant's requirements may be different. Meaning each may want to see different values for various attributes. You may want to stand up an ADLDS instance for each tenant which will hold their contacts independently
    of your current Active Directory Forest that houses Exchange. This way, your Exchange Organization remains pristine, no never-ending queues/NDRs for ambiguous SMTP addresses, and each tenant can manage their own contacts without interfering with each
    other. Also, I would look into Forefront Identity Manager (FIM).
    Woody Colling, MCITP Exchange 2010 --The incentive for the experts to answer posts is to get their replies marked as helpful, or as the answer to our questions, help them help us, mark posts accordingly--

  • SMTP Authentication in Exchange 2013 multi tenant

    I have configured a multi-tenant environment. The local domain is scurenet.local and I host 3 different email domains: abcd.com, efg.com and xyz.com. How is it possible to create 3 mailboxes with the same login in 3 different domains, like [email protected] [email protected] [email protected]? I also want users to authenticate with their email IDs, and that is the main issue. I can create 3 different logins like john1, john2 and john3 in AD and manually add an SMTP address like [email protected] etc., but the issue is how to authenticate users with their SMTP IDs, so that john1 can log in using [email protected] and a password, john2 uses [email protected] as login ID, and so on.

    Hi,
    I think you can try creating mailboxes for the three users and assign the full access permissions to each other.
    Thanks,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • SharePoint 2013 Multi-tenant Feature Packs

    I have not seen any information in regards to multi-tenancy feature packs for SharePoint 2013. Currently it seems, with the new end user licencing, when you install the Enterprise bits you can license a user for either Standard or Enterprise but not
    Foundation. In SharePoint 2010 you could use the Enterprise bits then create defined feature packs to give a site collection Foundation, Standard or Enterprise features. Do updated defined feature packs exist for 2013? 
    There is mention of them here http://www.harbar.net/articles/sp2013mt.aspx 
    "Feature Packs provide the ability to constrain the Features available for a given tenant. The fundamental capability
    isn’t changed in any way here, but of course the Features in the product have. Thus the old Feature Pack definitions for SKUs are no longer valid. A new set of feature pack definitions are required encompassing all of the new Features in SharePoint 2013."
    But nothing else anywhere on the net, anyone have any ideas?

    Hi all,
    I thought I'd give an update.  I too have worked through official channels and I believe I'm making progress but not a solution unfortunately.  When you run Get-SPFeature, you get 409 different features.  One thing I noticed, was the features
    ending with Stapler that Spence didn't add to his foundation features suggests that adding these could be erroneous.  This led me to believe that my ignorance in the above message was bliss and that my idea was not going to fly.  Take for example
    this:
    AutohostedAppLicensing
    AutohostedAppLicensingStapling
    So is AutohostedAppLicensingStapling a Standard or Enterprise Feature, or something internal that should not be added as it gives bad results?  What about the others I don't find?
    Then I posed the question - what do the ID's with EDU* in them mean?  They don't exist in product info - perhaps it's education specific SKU's?  Does that expose customers to use SharePoint for Internet Sites without the SKU as we assume Enterprise
    would be the baseline for all 409 features and we work our way back?
    Or even this - MS Access Services is a feature, yet there are 10 Feature ID's associated with it.  With Exchange, there are PS commands that refer to MS Internal only and for O365 use only.  What
    if the 209 features Microsoft sent me as a descriptor for onprem cannot correlate to the 409 Get-SPFeature ID's I have in my bag that render my farm useless?
    I've also done research around the net and it looks like everyone went the inefficient, non-multitenant way - that is, either do foundation and try to compete with O365, or offer dedicated VM farms for clients with Standard or Enterprise installs and centralise
    the SQL back-end.
    Surely no one has done true multitenant... Have they?
    Question.  If I provision a client with no -Featurepack ID, do they get nothing or the default which is Enterprise Edition?  I'd presume I will get nothing or an error for not specifying a switch but I would have to build another environment to
    test.... which brings me to my last point.  Based on the way Std and Ent can be enabled for on-prem customers on an individual basis and I installed Standard edition on its own VM then enumerated the Get-SPFeature cmdlet, surely I'd see all the features,
    not just the standard edition install features.  right?  If not then I'll build it, enumerate the list and my 2013 Feature pack is sorted.
    The biggest fear I have on this is going it alone and if I stuff up, having a non-compliant licensing solution for every user on the system and MS banging down my door for noncompliance on something they didn't provide guidance on in the first place.
    Jason. 
    Consultant | Nerd | Visionary. http://www.ethertech.com.au/ | http://www.deeperstates.com.au

  • SharePoint Foundation 2013 - Multi-tenant Install and OneDrive for Business with Yammer i

    Hello,
    After installing SP Foundation 2013 (SP1) with Partitioned service applications we have noticed that while clicking on the "yammer and oneDrive" link the below error message comes up:
    _admin/yammerconfiguration.aspx
    any ideas??
    http://technet.microsoft.com/en-us/library/dn659286%28v=office.15%29.aspx
    we have also noticed that MS mentioned "OneDrive for Business with Yammer integration doesn’t work for multi-tenancy or partitioned service applications for on-premises deployments"
    ja

    ULS
    Application error when access /_admin/cloudconfiguration.aspx, Error=Object reference not set to an instance of an object.   at Microsoft.SharePoint.WebControls.SPPinnedSiteTile.OnInit(EventArgs e)     at System.Web.UI.Control.InitRecursive(Control
    namingContainer)     at System.Web.UI.Control.InitRecursive(Control namingContainer)     at System.Web.UI.Control.InitRecursive(Control namingContainer)     at System.Web.UI.Control.InitRecursive(Control
    namingContainer)     at System.Web.UI.Control.InitRecursive(Control namingContainer)     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    =====
    To me it seems SharePoint social networking features require the full SharePoint Server product AND are not available with the free SharePoint Foundation, If correct then why MS punching it here in Foundation without a friendly error message..
    ja

  • Unable to send to external email recipients - Multi Tenant Exchange 2013 - MultiRole servers in DAG

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Send Connectors are the default ones created during install. Receive connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for many hours with no progress.
    I have created new Send Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet, I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    I am at a loss as to why I can't send out with the default configuration. I would assume that email would flow out without any changes, but this does not happen.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine.
    Incoming mail from external senders is also fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Receive Connectors are the default ones created during install. Send connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for several days with no progress.
    I have created new Receive Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet, I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    Even more info - Further troubleshooting -
    I found one of my Exchange servers had an extra NIC. I have since added a second NIC to the other server, so now both Exchange servers have dual NICs. I removed the DAG cleanly and recreated the DAG from scratch, using this link -
    hxxp://careexchange.in/how-to-create-a-database-availability-group-in-exchange-2013/ 
    The issue still exists, even with a newly created DAG. I also found that the Tenant Address Books were not 'applied'. I applied them but still no resolution
    I think the issue is related to multi-tenant configuration even though the error says that it can't relay. The unable to relay message can appear when sending from a domain that the Organization does not support. Like trying to email as [email protected]
    when your domain name is apple.com - But through extensive research I still can't resolve the issue.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

  • Lync 2013 / CIMP(CUPS) 9.1.2 - RCC

    Has anyone successfully gotten RCC working between Lync 2013 and UCM(IM&P) 9.1?  I have followed the docs but cannot seem to log in.  From the traces/captures I have collected it appears CIMP is returning a 401.  I ran the RCC troubleshooter on CIMP server and everything comes back green.
    I should point out we are using different domains.  
    example.com is the Lync domain
    vc.example.com is the CUPS domain
    example.local is our internal (AD) domain
    Here is a brief snippet of the log from the CIMP side when Lync client logs on.
    INVITE sip:[email protected] SIP/2.0
    Record-Route: <sip:pdx-lync-pool-2.example.local;transport=tcp;ms-fe=pdx-lync-2.example.local;opaque=state:T;lr>;tag=C4140F78AB707EE55A3542C290EE3BDD
    Via: SIP/2.0/TCP 192.168.1.7:50752;branch=z9hG4bKCEFA4AC7.35E3FA581770D77B;branched=FALSE
    Max-Forwards: 69
    ms-application-via: SIP;ms-urc-rs-from;ms-server=pdx-lync-2.example.local;ms-pool=pdx-lync-pool-2.example.local;ms-application=ad894dc3-55e0-44bf-a07e-3c073aaa4a57
    From: "Doe, John"<sip:[email protected]>;tag=a9affac418;epid=c39ec15244
    Via: SIP/2.0/TLS 192.168.6.152:57095;ms-received-port=57095;ms-received-cid=1BF000
    To: <sip:[email protected]>
    Call-ID: 7fb389cf26a740309ac9f34eb6f5806d
    CSeq: 1 INVITE
    Contact: <sip:[email protected];opaque=user:epid:9TcRoRhNhVqj1eWYVIl_awAA;gruu>
    User-Agent: UCCAPI/15.0.4623.1000 OC/15.0.4623.1000 (Microsoft Lync)
    Supported: ms-dialog-route-set-update
    Content-Disposition: signal;handling=required
    Supported: timer
    Supported: histinfo
    Supported: ms-safe-transfer
    Supported: ms-sender
    Supported: ms-early-media
    ms-keep-alive: UAC;hop-hop=yes
    Allow: INVITE, BYE, ACK, CANCEL, INFO, UPDATE, REFER, NOTIFY, BENOTIFY, OPTIONS
    ms-subnet: 192.168.0.0
    Content-Type: application/csta+xml
    Content-Length: 329
    ms-routing-phase: from-uri-routing-done
    ms-user-data: ms-publiccloud=TRUE;ms-federation=TRUE
    <?xml version="1.0"?>
    <RequestSystemStatus xmlns="http://www.ecma-international.org/standards/ecma-323/csta/ed3"><extensions><privateData><private><lcs:line xmlns:lcs="http://schemas.microsoft.com/Lcs/2005/04/RCCExtension">tel:2373;phone-context=dialstring</lcs:line></private></privateData></extensions></RequestSystemStatus>
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_numexpand.c(891) User john.doe is IP or contains non-E164 character, no number expansion applied.
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_numexpand.c(891) User john.doe is IP or contains non-E164 character, no number expansion applied.
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_numexpand.c(788) URL host example.com doesn't point at proxy, no number expansion on user john.doe
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_numexpand.c(891) User john.doe is IP or contains non-E164 character, no number expansion applied.
    13:31:55.674 |ID(25341) sip_sm.c(1197) Sent 406 bytes TCP packet to 192.168.1.7:50752 
    SIP/2.0 100 Trying
    Via: SIP/2.0/TCP 192.168.1.7:50752;received=192.168.1.7;branch=z9hG4bKCEFA4AC7.35E3FA581770D77B;branched=FALSE, SIP/2.0/TLS 192.168.6.152:57095;ms-received-port=57095;ms-received-cid=1BF000
    Call-ID: 7fb389cf26a740309ac9f34eb6f5806d
    From: "Doe, John"<sip:[email protected]>;tag=a9affac418;epid=c39ec15244
    To: <sip:[email protected]>
    CSeq: 1 INVITE
    Content-Length: 0
    13:31:55.674 |Mon Jun 16 13:31:55 2014] [debug] mod_authz_host.c(287): [client (null)] find_allowdeny: match remotehost pdx-lync-2.example.local compare pdx-lync-2.example.local
    PID(25341) sip_sm.c(4788) ACL - upstream trusted - no need to authenticate
    13:31:55.674 |ID(25341) sip_sm.c(987) TCB_PROXIED_STATE_TIMER : 60 seconds.
    13:31:55.674 |ID(25341) sip_sm.c(4874) Request received from non-local SIP domain: example.com
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_ua.c(2998) sip_ua_handler: unparsed to: <sip:[email protected]>
    13:31:55.674 |ID(25341) mod_sip_ua.c(1369) find_scb(): about to acquire 7fb389cf26a740309ac9f34eb6f5806d:507aab56-e707780a-27a4bc92-3129d56d
    13:31:55.674 |ID(25341) mod_sip_ua.c(1379) find_scb(): failed to acquire scb 507aab56-e707780a-27a4bc92-3129d56d:7fb389cf26a740309ac9f34eb6f5806d
    13:31:55.674 |ID(25341) mod_sip_ua.c(3041) sip_ua_handler(): scb not found for this request
    13:31:55.674 |ID(25341) mod_sip_ua.c(1639) ua_handle_invite(): INVITE request with body: <?xml version="1.0"?>
    <RequestSystemStatus xmlns="http://www.ecma-international.org/standards/ecma-323/csta/ed3"><extensions><privateData><private><lcs:line xmlns:lcs="http://schemas.microsoft.com/Lcs/2005/04/RCCExtension">tel:2373;phone-context=dialstring</lcs:line></private></privateData></extensions></RequestSystemStatus>
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_numexpand.c(788) URL host example.com doesn't point at proxy, no number expansion on user john.doe
    13:31:55.674 |ID(25341) mod_sip_ctigw.c(6393) ctigw_csta_handler:: Session Time in config =1810
    13:31:55.674 |ID(25341) mod_sip_ctigw.c(6494) ctigw_csta_handler:: Get CSTA request: 0
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) sip_sm.c(1085) timer_ticks: id:9a39ab68 15 1810
    13:31:55.674 |ID(25341) mod_sip_ctigw.c(6544) ctigw_csta_handler:: Get CSTA request: 0-RequestSystemStatus
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_ctigw.c(6560) ctigw_csta_handler:: line=2373, device=, partition=, name=, phone-context=dialstring
    13:31:55.674 |ID(25341) mod_sip_ctigw.c(2363) Authorizing user (john.doe [email protected]) DN (2373) DEV () Partition ()
    13:31:55.674 |Mon Jun 16 13:31:55 2014] PID(25341) mod_sip_ctigw.c(1800) CTIGW DB query : execute procedure GetMOCLineAppearanceInEffect('john.doe', '[email protected]', '2373', '', '')
    13:31:55.707 |ID(25351) mod_sip_ctigw.c(2408) user  has multiple lines, but has yet selected one
    13:31:55.707 |ID(25351) mod_sip_ctigw.c(6576) ctigw_csta_handler:: FAIL AUTHORIZED userID=john.doe [email protected] line=2373, device= 
    13:31:55.707 |Mon Jun 16 13:31:55 2014] PID(25351) mod_sip_ctigw.c(922) freeQCB(): QCB -1707780688 is about to be freed
    13:31:55.707 |ID(25351) mod_sip_ua.c(221) ua_get_map_key(): SCB get failed 4125e7e6
    13:31:55.707 |Mon Jun 16 13:31:55 2014] PID(25351) mod_sip_ua.c(2674) ua_scb_destroyed(): scb 9a397758:1 key: 7d1232f0-48071418-40399a77-299640
    13:31:55.707 |ID(25351) sip_sm.c(1197) Sent 727 bytes TCP packet to 192.168.1.7:50752 
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/TCP 192.168.1.7:50752;received=192.168.1.7;branch=z9hG4bK7E5EE7B5.ECF019B6176EE77B;branched=FALSE, SIP/2.0/TLS 192.168.6.152:57095;ms-received-port=57095;ms-received-cid=1BF000
    Call-ID: ba0cd56054094212ba26145c96b39f2c
    From: "Doe, John"<sip:[email protected]>;tag=41e8aed3ab;epid=c39ec15244
    To: <sip:[email protected]>;tag=2241b56c-7230dd55
    CSeq: 1 INVITE
    Record-Route: <sip:pdx-lync-pool-2.example.local;transport=tcp;ms-fe=pdx-lync-2.example.local;opaque=state:T;lr>;tag=C4140F78AB707EE55A3542C290EE3BDD
    Contact: <sip:[email protected]:5060;transport=TCP>
    User-Agent: Cisco-Systems-Federation\8.0
    Content-Disposition: signal;handling=required
    Content-Length: 0

    I still haven't gotten confirmation, but I was able to work with my Lync admin and we found that if a user has multiple devices, you have to put the specific device in the Line URI field that it is supposed to control.  Still working through testing to confirm it will do what we need though...from what I've seen so far, I don't think it will...and Microsoft has said they're going to sunset RCC in the next version of Lync anyway, so...

  • Lync 2013 and Macbook Pro (can not complete the call ) on audio and video call

    hi everyone ,
    we installed lync2013 server on windows 2012 server .Windows client working perfectly without any problems but we have some MacBook pro (maverick) with lync 2011 installed (14.0.8) .Mac clients can log in , make Instant messaging but can not make audio and
    video calls at the moment. When I had done some logging on the Lync server, I figured out the following error message, which is
    "Start-Line: SIP/2.0 401 Unauthorized"
    TL_INFO(TF_PROTOCOL) [LYNCFE\LYNCFE]15EC.26C8::05/30/2014-13:08:46.224.00000BF4 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [3440658878]
    Trace-Correlation-Id: 3440658878
    Instance-Id: 10DF1
    Direction: outgoing;source="local"
    Peer: 10.45.40.22:54285
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:[email protected]>;tag=118c2f6503;epid=1dac663933
    To: <sip:[email protected]>;tag=59BF4D7B62264F8A815140BEC75A72BC
    Call-ID: b50d1d78ea20324eb00dbe3ed316c4b6
    CSeq: 2 INVITE
    Via: SIP/2.0/TLS 10.45.40.22:3540;received=10.45.40.22;ms-received-port=54285;ms-received-cid=243800
    Content-Length: 0
    $$end_record
    any ideas related with this error  ???
    1-I had tried 3 different mac book with 4 different user account
    2-Fresh installed lync 2011 on each MacBook ,

    Hi,
    Please try to clear all preferences for Mac Lync.
    You can do as following steps in the link:
    http://www.unicom.iu.edu/kb.php?docid=bave :
    1.  Quit Lync for Mac.
    2.  In your Home folder, open the Library folder. Note that Mac OS X 10.7 and later hides your Library folder. To access it:
           1. Press Command-Shift-g, or from the Go menu, select Go to Folder... .
           2. In the Go to Folder drop-down window, enter ~/Library, and click Go.
    3.  Remove the following files from your Library folder:
              /Users/username/Library/Preferences/com.microsoft.Lync.plist
              /Users/username/Library/Preferences/ByHost/MicrosoftLyncRegistrationDB.xxxx.plist
              /Users/username/Library/Logs/Microsoft-Lync-x.log (This file is present only if you turned on Lync Logging.)
              /Users/username/Library/Logs/Microsoft-Lync.log
    4.  In your Documents folder, remove the following:
              /Users/username/Documents/Microsoft User Data/Microsoft Lync Data
    5.  Optionally, also remove Microsoft Lync History:
              Users/username/Documents/Microsoft User Data/Microsoft Lync History
              Note: This optional step will delete saved conversations. For Mac users, the conversation history is not saved to the Exchange account, but instead is saved locally to the Mac.
    6.  Open Keychain Access from the /Applications/Utilities folder:
         1. Delete any keychains on the left that look like the following, where emailaddress is your email address: 
    OC__KeyContainer__emailaddress
         2. In your Login keychain, delete the following, where emailaddress is your email address: 
    emailaddress.cer
    7.  In the /Users/username/Library/Keychains folder, delete all files that look like the following, where emailaddress is your email address: 
    OC__KeyContainer__emailaddress  
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Nortel CS 1000 v7.5 with Lync 2013 using AudioCodes Mediant 1000 E-SBC

    Hi,
    I am trying to set up CS 1K to Mediant 1000 E-SBC using SIP trunks. The Mediant will connect to Lync 2013, again using SIP.
    I am trying to add the Mediant 1000 as a static SIP endpoint in NRS. Does anyone know of any specific settings that need to be configured on both NRS and the Mediant 1000 for it to be registered as an endpoint?
    Also, when I try to register the Mediant, a SIP 403 Forbidden error appears in the syslog of the Mediant.
    Any input will be much appreciated.

    Hi,
    You can refer to the part of “Configuring the ‘Route’ on the Lync Server 2010” in the link below, the document is for Lync server 2010 but similar for Lync server 2013:
    http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCUQFjAA&url=http%3A%2F%2Fwww.audiocodes.com%2Ffilehandler.ashx%3Ffileid%3D1623578&ei=ERn7Upn0F9SJqQGpooGoCg&usg=AFQjCNGFePk4Lcx3MxMrriiXDqfYrDqS4w&bvm=bv.61190604,d.aWM
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    You also need to do the following configuration in Lync; you can check whether any misconfiguration in Lync Server caused the error:
    SIP trunking connectivity options
    Edit Mediation Server Pool
    Associate PSTN Gateway
    Choose PSTN Gateway object
    New trunk configuration
    New translation rule
    You can refer to the link below of “Configuring Lync 2010 Server to Work with Level 3 SIP Trunking Services”, the document is for Lync server 2010 but similar for Lync server 2013:
    http://blogs.technet.com/b/nexthop/archive/2013/04/10/configuring-lync-2010-server-to-work-with-level-3-sip-trunking-services.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 Edge Certificates

    We are planning to deploy 2 Lync 2013 Edge servers with an F5 HLB. Can we deploy internal certificates on the Lync 2013 Edge servers (SIP, WebConf, and AV) and deploy an external wildcard certificate (public CA) on the F5 external interface, so that external users can be validated on the F5 with the public certificate and the F5 can trust the Edge servers in the DMZ?
    Does this solution work, or do we need only public certificates on the Edge servers?
    Tek-Nerd

    Hi Tek-Nerd,
    Agree with others.
    I’m afraid that if you use a wildcard certificate on F5, the external users might not be able to access the Lync Server.
    From https://technet.microsoft.com/en-us/library/gg398692.aspx:
    “Microsoft Lync Server 2013 uses certificates to mutually authenticate other servers and to encrypt data from server to server and server to client. Certificates require name matching of the domain name system (DNS) records associated with the servers and the subject name (SN) and subject alternative name (SAN) on the certificate. To successfully map servers, DNS records and certificate entries, you must carefully plan your intended server fully qualified domain names as registered in DNS and the SN and SAN entries on the certificate.”
    Best regards,
    Eric

  • How to achieve Multi-Tenant in Lync Server 2013 Enterprise Edition

    Hi,
    As LHPv2 is discontinued, does anyone have an idea how to achieve multi-tenancy in Lync Server 2013 Enterprise Edition?
    E.g. users from different tenants should not be able to communicate unless it is allowed either by federation or in some other form.
    J.B.Patnaik

    Once a topology has been published, you cannot change the FQDN.
    You can also refer to shah-Khan's answer; it will be helpful for you:
    http://social.technet.microsoft.com/Forums/lync/en-US/47d4e101-4f7b-4115-8f44-897eb5410acb/need-to-change-a-published-fqdn-lync-pool-for-lync-enterprise-2010?forum=ocsplanningdeployment
    Mai Ali

  • Lync 2013 DNS requirements in a multi tenant deployment

    Hi All,
    We are planning to deploy Lync 2013 Enterprise in a two-site (pool) deployment. Both sites are separated by a WAN link.
    Our primary SIP domain is xyz.com
    For site A, we have
    1) A pool name siteApool.xyz.com
    2) 2 FEs name siteAfe001.xyz.net and siteAfe002.xyz.net
    3) A edge for external access siteAedge
    For site B, we have
    1) A pool name siteBpool.xyz.com
    2) A FE name siteBfe001.xyz.net
    Site B users will use the edge at site A for external access.
    As per our R&D, we know that the following records are required for external access:
    Access/webcon/av.xyz.com
    _sip_tls.xyz.com
    Apart from that, we also need the following service URL records:
    dialin.xyz.com
    meet.xyz.com
    admin.xyz.com
    sip.xyz.com
    Our problem starts here, because we only manage the xyz.net DNS, not the xyz.com DNS (it is our public DNS), which raises two questions:
    1) As both the internal and external users are going to use the same service URL records (dialin/meet/admin/sip.xyz.com), how can we make sure that when a user uses Lync on the office LAN, the service URLs are resolved by the xyz.net DNS and are not routed to xyz.com (public DNS) for DNS resolution?
    2) As I said, we have a two-site deployment and we need common service URL records (dialin/meet/admin/sip.xyz.com) to be used by users at both sites. How can I make sure that when a user at site A asks for dialin/meet/admin/sip.xyz.com it gets routed to siteApool.xyz.com, and when a user at site B asks for dialin/meet.xyz.com it gets routed to siteBpool.xyz.com? We need such functionality to save unnecessary WAN traffic.
    Please help me to figure out the most suitable design.
    Thanks,
    Mohit Taneja

    Hi Mohit Taneja,
    Some additional information.
    About the DNS requirements, you could refer to the following article.
    http://technet.microsoft.com/en-us/library/gg398082.aspx
    About the network traffic, it depends on where exactly the user is hosted. The central site does not decide the media traffic. If a user is hosted in site-B and organizes the meeting, media has to travel via the WAN if you don’t have an Edge server in site-B.
    Best regards,
    Eric

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation, initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains, which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1.  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
           a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
           b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2.  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
           a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
           b. Client auto-configuration:
                 i.   Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
                 ii.  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
                 iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3.  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4.  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5.  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
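
The name-matching requirement quoted in the Edge certificates thread and the SAN-per-SIP-domain trade-off discussed in this thread can be checked before ordering a certificate. The following is an added example, not code from any poster or from Microsoft: the domains, SRV targets and SAN list are constructed, the function names are hypothetical, `sip.<domain>` is an assumed naming convention, and the default limit of 25 is the per-certificate SAN cap mentioned in the question.

```python
# Added example; the domains, SRV targets and SAN list below are constructed.
SIP_DOMAINS = ["tenant-a.example", "tenant-b.example", "tenant-c.example"]
# tenant-b's SRV record points at tenant-a's Access Edge FQDN (one shared name).
SRV_TARGETS = {"tenant-b.example": "sip.tenant-a.example"}
CERT_SANS = ["sip.tenant-a.example", "*.tenant-c.example"]


def coverage(fqdn, cert_sans):
    """Return 'exact', 'wildcard-only' or 'missing' for one required name."""
    fqdn = fqdn.lower().rstrip(".")
    sans = [s.lower().rstrip(".") for s in cert_sans]
    if fqdn in sans:
        return "exact"
    # Generic TLS rule: '*.' stands for exactly one left-most label.
    _, _, parent = fqdn.partition(".")
    if parent and "*." + parent in sans:
        return "wildcard-only"
    return "missing"


def srv_shares_namespace(sip_domain, srv_target):
    """True when the SRV target host sits inside the SIP domain it serves."""
    domain = sip_domain.lower().rstrip(".")
    target = srv_target.lower().rstrip(".")
    return target.endswith("." + domain)


def audit_edge(sip_domains, srv_targets, cert_sans, san_limit=25):
    """Per SIP domain: SRV target, namespace match and SAN coverage."""
    report = {}
    for domain in sip_domains:
        # Assumed convention: sip.<domain> unless an SRV target is given.
        target = srv_targets.get(domain, "sip." + domain)
        report[domain] = {
            "target": target,
            "namespace_ok": srv_shares_namespace(domain, target),
            "san": coverage(target, cert_sans),
        }
    needed = sorted({row["target"] for row in report.values()})
    return report, needed, len(needed) > san_limit


if __name__ == "__main__":
    report, needed, over = audit_edge(SIP_DOMAINS, SRV_TARGETS, CERT_SANS)
    for domain, row in report.items():
        print(domain, row)
    print("distinct SANs needed:", len(needed), "over limit:", over)
```

A domain with `namespace_ok` false needs no SAN of its own but falls into the SRV/A namespace mismatch described in the quoted best-practices passage; `wildcard-only` rows are names that no explicit SAN entry covers.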
