Lync 2013 federation failing for a specific domain

Similar Messages

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Lync 2013 standard server for 3000

  Planning to deploy Lync 2013 standard server for 3000 users, IM/presence, Audio/video, persistence chat, monitoring/archive. external access required so 1 edge server in DC and 1 in DR. No enterprise voice. DC and DR are corrected with dark fiber
  one lync 2013 standard server in DC and 1 in DR. 1 edge server in DC and  1 Edge server in D R.have couple of queries. 
  1. can i get HA while doing server pairing in DC and DR?
  2. how much time will it take for frontend failover if my frontend server is down in DC.
  3. how much time will take for external access failover in DC and DR?
  4. are there any potential risks if using standard version instead of enterprise? 
  Basically client  need cost effective solution  as lync is not critical for him, does not want to use 3 FE servers in DC and 3 FE in DR to achive HA.  want to achieve the solution with standard servers.

  1) HA typically refers to automatic failover, so not with Standard edition, but you can get manual failover with this with nearly full functionality.
  2) Again, this is manual, but once invoked less than 20 minutes I'd think, possibly faster, only testing invoke-failover will tell you for sure but it won't be too bad.
  3) This involves a topology change to change the federation route, possibly next hop for the edge, and possibly media path for a front end pool.  That can be completed and replicated in under a minute.  You may want to point your external simple
  URLs and such (lyncdiscover) at the remaining server, this may be a DNS change to point to a separate reverse proxy.  Your _sipfederationtls._tcp SRV record can have a lower matching partner as well, but I typically prefer to keep low TTLs on the external
  DNS records so they can be changed quickly.
  4) Sure, no automatic failover, your scalability is limited without building out new pools later, no SQL backend that can be mirrored for a bit more resiliency.  But again, you can manually failover without issue, you just have to be able to tolerate
  a short outage.
  Technically, you'd only need 1 FE in the DR site.  You have to match Ent/Ent or Std/Std in a pool pair, but the number of servers don't need to match.  Still, the HLB and SQL requirements can be costly so I understand this.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Bug: Customizing Convergence banner for a specific domain does not work

  Hi,
  I'm trying to customize the banner for a specific domain, I was following the steps from the documentation but I found that there is a bug relate: Bug #6749263 And I tried to find if the bug was already resolved in convergence 1.0-7.01 and the search in bugs.sun.com gets nothing.
  Does anybody knows if the bug was fixed in convergence 1.0-7.01?
  Thanks in advanced.

  ofonseca wrote:
  I'm trying to customize the banner for a specific domain, I was following the steps from the documentation but I found that there is a bug relate: Bug #6749263 And I tried to find if the bug was already resolved in convergence 1.0-7.01 and the search in bugs.sun.com gets nothing.The bug hasn't been fixed (according to the bug notes).
  Regards,
  Shane.

• Command how many mails when through the mailstore for a specific domain.

  I need to get info from the maillog to see how many mails when through the mailstore for a specific domain.
  For example all the mails send and received by example.com witch is hosted on that 2005q1 mailserver.
  Anyone know the commands to get it out.

  The data is certainly in the mail.log.
  You may want to start with the perl log parsing script, here:
  http://ims.balius.com/resources/downloads/files/imslog.pl

• Lync 2013 federation and mobile push 504 error

  Hello,
  In our company we have deployed Lync 2013 Standard with last CU
  1. Front End - External web serwis and mobile sing by wildcard certyfikate trusted in Internet, and Internal webserwis sing by our Internal CA not trusted in internet
  In Topology is registred: LyncFE.company.local
  Default SIP domain is company.com
  2. Edge Server  - All in one server sing by our Internal CA not trusted in internet with Subject Alternative Names: sip.company.local, sip.company.com, LyncEDGE.company.com
  In Topology is registred: LyncEDGE.company.local
  3. Reversed Proxyand NAT and firewall setup our firewall with Port Translating
  LyncEDGE.comapny.local have asigned by NAT public IP Adres 10.10.10.10
  LyncFE.company.local have asingned by NAT public adres IP 10.10.10.11
  Incoming traffic for 10.10.10.10 and 10.10.10.11 Lync ports TCP/UDP from documentation
  Outgoing traffic for 10.10.10.10 (LyncEDGE) on TCP 5061 need for federation
  4. DNS setup
  We have split domain and DNS like this:
  Company.local (Internal DNS) and Company.com (External DNS)
  DNS Records in our External DNS:
  LyncEDGE.company.com record A 10.10.10.10
  LyncFE.company.com record A 10.10.10.11
  sip.comapny.com TLS --> LyncEDGE.copmany.com
  _sipfederationtls._tcp.company.com -> LyncEDGE.copmany.com
  _sipinternaltls._tcp.company.com --> -> LyncEDGE.copmany.com
  lyncdiscover.company.com --> 10.10.10.10
  In this setup works for now: Lync Audio Video, Mobile access. And now we trying setup Federation and Push notyfication and when we testing we get 504 form serwer.
  Test-CsFederatedPartner -TargetFqdn lyncedge.company.local (This is the name of our LyncEDGE server in topology)-Domain microsoft.com
  Test-CsFederatedPartner : A 504 (Server time-out) response was received from
  the network and the operation failed. See the exception details for more
  information.
  At line:1 char:1
  + Test-CsFederatedPartner -TargetFqdn lyncedge.pep.local -Domain microsoft.com
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : OperationStopped: (:) [Test-CsFederatedPartner],
      FailureResponseException
      + FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.Sy
     ntheticTransactions.TestFederatedPartnerCmdlet
  My lyncedge.company.com was add by Microsoft as Federation for Skype
  telnet form Front End server to LyncEDGE.company.local on port 5061 works
  Firewall show outbond traffic form LyncEDGE.company.com (10.10.10.10) to Microsoft site
  But still i cant get working federation and push notyfication for mobile some one can advise where problem can be? I think problem is with our certyficate setup on EDGE server that is sing by our Internal CA not trusted in Internet.

  Hi, I exchanged root certyfikates with my partner. And now he can see my status, call Video, send IM to my all account but I can't do nothink I get 504, on my logs I see below:
  I tested
  telnet sip.partnerdomian.pl 5061 -- OK
  telnet sip.partnerdomian.pl 443-- ok
  nslookup _sipfederationtls._tcp.partnerdomian.pl --> sip.partnerdomian.pl port 5061
  All is ok but still timeout, where look for problem on my site or partner site. He have 3 IP LAN adreses on Edge NAT on one public
  TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006bc75 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
  Trace-Correlation-Id: 441892531
  Instance-Id: 2B8A
  Direction: outgoing;source="internal edge";destination="external edge"
  Peer: 195.0.0.1:15224
  Message-Type: response
  Start-Line: SIP/2.0 504 Server time-out
  From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
  To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
  Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  CSeq: 1 SUBSCRIBE
  Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
  Content-Length: 0
  ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
  ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-network=federation;ms-source-verified-user=unverified
  $$end_record
  TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006bc14 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
  Severity: information
  Text: Response successfully routed
  SIP-Start-Line: SIP/2.0 504 Server time-out
  SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  SIP-CSeq: 1 SUBSCRIBE
  Peer: 195.0.0.1:15224
  Data: destination="[email protected]"
  $$end_record
  TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
  Trace-Correlation-Id: 441892531
  Instance-Id: 2B8A
  Direction: incoming;source="internal edge";destination="external edge"
  Peer: LyncFE.domain.local:5061
  Message-Type: response
  Start-Line: SIP/2.0 504 Server time-out
  From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
  To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
  Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  CSeq: 1 SUBSCRIBE
  Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
  Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.0.0.1;ms-received-port=15224;ms-received-cid=11600
  Content-Length: 0
  ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomin.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
  ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
  $$end_record
  TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531]
  $$begin_record
  Trace-Correlation-Id: 441892531
  Instance-Id: 2B89
  Direction: outgoing;source="external edge";destination="internal edge"
  Peer: LyncFE.domain.local:65236
  Message-Type: response
  Start-Line: SIP/2.0 504 Server time-out
  From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
  To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
  Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  CSeq: 1 SUBSCRIBE
  Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
  Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
  Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
  Content-Length: 0
  ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomian.pl";PeerServer="sip.partnerdomian.pl";source="MyEdge.domain.pl"
  ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
  $$end_record
  TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b704 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
  Severity: information
  Text: Response successfully routed
  SIP-Start-Line: SIP/2.0 504 Server time-out
  SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  SIP-CSeq: 1 SUBSCRIBE
  Peer: LyncFE.domain.local:65236
  $$end_record
  TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b57a (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
  Severity: information
  Text: The message has an Allowed Partner Server domain
  SIP-Start-Line: SIP/2.0 504 Server time-out
  SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  SIP-CSeq: 1 SUBSCRIBE
  Peer: sip.partnerdomain.pl:5061
  Data: domain="partnerdomian.pl"
  $$end_record
  TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
  Trace-Correlation-Id: 441892531
  Instance-Id: 2B89
  Direction: incoming;source="external edge";destination="internal edge"
  Peer: sip.opteam.pl:5061
  Message-Type: response
  Start-Line: SIP/2.0 504 Server time-out
  From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
  To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
  Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
  CSeq: 1 SUBSCRIBE
  Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E.CBA9E35BA4B1BC2F;branched=FALSE;ms-internal-info="bdfQfcjHqEGEYXjrThA5NV7b6oZKoU2jzjNeGxP_cA0_tb46nLxN-KzAAA";received=195.8.106.130;ms-received-port=56348;ms-received-cid=11AC00
  Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
  Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
  Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
  Content-Length: 0
  $$end_record

• MS Lync 2013 federation with Cisco CUP 8.6

  Hi all,
  I am currently trying to federate CUPS 8.6 with MS Lync 2013.
  After a lot of certificate issues we finally got a one-way IM from CUPS to Lync. I can't get Presence in either direction or send an IM from Lync to CUPS user.
  I have followed the Cisco guide for inter-domain federation within an enterprise. so no edge server or Cisco ASA involved.
  The error message I am seeing on the Lync side is:
  ms-diagnostics:
  1010;reason="Certificate trust with another server could not be established";ErrorType="Refer to HRESULT code for specific security status";tls-target="CUP-A.cupdomain.co.uk";HRESULT="0x80090326(SEC_E_ILLEGAL_MESSAGE)";source="LCT-LYNCFE01.lyncdomain.net"
  On the CUP side I can see the TLS session being dropped with this error message:
  17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_verify_callback: TLS protocol error(ssl reason code=(null) [0]),lib=(null) [0],fun=(null) [0], errno=0
  17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(2409) SSL server accept returned SSL_ERROR_SSL
  17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_accept: TLS protocol error(ssl reason code=no certificate returned [178]),lib=SSL routines [20],fun=SSL3_GET_CLIENT_CERTIFICATE [137], errno=0
  17:22:58.945 |Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(1056) sip_tcp : Hard close/destroy of tcp connid 93 sock_fd 37 flags 0
  On the cisco side I have only set a TLS Peer as the LYNCPOOL server. do I need to set up a TLS Peer for all of the Lync Servers?
  The lyncpool server has client and server enhanced key usage - do I need to reissue the certs with this for ALL servers in the lync cluster?
  It seems like TLS will neogotiate successfully using the LYNCPOOL server but not with any of the other servers. Must be missing something simple.
  Many thanks for advice.
  Regards
  Lee.

  Hi,
  Please double check the listen port of Lync Server．
  In the Lync Server Management Shell enter the following command to verify the current system configuration: Get-CSRegistrarConfiguration
  More ports requirement for Lync server you can refer to the link below:
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_6/english/integration_notes/IntegrationNote_CUP86_MicrosoftLyncServer2010_RCC.html
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
  sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync 2013 Logon Failing (HTTP status code 500) No valid security token

  Hello there,
  I'm in the process of deploying Lync 2013.  I have the pool deployed and everything is at least running.  I can access the control panel and provision users.  However when I try to logon to the Lync Client I get a DNS error.  The DNS
  error appears to be misleading and is a result of the earlier auto-detection methods failing.
  However using the Lync Connectivity Analyzer I get a "No valid security token." error.  This doesnt matter if I use auto-detection or manual pointing the Connectivity Analyzer to the pool servers.
  [3/2/2015 9:34:15 AM] [ERROR] Reason: Internal server error (HTTP status code 500)
  [3/2/2015 9:34:15 AM] [ERROR] Ms-Diagnostics-Fault ErrorId: 28020, Reason: No valid security token.
  [3/2/2015 9:34:15 AM] [CRITICAL] The credentials were not authorized by the server. Please verify your login credentials and try again.
  [3/2/2015 9:34:15 AM] [DEBUG] System.Exception: Exception of type 'System.Exception' was thrown.
  at Microsoft.LyncServer.WebServices.WebTicketManager.WTExceptions(String exText)
  at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireTicketAsync>d__19.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireOpaqueTicketAsync>d__14.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<AuthenticationRequired>d__2a.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<ParseResponse>d__16.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
  Im a bit stumped where to go next.
  Thanks.

  Manually entering the server also fails and does not provide much to help "We're having trouble connecting to the server. If this continues, please contact your support team."
  I found that each time I try to logon it generates a Schannel Error on the server.  "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51.
  The Windows SChannel error state is 1106."
  There seems to be a lot more information on that than the previous "Internal Error" message I was trying to deal with.
  https://social.technet.microsoft.com/Forums/office/en-US/41718327-203f-445f-8657-87b0a8545ead/lync-2013-client-signin-issue-with-lync-2013-server?forum=lyncprofile
  Actually I just found the Lync Server Front-End is stuck "starting" so that would explain why I cannot login.  However I re-issued my certificate to make sure the primary CN matched "lync.domain.tld" and it still wont start.
  https://expertslab.wordpress.com/2014/04/23/lync-server-2013-front-end-service-stuck-on-starting/
  I think my problem is the certificate.  I have been trying to use selfSSL7 to generate the certificate for testing but it does not support creating SAN entries so I have entered all the FQDNs as CN entries.
  Im going to get another method to generate the self-signed certificate for testing.

• Lync 2013 federation with Skype error: 'Reference error id 504 (Source ID 239)

  I have setup lync 2013, configured skype federation (http://www.techtroubleshoot.com/federate-lync-server-with-skype/) and also done Lync provisioning. Skype federation worked for a few days (2weeks) and then stopped. Currently I am getting the following
  error 'Reference error id 504 (Source ID 239)'.
  Ports are open on the firewall. I however still get the error.
  KimaniBob

  Verify from following:
  you can telnet to your sip domain on port 5061 and 443 from external and resolve of nslookup to srv record of sipfederation is correct.
  Certificate on Edge Server not expire or damaged.
  This link had similar issue, you can check it.
  http://terenceluk.blogspot.com/2013/04/unable-to-send-instant-messages-or-view.html
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

• Lync 2013 Federation

  Hi,
  We are planning to Deploy Lync Server 2013 Federation with client domain.
  We have a separate domain at client location onsite (They have their own Lync environment) and Separate domain in Our offshore ODC. The Point-to-Point (Dedicated link ) enabled. So there is no DMZ. We are planning to enable lync federation with client domain.
  Can We place Edge Server in the same network where Front end Server installed? How do we go about this requirement? Please suggest.

  For configure Lync Edge, you need to have two network adapters for each Edge Server, one for the internal-facing interface and one for the external-facing interface.
  Yes, you can put internal NIC with Lync Front End
  For more details about Network interface of Lync Edge, you can check below link
  http://technet.microsoft.com/en-us/library/gg412847.aspx
  For Deploy and Configure Lync Edge
  http://technet.microsoft.com/en-us/library/gg398147.aspx
  Configuring SIP federation, XMPP federation and public instant messaging in Lync Server 2013
  http://technet.microsoft.com/en-us/library/jj205134.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• Is it possible Lync 2013 to be installed on a Domain Controller?

  I run a small infrastructure with two servers only,
  Both Domain Controllers with Windows 2008 R2 and the one is a file server too. I would like to know if I can install Lync 2013 Standard Server to any of them? I have not found a clear answer anywhere as I found for 2010.
  Thank You in advance
  Alexios

  Hi,
  Agree with Michael,
  You can't install Lync server on DC. You should use another server.
  Here is a similar may help you, it is for Lync server 2010 but similar for Lync server 2013:
  http://social.technet.microsoft.com/Forums/lync/en-US/0fa9f538-c076-4fdf-9c84-bd00499136ec/why-cant-lync-server-2010-be-installed-on-a-dc?forum=ocsplanningdeployment
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync 2013 on a single lable root domain

  Hello All
  my enviroemnt is in a child root let say its "contoso.local" the root is .local and the child is contoso.local , with this configuration can I install lync 2013? if not is there any workaround other than rename my domain? your help is much
  appreciated.
  THX

  Hi Mado,
  Unfortunately, installing Lync in a Forest with a single label root domain is not supported;
  "Lync Server does not support single-labeled domains. For example, a forest with a root domain named
  contoso.local is supported, but a root domain named
  local is not supported. For details, see Microsoft Knowledge Base article 300684, “Information about configuring Windows for domains with single-label DNS names,” at
  http://go.microsoft.com/fwlink/p/?linkId=143752."
  This is not to say it would not work, but I would never put this into a production environment based on Microsofts stance on this.
  Kind regards
  Ben

• Lync 2013 Mobility - Works for Android, not iOS

  Here's the situation I am facing right now.
  I have installed Lync 2013 for a client and have everything working finally but have hit a roadblock that I just can't seem to overcome.
  The environment is this:
  1 Lync 2013 Standard Edition Server (Front End)
  1 Lync 2013 Persistent Chat Server
  1 Lync 2013 Edge Server
  1 Reverse Proxy Server
  Like I said everything looks like it's working, save one thing. Clients using iPhones can't connect to the service but Android devices can. That's the only thing.
  Here is a log snippet from my test device:
  POST https://lync.mydomain.org/webticket/webticketservice.svc
  Request Id: 0x70b5f68
  HttpHeader:Content-Length 1293
  HttpHeader:Content-Type text/html
  HttpHeader:Date Wed, 18 Dec 2013 17:40:32 GMT
  HttpHeader:Server Microsoft-IIS/7.5
  HttpHeader:StatusCode 401
  HttpHeader:Www-Authenticate Negotiate, NTLM, Basic realm="lync.mydomain.org"
  HttpHeader:X-Powered-By ASP.NET
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
  <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
  <style type="text/css">
  <!--
  body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
  fieldset{padding:0 15px 10px 15px;}
  h1{font-size:2.4em;margin:0;color:#FFF;}
  h2{font-size:1.7em;margin:0;color:#CC0000;}
  h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
  #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
  background-color:#555555;}
  #content{margin:0 0 0 2%;;}
  .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
  -->
  </style>
  </head>
  <body>
  <div id="header"><h1>Server Error</h1></div>
  <div id="content">
   <div class="content-container"><fieldset>
    <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
   </fieldset></div>
  </div>
  </body>
  </html>
  </ReceivedResponse>
  Everything looks like it's going good until it gets there and then at the bottom of the log I see this:
  2013-12-18 11:40:47.602 Lync[7237:907]  is not a valid email address.
  This user has no problems signing on to his computer or Lync there. Also, I can sign on to an Android device with his account.
  If anyone has an idea on this I welcome it. Please help.

  Hi Okrobpr,
  Did you solved the issue with the help of Michael provided?
  Basically the IOS clients do not support the basic NTLM Authentication method while Windows Phone and Android clients do. So you can check the UseWindowsAuth option is true running the command in Lync Server Management Shell:
  Get-CsWebServiceConfiguration
  If it shows NTLM you can run the command:
  Set-CsWebServiceConfiguration –UseWindowsAuth Negotiate
  Get-CsWebServiceConfiguration to make it to be Negotiate.
  Please also make sure you have updated to the latest version for Lync Server and clients.
  You can check if there are any errors in event viewer of FE server.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Not all contacts showing in lync 2013 client search for most of the users

  Dears
  i have an issue in searching for contacts in Lync client 2013.
  i already set the Global client policy to websearchonly and still not able to see all the contacts.
  what should i do else? 
  we are using:
  - windows 7 ent 64bit
  - microsoft office 2010 plus 32bit
  - microsoft lync basic 32bit
  and on the server side:
  - windows server 2012 64bit
  - lync server 2013
  appreciate your swift response
  Moayad Sewar

  Ok Moayad, thank you for these info.
  It looks ok, I cannot find strange settings.
  Did you do this check?
  %userprofile%\appdata\Local\Microsoft\Office\15.0\Lync
  enter the sip_<usersipuri> folder
  you will find two files
  GalContacts.db
  GalContacts.db.idx
  open the GalContacts.db with notepad, you can find every AD Users and Contacts that Lync consider eligible
  for the GAL.
  Try to find in this file some Contacts that lync users cannot find. If you cannot find here we've to investigate
  more deeply into AD Attributes.
  Regards
  Luca
  Luca Vitali | MCITP Lync/Exchange | snom Certified Engineer | Sonus SBC1000 Engineer

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton