Lync 2013 federation failing for a specific domain

Hello,
We have recently migrated to Lync 2013 and noticed that one of the domains we federate with is unable to federate with us.
We are getting the following error:
Log Name:      Lync Server
Source:        LS Protocol Stack
Event ID:      14428
Task Category: (1001)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.fqdn.com
Description:
TLS outgoing connection failures.
Over the past 28 minutes, Lync Server has experienced TLS outgoing connection failures 4 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying to connect to the server "sip.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "Unavailable".
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
Thanks

Thanks Michael.
That worked for one of the two issues I'm seeing. I used the same steps for the second issue but it didn't seem to work: I have imported the CA of the domain we would like to federate with into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, per the certificate issuer's website guidelines. I did learn that the federated partner is also using OCS 2007 R2; not sure if this has anything to do with it.
Over the past 30 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80072746 while trying to connect to the server "ocs.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "ocs.example.com".
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
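The 14428 event only reports the Schannel status code of the last failure. The following function, an added example written for this page and not part of the original thread or of Lync Server itself, reproduces the Edge server's outgoing connection from PowerShell: it connects to the address given in the event, validates the peer certificate against the FQDN the Edge used, and reports the chain status, policy errors and SAN list instead of hiding them in an exception. The parameter defaults (port 5061, a 5 second timeout, the LocalMachine\My store for an optional client certificate) are assumptions, not values taken from the thread.

```powershell
# Added example (not from the original thread): open a TLS connection to a federation
# partner's Access Edge and report what the local machine thinks of its certificate.
function Test-FederationPeerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PeerFqdn,      # name from the event, e.g. sip.example.com
        [string]$ConnectAddress = $PeerFqdn,          # address from the event, e.g. 10.10.10.10
        [int]$Port = 5061,
        [string]$ClientCertificateThumbprint,         # optional: present the Edge certificate (MTLS)
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Peer = "$PeerFqdn at $ConnectAddress`:$Port"; TcpConnected = $false; TlsCompleted = $false
        Subject = $null; Issuer = $null; NotAfter = $null; SanNames = @(); NameMatches = $false
        ChainStatus = @(); PolicyErrors = $null; Error = $null
    }
    # The validation callback records the peer certificate, chain status and policy errors and
    # returns $true so the handshake continues and the certificate can be inspected afterwards.
    $capture = @{}
    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $capture.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $capture.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $capture.Errors = $sslPolicyErrors.ToString()
        $true
    }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $async = $client.BeginConnect($ConnectAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to $ConnectAddress`:$Port timed out" }
        $client.EndConnect($async)
        $result.TcpConnected = $true

        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validator)
        $ssl.ReadTimeout = $TimeoutMs; $ssl.WriteTimeout = $TimeoutMs
        try {
            if ($ClientCertificateThumbprint) {
                $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
                $clientCerts.Add((Get-Item "Cert:\LocalMachine\My\$ClientCertificateThumbprint")) | Out-Null
                # TLS 1.0 stays enabled because older peers (e.g. OCS 2007 R2) may not negotiate 1.2.
                $protocols = [System.Security.Authentication.SslProtocols]::Tls12 -bor [System.Security.Authentication.SslProtocols]::Tls
                $ssl.AuthenticateAsClient($PeerFqdn, $clientCerts, $protocols, $false)
            } else {
                $ssl.AuthenticateAsClient($PeerFqdn)   # name check uses the FQDN even when connecting by IP
            }
            $result.TlsCompleted = $true
        } catch {
            # A reset here (WSAECONNRESET, shown as 0x80072746 in the event) means the peer closed the
            # connection during the handshake; a certificate received before that is still reported.
            $result.Error = $_.Exception.GetBaseException().Message
        }
        if ($capture.Cert) {
            $cert = $capture.Cert
            $result.Subject = $cert.Subject; $result.Issuer = $cert.Issuer; $result.NotAfter = $cert.NotAfter
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($sanExt) {   # Format($true) yields one "DNS Name=host" per line on Windows
                $result.SanNames = @($sanExt.Format($true) -split '\r?\n' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() } | Where-Object { $_ })
            }
            $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            $result.NameMatches  = (@($cn) + $result.SanNames) -contains $PeerFqdn   # exact match; wildcards not expanded
            $result.ChainStatus  = $capture.Chain
            $result.PolicyErrors = $capture.Errors
        }
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage: the FQDN and address come from the 14428 event (or from
# Resolve-DnsName -Type SRV _sipfederationtls._tcp.<partner domain>).
Test-FederationPeerCertificate -PeerFqdn sip.example.com -ConnectAddress 10.10.10.10 | Format-List
```

Run it on the Edge server itself, since that is the machine whose trust store matters. A ChainStatus containing UntrustedRoot corresponds to the 0x80090325 (SEC_E_UNTRUSTED_ROOT) event, PolicyErrors containing RemoteCertificateNameMismatch corresponds to the "target principal name is incorrect" case, and TcpConnected true with TlsCompleted false and a "forcibly closed" error means the remote side dropped the connection rather than the local machine rejecting the certificate. Without -ClientCertificateThumbprint no client certificate is offered, so a peer that requires mutual TLS may reset the connection for that reason alone; pass the Edge certificate's thumbprint to rule that out.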

Similar Messages

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - supported by the desktop client but not by other devices, so not really workable.
       b. Don’t support XMPP federation, therefore removing the need for domain name FQDNs for each SIP domain.
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page:
          http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i.   Don’t support mobile client auto-configuration, in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii.  Support mobile client auto-configuration over HTTP only, in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS, in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack, but I'm not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge, where their tenants will be internal, and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
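The thread above reduces to a counting exercise: each option either adds one name per SIP domain to the external Edge certificate, to the reverse proxy certificate, or to neither. The function below is an added example written for this page, not code from the thread or from Microsoft; it encodes those rules so the result can be compared with a provider's SAN ceiling. The host labels used for the shared names on the designated domain (sip, webconf, av, lyncweb, lyncdiscover, meet, dialin) are assumptions standing in for the real topology.

```powershell
# Added example (not from the thread): count the SAN entries the options discussed above
# would require on the external Edge and reverse proxy certificates.
function Get-LyncExternalSanPlan {
    param(
        [Parameter(Mandatory)][string[]]$SipDomain,        # every SIP domain to be supported
        [Parameter(Mandatory)][string]$DesignatedDomain,   # domain carrying the shared FQDNs (the post's "designateddomain")
        # Assumed host labels on the designated domain; adjust to the real topology.
        [string[]]$EdgeBaseName = @('sip', 'webconf', 'av'),
        [string[]]$ReverseProxyBaseName = @('lyncweb', 'lyncdiscover', 'meet', 'dialin'),
        [switch]$UniqueAccessEdgePerDomain,   # sip.<domain> on the Edge for each SIP domain (the Schertz recommendation)
        [switch]$XmppFederation,              # bare <domain> on the Edge for each SIP domain
        [switch]$MobileAutodiscoverHttps,     # lyncdiscover.<domain> on the reverse proxy for each SIP domain
        [int]$ProviderSanLimit = 25           # e.g. the 25-SAN ceiling quoted for Thawte/GeoTrust
    )
    $edge = @(foreach ($b in $EdgeBaseName) { "$b.$DesignatedDomain" })
    $rp   = @(foreach ($b in $ReverseProxyBaseName) { "$b.$DesignatedDomain" })
    foreach ($d in $SipDomain) {
        if ($d -ieq $DesignatedDomain) { continue }      # already covered by the base names
        if ($UniqueAccessEdgePerDomain) { $edge += "sip.$d" }
        if ($XmppFederation)            { $edge += $d }
        if ($MobileAutodiscoverHttps)   { $rp   += "lyncdiscover.$d" }
    }
    $edge = @($edge | Sort-Object -Unique)
    $rp   = @($rp   | Sort-Object -Unique)
    [pscustomobject]@{
        EdgeSanCount            = $edge.Count
        EdgeWithinLimit         = $edge.Count -le $ProviderSanLimit
        ReverseProxySanCount    = $rp.Count
        ReverseProxyWithinLimit = $rp.Count -le $ProviderSanLimit
        ProviderSanLimit        = $ProviderSanLimit
        EdgeSan                 = $edge
        ReverseProxySan         = $rp
    }
}

# Usage: 30 SIP domains, a unique Access Edge FQDN per domain and HTTPS mobile autodiscover.
$domains = 1..30 | ForEach-Object { "sipdomain$_.com" }
Get-LyncExternalSanPlan -SipDomain $domains -DesignatedDomain designateddomain.com -UniqueAccessEdgePerDomain -MobileAutodiscoverHttps |
    Select-Object EdgeSanCount, EdgeWithinLimit, ReverseProxySanCount, ReverseProxyWithinLimit
```

With the assumed base names, the usage call yields 33 Edge names and 34 reverse proxy names, both over a 25-SAN limit; dropping -MobileAutodiscoverHttps (HTTP-only autodiscover with CNAMEs) brings the reverse proxy back to the four shared names, while the Edge count only falls if the per-domain Access Edge FQDNs are given up, which is the device-compatibility trade-off the quoted blog post describes.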

  • Lync 2013 standard server for 3000

    Planning to deploy Lync 2013 Standard server for 3000 users: IM/presence, audio/video, persistent chat, monitoring/archiving. External access is required, so 1 Edge server in DC and 1 in DR. No Enterprise Voice. DC and DR are connected with dark fiber:
    one Lync 2013 Standard server in DC and 1 in DR, 1 Edge server in DC and 1 Edge server in DR. I have a couple of queries.
    1. Can I get HA while doing server pairing between DC and DR?
    2. How much time will it take for front end failover if my front end server is down in DC?
    3. How much time will it take for external access failover between DC and DR?
    4. Are there any potential risks in using Standard edition instead of Enterprise?
    Basically the client needs a cost-effective solution as Lync is not critical for them; they do not want to use 3 FE servers in DC and 3 FE in DR to achieve HA, and want to achieve the solution with Standard servers.

    1) HA typically refers to automatic failover, so not with Standard edition, but you can get manual failover with this with nearly full functionality.
    2) Again, this is manual, but once invoked less than 20 minutes I'd think, possibly faster, only testing invoke-failover will tell you for sure but it won't be too bad.
    3) This involves a topology change to change the federation route, possibly next hop for the edge, and possibly media path for a front end pool.  That can be completed and replicated in under a minute.  You may want to point your external simple
    URLs and such (lyncdiscover) at the remaining server, this may be a DNS change to point to a separate reverse proxy.  Your _sipfederationtls._tcp SRV record can have a lower matching partner as well, but I typically prefer to keep low TTLs on the external
    DNS records so they can be changed quickly.
    4) Sure, no automatic failover, your scalability is limited without building out new pools later, no SQL backend that can be mirrored for a bit more resiliency.  But again, you can manually failover without issue, you just have to be able to tolerate
    a short outage.
    Technically, you'd only need 1 FE in the DR site.  You have to match Ent/Ent or Std/Std in a pool pair, but the number of servers don't need to match.  Still, the HLB and SQL requirements can be costly so I understand this.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Bug: Customizing Convergence banner for a specific domain does not work

    Hi,
    I'm trying to customize the banner for a specific domain. I was following the steps from the documentation but I found that there is a related bug: Bug #6749263. I tried to find out whether the bug was already resolved in Convergence 1.0-7.01, and the search on bugs.sun.com returns nothing.
    Does anybody know if the bug was fixed in Convergence 1.0-7.01?
    Thanks in advance.

    ofonseca wrote:
    I'm trying to customize the banner for a specific domain. I was following the steps from the documentation but I found that there is a related bug: Bug #6749263. I tried to find out whether the bug was already resolved in Convergence 1.0-7.01, and the search on bugs.sun.com returns nothing.
    The bug hasn't been fixed (according to the bug notes).
    Regards,
    Shane.

  • Command: how many mails went through the mailstore for a specific domain

    I need to get info from the mail log to see how many mails went through the mailstore for a specific domain.
    For example, all the mails sent and received by example.com, which is hosted on that 2005q1 mail server.
    Does anyone know the commands to get it out?

    The data is certainly in the mail.log.
    You may want to start with the perl log parsing script, here:
    http://ims.balius.com/resources/downloads/files/imslog.pl

  • Lync 2013 federation and mobile push 504 error

    Hello,
    In our company we have deployed Lync 2013 Standard with the latest CU.
    1. Front End - external web services and mobility signed by a wildcard certificate trusted on the Internet, and internal web services signed by our internal CA, not trusted on the Internet.
    In Topology it is registered as: LyncFE.company.local
    Default SIP domain is company.com
    2. Edge Server - all-in-one server signed by our internal CA, not trusted on the Internet, with Subject Alternative Names: sip.company.local, sip.company.com, LyncEDGE.company.com
    In Topology it is registered as: LyncEDGE.company.local
    3. Reverse proxy, NAT and firewall: we set up our firewall with port translation.
    LyncEDGE.company.local has been assigned public IP address 10.10.10.10 by NAT.
    LyncFE.company.local has been assigned public IP address 10.10.10.11 by NAT.
    Incoming traffic for 10.10.10.10 and 10.10.10.11: Lync ports TCP/UDP from the documentation.
    Outgoing traffic for 10.10.10.10 (LyncEDGE) on TCP 5061, needed for federation.
    4. DNS setup
    We have split DNS like this:
    Company.local (internal DNS) and Company.com (external DNS)
    DNS records in our external DNS:
    LyncEDGE.company.com record A 10.10.10.10
    LyncFE.company.com record A 10.10.10.11
    sip.company.com TLS --> LyncEDGE.company.com
    _sipfederationtls._tcp.company.com -> LyncEDGE.company.com
    _sipinternaltls._tcp.company.com --> LyncEDGE.company.com
    lyncdiscover.company.com --> 10.10.10.10
    In this setup Lync audio/video and mobile access work for now. Now we are trying to set up federation and push notification, and when we test we get 504 from the server.
    Test-CsFederatedPartner -TargetFqdn lyncedge.company.local (this is the name of our LyncEDGE server in topology) -Domain microsoft.com
    Test-CsFederatedPartner : A 504 (Server time-out) response was received from
    the network and the operation failed. See the exception details for more
    information.
    At line:1 char:1
    + Test-CsFederatedPartner -TargetFqdn lyncedge.pep.local -Domain microsoft.com
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [Test-CsFederatedPartner],
        FailureResponseException
        + FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.SyntheticTransactions.TestFederatedPartnerCmdlet
    My lyncedge.company.com was added by Microsoft for Skype federation.
    telnet from the Front End server to LyncEDGE.company.local on port 5061 works.
    The firewall shows outbound traffic from LyncEDGE.company.com (10.10.10.10) to the Microsoft site.
    But I still can't get federation and push notification for mobile working; can someone advise where the problem can be? I think the problem is with our certificate setup on the EDGE server, which is signed by our internal CA not trusted on the Internet.

    Hi, I exchanged root certificates with my partner. Now he can see my status, call video and send IM to all my accounts, but I can't do anything; I get 504. In my logs I see the below:
    I tested
    telnet sip.partnerdomain.pl 5061 -- OK
    telnet sip.partnerdomain.pl 443 -- OK
    nslookup _sipfederationtls._tcp.partnerdomain.pl --> sip.partnerdomain.pl port 5061
    All is OK but still timeout; where should I look for the problem, on my side or the partner's side? He has 3 LAN IP addresses on the Edge, NATed to one public IP.
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006bc75 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B8A
    Direction: outgoing;source="internal edge";destination="external edge"
    Peer: 195.0.0.1:15224
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-network=federation;ms-source-verified-user=unverified
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006bc14 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: 195.0.0.1:15224
    Data: destination="[email protected]"
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B8A
    Direction: incoming;source="internal edge";destination="external edge"
    Peer: LyncFE.domain.local:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.0.0.1;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomin.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B89
    Direction: outgoing;source="external edge";destination="internal edge"
    Peer: LyncFE.domain.local:65236
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomian.pl";PeerServer="sip.partnerdomian.pl";source="MyEdge.domain.pl"
    ms-edge-proxy-message-trust: ms-source-type=DirectPartner;ms-ep-fqdn=LyncEDGE.domain.local;ms-source-verified-user=unverified;ms-source-network=federation;ms-local-fcp=yes
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b704 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: LyncFE.domain.local:65236
    $$end_record
    TL_INFO(TF_DIAG) [0]0548.1970::12/30/2014-20:51:59.558.0006b57a (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[441892531] $$begin_record
    Severity: information
    Text: The message has an Allowed Partner Server domain
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    SIP-CSeq: 1 SUBSCRIBE
    Peer: sip.partnerdomain.pl:5061
    Data: domain="partnerdomian.pl"
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
    Trace-Correlation-Id: 441892531
    Instance-Id: 2B89
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: sip.opteam.pl:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michał Machniak"<sip:[email protected]>;tag=2f81462440;epid=2ca2532739
    To: <sip:[email protected]>;tag=FA942E991CA5A3E9E440BCB9A3FDDF44
    Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
    CSeq: 1 SUBSCRIBE
    Via: SIP/2.0/TLS 172.19.20.25:56348;branch=z9hG4bK62EA2C6E.CBA9E35BA4B1BC2F;branched=FALSE;ms-internal-info="bdfQfcjHqEGEYXjrThA5NV7b6oZKoU2jzjNeGxP_cA0_tb46nLxN-KzAAA";received=195.8.106.130;ms-received-port=56348;ms-received-cid=11AC00
    Via: SIP/2.0/TLS 172.19.23.75:65236;branch=z9hG4bK9FFA2BA6.757019415D97CC30;branched=FALSE;ms-received-port=65236;ms-received-cid=1400
    Via: SIP/2.0/TLS 172.19.23.80:49973;branch=z9hG4bKC86F300B.DA568731A4B1BC2F;branched=FALSE;ms-received-port=49973;ms-received-cid=894D00
    Via: SIP/2.0/TLS 172.19.19.23:59211;received=195.8.106.114;ms-received-port=15224;ms-received-cid=11600
    Content-Length: 0
    $$end_record
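Reading a trace like the one above by hand is error-prone because the records are pasted newest-first and the same 504 appears once per hop. The parser below is an added example written for this page, not part of the thread or of the Lync logging tools; it splits the $$begin_record/$$end_record blocks, orders them by the write sequence that ends each timestamp, and reports for each Call-ID which peer first delivered the response and which hop attached the ms-diagnostics header. The sample trace is constructed in the shape of the records above with placeholder names; it is not the poster's data.

```powershell
# Added example (not from the thread): parse Lync SIP stack trace records and show, per
# Call-ID, where a response entered the path and which hop added ms-diagnostics.
function ConvertFrom-LyncSipTrace {
    param([Parameter(Mandatory)][string]$TraceText)
    $pattern = '(?s)TL_INFO\([^)]+\)\s*\[\d+\]\S+::(\S+)\s.*?\$\$begin_record\s*(.*?)\$\$end_record'
    foreach ($m in [regex]::Matches($TraceText, $pattern)) {
        $parts  = $m.Groups[1].Value -split '\.'        # 12/30/2014-20:51:59 . 558 . 0006b949
        $fields = @{}
        foreach ($line in ($m.Groups[2].Value -split '\r?\n')) {
            if ($line -match '^\s*([A-Za-z][\w-]*):\s*(.*)$') {
                $name = $Matches[1]; $value = $Matches[2].Trim()
                if ($fields.ContainsKey($name)) { $fields[$name] = @($fields[$name]) + $value } else { $fields[$name] = $value }
            }
        }
        $status = if ($fields['Start-Line'] -match '^SIP/2\.0 (\d{3})') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Seq         = [Convert]::ToInt64($parts[-1], 16)   # per-file write sequence; lower = written earlier
            Time        = $parts[0] + '.' + $parts[1]
            Direction   = $fields['Direction']
            Peer        = $fields['Peer']
            Status      = $status
            CallId      = $fields['Call-ID']
            CSeq        = $fields['CSeq']
            Diagnostics = $fields['ms-diagnostics']
        }
    }
}

function Get-SipResponseOrigin {
    param([Parameter(Mandatory)][object[]]$Record)
    $Record | Where-Object { $_.Status } | Group-Object CallId | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Seq)
        $first   = $ordered[0]                                   # earliest hop that carried the response
        $diag    = $ordered | Where-Object Diagnostics | Select-Object -First 1
        [pscustomobject]@{
            CallId        = $_.Name
            Status        = $first.Status
            EnteredFrom   = $first.Peer
            EnteredAt     = $first.Direction
            DiagnosticsBy = if ($diag -and $diag.Diagnostics -match 'source="([^"]+)"') { $Matches[1] } else { $null }
            Reason        = if ($diag -and $diag.Diagnostics -match '^(\d+);reason="([^"]+)"') { "$($Matches[1]): $($Matches[2])" } else { $null }
            Hops          = $ordered.Count
        }
    }
}

# Constructed sample (placeholder names, newest record first, like the trace above).
$SampleTrace = @'
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b949 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Direction: incoming;source="internal edge";destination="external edge"
Peer: LyncFE.domain.local:5061
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b769 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Direction: outgoing;source="external edge";destination="internal edge"
Peer: LyncFE.domain.local:65236
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="partnerdomain.pl";PeerServer="sip.partnerdomain.pl";source="MyEdge.domain.pl"
$$end_record
TL_INFO(TF_PROTOCOL) [0]0548.1970::12/30/2014-20:51:59.558.0006b35e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[441892531] $$begin_record
Direction: incoming;source="external edge";destination="internal edge"
Peer: sip.partnerdomain.pl:5061
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 3a1f78a7ab334baea7c31819fcbbb197
CSeq: 1 SUBSCRIBE
$$end_record
'@

$records = ConvertFrom-LyncSipTrace -TraceText $SampleTrace
Get-SipResponseOrigin -Record $records | Format-List
```

For the sample, EnteredFrom is sip.partnerdomain.pl:5061 at the external edge, DiagnosticsBy is MyEdge.domain.pl and Reason is "1034: Previous hop federated peer did not report diagnostic information": the 504 arrived from the partner's Access Edge with no ms-diagnostics of its own, and the local Edge only annotated it on the way in. For a real capture, feed the function the text exported from Snooper or the .log file from Centralized Logging; the records with a non-empty Diagnostics whose source is the remote peer are the ones that carry the other side's explanation.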

  • MS Lync 2013 federation with Cisco CUP 8.6

    Hi all,
    I am currently trying to federate CUPS 8.6 with MS Lync 2013.
    After a lot of certificate issues we finally got a one-way IM from CUPS to Lync. I can't get Presence in either direction or send an IM from Lync to CUPS user.
    I have followed the Cisco guide for inter-domain federation within an enterprise. so no edge server or Cisco ASA involved.
    The error message I am seeing on the Lync side is:
    ms-diagnostics:
    1010;reason="Certificate trust with another server could not be established";ErrorType="Refer to HRESULT code for specific security status";tls-target="CUP-A.cupdomain.co.uk";HRESULT="0x80090326(SEC_E_ILLEGAL_MESSAGE)";source="LCT-LYNCFE01.lyncdomain.net"
    On the CUP side I can see the TLS session being dropped with this error message:
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_verify_callback: TLS protocol error(ssl reason code=(null) [0]),lib=(null) [0],fun=(null) [0], errno=0
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(2409) SSL server accept returned SSL_ERROR_SSL
    17:22:58.945 |[Wed Apr 23 17:22:58 2014] PID(24295) sip_tls_accept: TLS protocol error(ssl reason code=no certificate returned [178]),lib=SSL routines [20],fun=SSL3_GET_CLIENT_CERTIFICATE [137], errno=0
    17:22:58.945 |Wed Apr 23 17:22:58 2014] PID(24295) sip_tcp.c(1056) sip_tcp : Hard close/destroy of tcp connid 93 sock_fd 37 flags 0
    On the cisco side I have only set a TLS Peer as the LYNCPOOL server. do I need to set up a TLS Peer for all of the Lync Servers?
    The lyncpool server has client and server enhanced key usage - do I need to reissue the certs with this for ALL servers in the lync cluster?
    It seems like TLS will negotiate successfully using the LYNCPOOL server but not with any of the other servers. Must be missing something simple.
    Many thanks for advice.
    Regards
    Lee.

    Hi,
    Please double check the listen port of Lync Server.
    In the Lync Server Management Shell enter the following command to verify the current system configuration: Get-CSRegistrarConfiguration
    More ports requirement for Lync server you can refer to the link below:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cups/8_6/english/integration_notes/IntegrationNote_CUP86_MicrosoftLyncServer2010_RCC.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 Logon Failing (HTTP status code 500) No valid security token

    Hello there,
    I'm in the process of deploying Lync 2013.  I have the pool deployed and everything is at least running.  I can access the control panel and provision users.  However, when I try to log on to the Lync client I get a DNS error.  The DNS
    error appears to be misleading and is a result of the earlier auto-detection methods failing.
    However, using the Lync Connectivity Analyzer I get a "No valid security token." error.  This doesn't matter whether I use auto-detection or manually point the Connectivity Analyzer to the pool servers.
    [3/2/2015 9:34:15 AM] [ERROR] Reason: Internal server error (HTTP status code 500)
    [3/2/2015 9:34:15 AM] [ERROR] Ms-Diagnostics-Fault ErrorId: 28020, Reason: No valid security token.
    [3/2/2015 9:34:15 AM] [CRITICAL] The credentials were not authorized by the server. Please verify your login credentials and try again.
    [3/2/2015 9:34:15 AM] [DEBUG] System.Exception: Exception of type 'System.Exception' was thrown.
    at Microsoft.LyncServer.WebServices.WebTicketManager.WTExceptions(String exText)
    at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireTicketAsync>d__19.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireOpaqueTicketAsync>d__14.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<AuthenticationRequired>d__2a.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<ParseResponse>d__16.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
    I'm a bit stumped where to go next.
    Thanks.

    Manually entering the server also fails and does not provide much to help: "We're having trouble connecting to the server. If this continues, please contact your support team."
    I found that each time I try to logon it generates a Schannel Error on the server.  "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51.
    The Windows SChannel error state is 1106."
    There seems to be a lot more information on that than the previous "Internal Error" message I was trying to deal with.
    https://social.technet.microsoft.com/Forums/office/en-US/41718327-203f-445f-8657-87b0a8545ead/lync-2013-client-signin-issue-with-lync-2013-server?forum=lyncprofile
    Actually I just found the Lync Server Front-End is stuck "starting" so that would explain why I cannot login.  However I re-issued my certificate to make sure the primary CN matched "lync.domain.tld" and it still wont start.
    https://expertslab.wordpress.com/2014/04/23/lync-server-2013-front-end-service-stuck-on-starting/
    I think my problem is the certificate.  I have been trying to use SelfSSL7 to generate the certificate for testing, but it does not support creating SAN entries, so I have entered all the FQDNs as CN entries.
    I'm going to find another method to generate the self-signed certificate for testing.
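Two of the threads above come down to properties of the certificate bound to a Lync server: the CUP federation post asks whether every server in the pool needs a certificate with both Server and Client Authentication EKUs (the CUP log shows the TLS accept failing with "no certificate returned" from the Lync side), and the sign-in post describes a certificate whose additional names were placed in extra CN entries because the generator could not emit a SAN. The function below is an added example written for this page, not code from either thread or from Microsoft; it checks a certificate in the local machine store for a usable private key, both EKUs, and the required FQDNs present as SAN entries rather than only as CNs. The store path, OIDs and the sample names in the usage lines are assumptions.

```powershell
# Added example (not from the threads): check a Lync server certificate for the properties the
# two posts above turn on: Server and Client Authentication EKUs, a private key, and SAN entries.
function Test-LyncServerCertificate {
    param(
        [Parameter(Mandatory)][string[]]$RequiredFqdn,   # e.g. pool FQDN plus each Front End FQDN
        [string]$StoreLocation = 'Cert:\LocalMachine\My',
        [string]$Thumbprint                               # optional: restrict to one certificate
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'; $clientAuth = '1.3.6.1.5.5.7.3.2'
    $certs = Get-ChildItem $StoreLocation | Where-Object { -not $Thumbprint -or $_.Thumbprint -eq $Thumbprint }
    foreach ($cert in $certs) {
        $san = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {   # Format($true) yields one "DNS Name=host" per line on Windows
            $san = @($sanExt.Format($true) -split '\r?\n' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() } | Where-Object { $_ })
        }
        $cns = @([regex]::Matches($cert.Subject, 'CN=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() })
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku = @(); if ($ekuExt) { $eku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        # No EKU extension at all means the certificate is not restricted to particular purposes.
        $ekuOk = (-not $ekuExt) -or (($eku -contains $serverAuth) -and ($eku -contains $clientAuth))
        $missing  = @($RequiredFqdn | Where-Object { ($cns + $san) -notcontains $_ })
        # Names present only as extra CNs are not a substitute for SAN entries when a SAN is present.
        $onlyInCn = @($RequiredFqdn | Where-Object { ($san -notcontains $_) -and ($cns -contains $_) })
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuthEku  = $eku -contains $serverAuth
            ClientAuthEku  = $eku -contains $clientAuth
            NoEkuExtension = -not $ekuExt
            MultipleCn     = $cns.Count -gt 1
            SanNames       = $san
            MissingFqdn    = $missing
            FqdnOnlyInCn   = $onlyInCn
            Usable         = $cert.HasPrivateKey -and $ekuOk -and ($missing.Count -eq 0) -and ($onlyInCn.Count -eq 0)
        }
    }
}

# Usage on a Front End: report every certificate in the machine store against the pool and server names.
Test-LyncServerCertificate -RequiredFqdn lync.domain.tld, fe01.domain.tld | Format-List

# Lab only: a self-signed certificate with real SAN entries (Windows Server 2012 or later).
# New-SelfSignedCertificate includes both Server and Client Authentication EKUs by default.
# $c = New-SelfSignedCertificate -DnsName lync.domain.tld, fe01.domain.tld -CertStoreLocation Cert:\LocalMachine\My
# Test-LyncServerCertificate -RequiredFqdn lync.domain.tld, fe01.domain.tld -Thumbprint $c.Thumbprint | Format-List
```

For the CUP case, run it on each Lync server that will open or accept a TLS connection to the CUP node, not just the one whose pool FQDN is configured as the TLS peer; a server whose certificate lacks the Client Authentication EKU has nothing acceptable to present when the remote side requests a client certificate. A self-signed certificate created this way is still untrusted by every other machine until its public part is imported into their Trusted Root store, so it is only suitable for an isolated lab.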

  • Lync 2013 federation with Skype error: 'Reference error id 504 (Source ID 239)

    I have set up Lync 2013, configured Skype federation (http://www.techtroubleshoot.com/federate-lync-server-with-skype/) and also done Lync provisioning. Skype federation worked for a few days (2 weeks) and then stopped. Currently I am getting the following
    error: 'Reference error id 504 (Source ID 239)'.
    Ports are open on the firewall. I however still get the error.
    KimaniBob

    Verify the following:
    You can telnet to your SIP domain on ports 5061 and 443 from external, and the nslookup of the _sipfederationtls SRV record resolves correctly.
    The certificate on the Edge Server is not expired or damaged.
    This link had similar issue, you can check it.
    http://terenceluk.blogspot.com/2013/04/unable-to-send-instant-messages-or-view.html
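    The reply above lists three checks (SRV record, port reachability, Edge certificate). The script below is an added example, not part of the original answer, that performs all three against a federation partner's SIP domain in one pass and also reports whether the presented certificate chains to a trusted root. 'example.com' is a placeholder domain; it assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and should be run from outside your own network to reflect what a partner sees.

```powershell
# Added example, not from the original reply: probe a SIP federation partner.
# Save as Test-LyncFederation.ps1 and run: .\Test-LyncFederation.ps1 -SipDomain example.com
param([string]$SipDomain = 'example.com')   # placeholder domain

# 1. The SRV record federation partners use to locate the Access Edge service.
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$SipDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight
if (-not $srv) { throw "No _sipfederationtls._tcp SRV record for $SipDomain" }
$edgeFqdn = $srv[0].NameTarget
$edgePort = $srv[0].Port
"SRV -> ${edgeFqdn}:${edgePort}"

# 2. TCP reachability of the SRV port (normally 5061) and 443.
foreach ($port in @($edgePort, 443)) {
    $tcp = Test-NetConnection -ComputerName $edgeFqdn -Port $port -WarningAction SilentlyContinue
    "{0}:{1} TcpTestSucceeded={2}" -f $edgeFqdn, $port, $tcp.TcpTestSucceeded
}

# 3. Pull the certificate the Edge presents and check expiry, names and chain.
$client = New-Object System.Net.Sockets.TcpClient($edgeFqdn, $edgePort)
try {
    # Validation callback always returns $true so an expired or untrusted cert
    # can still be inspected instead of aborting the handshake.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($edgeFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $client.Close() }

$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"
"SAN     : $($names -join ', ')"
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate EXPIRED on $($cert.NotAfter)" }
if ($names -notcontains $edgeFqdn)  { Write-Warning "Certificate does not contain $edgeFqdn" }

# An untrusted chain here is the SEC_E_UNTRUSTED_ROOT case: the partner's CA
# chain must be installed in the local Trusted Root / Intermediate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain not trusted on this machine: $status"
}
```

    Run the same script against your own SIP domain from the partner's side (or any external host) to see whether the problem is with their Edge or with yours.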

  • Lync 2013 Federation

    Hi,
    We are planning to Deploy Lync Server 2013 Federation with client domain.
    We have a separate domain at client location onsite (They have their own Lync environment) and Separate domain in Our offshore ODC. The Point-to-Point (Dedicated link ) enabled. So there is no DMZ. We are planning to enable lync federation with client domain.
    Can We place Edge Server in the same network where Front end Server installed? How do we go about this requirement? Please suggest.

    To configure a Lync Edge Server, you need two network adapters on each Edge Server: one for the internal-facing interface and one for the external-facing interface.
    Yes, you can put the internal NIC on the same network as the Lync Front End.
    For more details about Network interface of Lync Edge, you can check below link
    http://technet.microsoft.com/en-us/library/gg412847.aspx
    For Deploy and Configure Lync Edge
    http://technet.microsoft.com/en-us/library/gg398147.aspx
    Configuring SIP federation, XMPP federation and public instant messaging in Lync Server 2013
    http://technet.microsoft.com/en-us/library/jj205134.aspx
    Mai Ali | My blog: Technical

  • Is it possible Lync 2013 to be installed on a Domain Controller?

    I run a small infrastructure with two servers only,
    Both are Domain Controllers running Windows 2008 R2, and one is a file server too. I would like to know if I can install Lync 2013 Standard Server on either of them. I have not found a clear answer anywhere, as I did for 2010.
    Thank You in advance
    Alexios

    Hi,
    Agree with Michael,
    You can't install Lync server on DC. You should use another server.
    Here is a similar thread that may help you; it is for Lync Server 2010 but applies similarly to Lync Server 2013:
    http://social.technet.microsoft.com/Forums/lync/en-US/0fa9f538-c076-4fdf-9c84-bd00499136ec/why-cant-lync-server-2010-be-installed-on-a-dc?forum=ocsplanningdeployment
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 on a single label root domain

    Hello All
    My environment is a child domain; let's say it is "contoso.local", where the root is .local and the child is contoso.local. With this configuration, can I install Lync 2013? If not, is there any workaround other than renaming my domain? Your help is much appreciated.
    THX

    Hi Mado,
    Unfortunately, installing Lync in a Forest with a single label root domain is not supported;
    "Lync Server does not support single-labeled domains. For example, a forest with a root domain named
    contoso.local is supported, but a root domain named
    local is not supported. For details, see Microsoft Knowledge Base article 300684, “Information about configuring Windows for domains with single-label DNS names,” at
    http://go.microsoft.com/fwlink/p/?linkId=143752."
    This is not to say it would not work, but I would never put this into a production environment based on Microsoft's stance on this.
    Kind regards
    Ben

  • Lync 2013 Mobility - Works for Android, not iOS

    Here's the situation I am facing right now.
    I have installed Lync 2013 for a client and have everything working finally but have hit a roadblock that I just can't seem to overcome.
    The environment is this:
    1 Lync 2013 Standard Edition Server (Front End)
    1 Lync 2013 Persistent Chat Server
    1 Lync 2013 Edge Server
    1 Reverse Proxy Server
    Like I said everything looks like it's working, save one thing. Clients using iPhones can't connect to the service but Android devices can. That's the only thing.
    Here is a log snippet from my test device:
    POST https://lync.mydomain.org/webticket/webticketservice.svc
    Request Id: 0x70b5f68
    HttpHeader:Content-Length 1293
    HttpHeader:Content-Type text/html
    HttpHeader:Date Wed, 18 Dec 2013 17:40:32 GMT
    HttpHeader:Server Microsoft-IIS/7.5
    HttpHeader:StatusCode 401
    HttpHeader:Www-Authenticate Negotiate, NTLM, Basic realm="lync.mydomain.org"
    HttpHeader:X-Powered-By ASP.NET
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;}
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;}
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;;}
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
     <div class="content-container"><fieldset>
      <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
     </fieldset></div>
    </div>
    </body>
    </html>
    </ReceivedResponse>
    Everything looks like it's going good until it gets there and then at the bottom of the log I see this:
    2013-12-18 11:40:47.602 Lync[7237:907]  is not a valid email address.
    This user has no problems signing on to his computer or Lync there. Also, I can sign on to an Android device with his account.
    If anyone has an idea on this I welcome it. Please help.

    Hi Okrobpr,
    Did you solved the issue with the help of Michael provided?
    Basically the IOS clients do not support the basic NTLM Authentication method while Windows Phone and Android clients do. So you can check the UseWindowsAuth option is true running the command in Lync Server Management Shell:
    Get-CsWebServiceConfiguration
    If it shows NTLM, you can run the command:
    Set-CsWebServiceConfiguration -UseWindowsAuth Negotiate
    and then run Get-CsWebServiceConfiguration again to confirm it is now Negotiate.
    Please also make sure you have updated to the latest version for Lync Server and clients.
    You can check if there are any errors in event viewer of FE server.
    Best Regards,
    Eason Huang
    TechNet Community Support
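    The reply above says to read UseWindowsAuth and switch NTLM to Negotiate. The script below is an added example, not part of the original answer, that does that for every scope of the web service configuration and also shows what the webticket endpoint actually advertises in its 401 response, so the setting can be compared with the server's real behaviour (note that the 401 pasted in the question already lists Negotiate, so the change only affects scopes still set to NTLM). It assumes the Lync Server Management Shell on Windows PowerShell 5.1 or earlier (where a 401 surfaces as a WebException with an HttpWebResponse) and uses the placeholder URL from the posted log.

```powershell
# Added example, not from the original reply: audit and fix UseWindowsAuth.
# Run in the Lync Server Management Shell (Windows PowerShell 5.1 assumed).
$webticket = 'https://lync.mydomain.org/webticket/webticketservice.svc'   # placeholder from the log

# Current setting at every scope (Global plus any site-level overrides).
$cfg = @(Get-CsWebServiceConfiguration)
foreach ($c in $cfg) { "{0,-30} UseWindowsAuth={1}" -f $c.Identity, $c.UseWindowsAuth }

# What the endpoint really offers: an anonymous request must come back 401 with a
# WWW-Authenticate header; on PS 5.1 that is raised as an exception, so read it there.
try {
    Invoke-WebRequest -Uri $webticket -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning "Expected 401 from $webticket but got a success response"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        "Advertised by $webticket : $($resp.Headers['WWW-Authenticate'])"
    } else { throw }
}

# Switch any scope still on NTLM to Negotiate (SPNEGO: Kerberos with NTLM fallback).
$changed = $cfg | Where-Object { $_.UseWindowsAuth -eq 'NTLM' } | ForEach-Object {
    Set-CsWebServiceConfiguration -Identity $_.Identity -UseWindowsAuth Negotiate
    $_.Identity
}
if ($changed) { "Changed to Negotiate: $($changed -join ', ')" } else { "No scope was set to NTLM" }

# Confirm.
Get-CsWebServiceConfiguration | Select-Object Identity, UseWindowsAuth
```

    The setting is replicated to the Front End web components by the Central Management Store; if the header read-back still shows the old value after a few minutes, recycle the Lync web applications in IIS or restart the Front-End services.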

  • Not all contacts showing in lync 2013 client search for most of the users

    Dears
    i have an issue in searching for contacts in Lync client 2013.
    I already set the Global client policy to WebSearchOnly and am still not able to see all the contacts.
    What else should I do?
    we are using:
    - windows 7 ent 64bit
    - microsoft office 2010 plus 32bit
    - microsoft lync basic 32bit
    and on the server side:
    - windows server 2012 64bit
    - lync server 2013
    appreciate your swift response
    Moayad Sewar

    OK Moayad, thank you for this info.
    It looks ok, I cannot find strange settings.
    Did you do this check?
    %userprofile%\appdata\Local\Microsoft\Office\15.0\Lync
    enter the sip_<usersipuri> folder
    you will find two files
    GalContacts.db
    GalContacts.db.idx
    open the GalContacts.db with notepad, you can find every AD Users and Contacts that Lync consider eligible
    for the GAL.
    Try to find in this file some Contacts that lync users cannot find. If you cannot find here we've to investigate
    more deeply into AD Attributes.
    Regards
    Luca
    Luca Vitali | MCITP Lync/Exchange | snom Certified Engineer | Sonus SBC1000 Engineer
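    Luca's check is to open GalContacts.db and look for the missing contact by hand. The script below is an added example, not part of the original reply, that does the same thing for an affected user: it finds the sip_* profile folder, reports whether both cache files exist and how old they are, and searches the database for a name or SIP address in both UTF-16 and UTF-8 decodings (the file mixes binary and text). 'jane.doe' is a placeholder search term; run it as the affected user on their workstation.

```powershell
# Added example, not from the original reply: inspect the Lync 2013 client GAL cache.
# Run as the affected user: .\Find-GalContact.ps1 -SearchFor 'jane.doe'
param([string]$SearchFor = 'jane.doe')   # placeholder display name or SIP address

$lyncDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Office\15.0\Lync'
$sipDirs = Get-ChildItem -Path $lyncDir -Directory -Filter 'sip_*' -ErrorAction Stop

foreach ($d in $sipDirs) {
    $db  = Join-Path $d.FullName 'GalContacts.db'
    $idx = Join-Path $d.FullName 'GalContacts.db.idx'
    "Profile: $($d.Name)"

    # Both files are downloaded from the Address Book Service; age tells you
    # whether the client is searching a stale copy.
    foreach ($f in $db, $idx) {
        if (Test-Path $f) {
            $fi  = Get-Item $f
            $age = ((Get-Date) - $fi.LastWriteTime).TotalDays
            "  {0,-20} {1,10:N0} bytes  updated {2}  age {3:N1} days" -f $fi.Name, $fi.Length, $fi.LastWriteTime, $age
        } else {
            "  $([IO.Path]::GetFileName($f)) MISSING (client has not downloaded the GAL yet)"
        }
    }
    if (-not (Test-Path $db)) { continue }

    # Search the raw bytes under both encodings the file may use.
    $bytes = [IO.File]::ReadAllBytes($db)
    $hits = foreach ($enc in [Text.Encoding]::Unicode, [Text.Encoding]::UTF8) {
        $text = $enc.GetString($bytes)
        $i = $text.IndexOf($SearchFor, [StringComparison]::OrdinalIgnoreCase)
        if ($i -ge 0) { "  found '$SearchFor' ($($enc.EncodingName)) at offset $i" }
    }
    if ($hits) { $hits } else { "  '$SearchFor' is NOT in GalContacts.db -> check the user's AD attributes / Address Book Service" }
}
```

    If the contact is present in the file but the client still cannot find it, the cache is not the problem; if the files are several days old, deleting GalContacts.db and GalContacts.db.idx and signing in again forces a fresh download before you go on to the AD attribute investigation Luca mentions.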

  • ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

    We are running Cisco ISE 1.2; we have a new AD domain with a forest trust relation between the new and the old. Authentication with the new domain fails.
    Is there any requirements or configurations change needs to be done to make it success?

    Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
    If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
    Charles Moreton
