?
Solved

Lync 2010 Mobile Client Fails to Login From Outside the Network

Posted on 2013-06-05
7
Medium Priority
?
1,055 Views
Last Modified: 2015-01-20
Hi,

I have a Lync 2010 setup deployed, Linux Reverse Proxy for web services.  All of it seems to work outside of the iPhones, logging into Lync from OUTSIDE the network.

Android devices are able to connect inside and outside the network, the MS Lync Connectivity Analyzer reports positive outside the network as does the remoteconnectivity online tool.  

If I connect an iPhone while on the inside LAN, and disconnect or leave the office while logged in the client will remain connected normally.  If I disconnect, or try to login from outside the network it will fail.  "Failed to process the server response.  Please try again.  If the problem persists, contact your support team"

The Client log reports from the iPhone
</style></head><body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div>
</div>
</body></html>

 /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/applicationLayer/_buildIos/../infrastructure/private/CLogonSession.cpp/1079:Auto-discovery failed, aborting sign-in!

Lync[107:907]  is not a valid email address.

On the reverse Proxy I can see access denied errors.

/webticket/webticketservice.svc HTTP/1.1" 401 1165
/groupexpansion/service.svc/mex HTTP/1.1" 400 312

I had this working with an older ISA server, wildcard certificate on the outside interface and an internal certificate on the Lync Server.  This was for testing.  When I replaced the internal certificate with the Public SAN certificate I could not longer use the ISA server because the SAN certificate has the TLD name as its subject and did not match the FQDN.  

The linux reverse proxy has the same SAN certificate as the Lync Front End server and includes both Lyncdiscover, and the FQDN of the front end.  

This strikes me as a certificate problem because it worked before.  I am not sure why only the iPhone cant login from the outside.  I have adjusted the timeout values, rechecked the keys and the certificate chain.  If I use the manual server entry option on the mobile client, it will not login or error.  It just hangs.

Thoughts?  

Thank You
0
Comment
Question by:larspanky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Bembi earned 2000 total points
ID: 39226478
I guess the point is, that ISA in front of LYNC made the authentication. Then ISA authenticates against the Lync.
If your proxy do not make the same, either the proxy can not authenticate against the LYNC (what would have the effect, that nobody can access from outside), or the authentication is directly against LYNC and this fails...

As it is SSL, the iPhone has to be able to resolve the certificate, which is send by the endpoint (so either your reverse proxy or by LYNC). If it is a public cert, even the iPhone should be able to resolve it over the public network. For private certs you have to import the root cert to the device.

If other devices are working, I would assume that this is a dedicated problem of the iPhone.
You may also try to play around with the logon names, so either NetBIOSDomain\username or username@FQDN.  

A good tool for testing external access is this tool.
It also shows the certs, presented to the clients.
http://www.insideocs.com/Tools/RUCT/RUCT.htm
0
 

Author Comment

by:larspanky
ID: 39226706
Thanks, that gives me some direction on where to look.   I did not think to use the RUCT tool for the mobile service.  

Ill get back.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 39230570
Try the RUCT Tool, it shows more than the LYNC test web site.
If you have results, just come back :-)
0
 

Author Comment

by:larspanky
ID: 39235475
The tool is showing the certificates properly, its inline with what I was expecting to see.  You mentioned that there may be a trust problem between the proxy and the FE server so I will look at that closely next.  

I feel like the FQDN not being the subject of the certificate on the FE servers contributing to this problem but I have read that others have used a similar setup and it worked.

Ill get back, thanks
0
 

Author Comment

by:larspanky
ID: 39246093
Still working on this.  Ill keep you posted.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question