Can't sign into Lync from non domain computer

Hi, I have configured Lync Standard Server and Edge Server.  Everything is working except that a domain user can't log into Lync from a non-domain computer.  The user gets a message saying incorrect login credentials.  I ran the OCS Connectivity Test and it passed.  Do I have to import the root certificate issued by the internal CA to the non-domain computer?  I have these certificates:

Edge: public SAN (sip.mydomain.com, webcon.mydomain.com, av.mydomain.com)

Lync Standard: internal SAN (sip.mydomain.com, lync.mydomain.com, meet.mydomain.com, dialin.mydomain.com, lyncadmin.mydomain.com)

 

Shawn

October 17th, 2011 6:37am

Hi,

Please check that the following are OK.

1. The Lync Server FE FQDN should be resolvable from the non-domain PC.

2. The self-signed certificate of the Enterprise Root CA should be installed on that PC (the same CA that issued the certificates to all Lync servers).

3. The local time of the non-domain PC should be the same as on the Domain Controller or Lync FE server.

As long as the Lync FE server and the non-domain PC are in the same LAN/subnet, this has nothing to do with the Edge.

Thamara.

October 17th, 2011 6:49am

I just want to add to Thamara's post - it looks like we have a slight change from OCS when it comes to non-domain machines or untrusted certificates. While the OCS client, when the certificate was not trusted, clearly stated "Cannot trust the certificate" or similar, the Lync client returns the more cryptic "Invalid credentials". The real problem is that non-domain machines (on the LAN) will try to sign in to the home server (not the Edge, where we most probably have a public certificate), and if the domain root certificate is not present on the non-domain computer, the above behavior is observed.

 

Drago

October 17th, 2011 1:42pm
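The three checks in Thamara's list and the certificate-trust failure Drago describes can be verified from the non-domain PC itself before touching the Lync client. The script below is an added example for this thread, not something posted by its participants or shipped with Lync. It assumes a Front End (or pool) FQDN of lync.mydomain.com and a domain controller dc1.mydomain.com (both hypothetical names), and Windows PowerShell 2.0 or later; the cmdlets and .NET types it uses are all built in.

```powershell
# Added example, not from the thread. Run on the non-domain PC (PowerShell 2.0+).
# Hypothetical names: Front End/pool FQDN lync.mydomain.com, DC dc1.mydomain.com.
$FrontEnd   = 'lync.mydomain.com'
$TimeSource = 'dc1.mydomain.com'

# 1. The FE FQDN must resolve from here. An internal client registers with the
#    FE, not the Edge, so the public certificate on the Edge is irrelevant on the LAN.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($FrontEnd) | ForEach-Object { $_.IPAddressToString }
    "DNS   OK    $FrontEnd -> $($ips -join ', ')"
} catch {
    "DNS   FAIL  $FrontEnd does not resolve: $($_.Exception.Message)"
}

# 2. Clock skew against the DC. Kerberos tolerates 5 minutes by default, and a
#    skewed clock also makes a freshly issued certificate look not-yet-valid.
#    w32tm is built into Windows; /dataonly prints "time, offset" pairs.
$line = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly 2>&1 |
        Select-String -Pattern ',\s*([+-][0-9.]+)s' | Select-Object -First 1
if ($line) {
    $offset = [double]$line.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -lt 300) { "CLOCK OK    offset {0:N3}s from $TimeSource" -f $offset }
    else                              { "CLOCK FAIL  offset {0:N3}s from $TimeSource (over 5 minutes)" -f $offset }
} else {
    "CLOCK ????  could not query $TimeSource with w32tm (UDP/123 blocked?)"
}

# 3. TLS handshake to the FE's SIP port. The Lync client reports an untrusted
#    server certificate as "incorrect login credentials", so look at the chain
#    verdict directly. The callback accepts any certificate; we only want to inspect it.
$tcp = New-Object System.Net.Sockets.TcpClient($FrontEnd, 5061)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
         [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($FrontEnd)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

"CERT  Subject : $($cert.Subject)"
"CERT  Issuer  : $($cert.Issuer)"
"CERT  Expires : $($cert.NotAfter)"

# Does the certificate actually carry the name we connected to? (SAN, OID 2.5.29.17)
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
if ($names -contains $FrontEnd) { "NAME  OK    certificate lists $FrontEnd" }
else                            { "NAME  FAIL  certificate names: $($names -join ', ')" }

# Chain trust, evaluated with this PC's own certificate stores. Revocation is
# skipped here to separate "root not trusted" from "CRL not reachable";
# set RevocationMode to Online afterwards to test CRL reachability too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    "TRUST OK    chain ends in a root this PC trusts"
} else {
    $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "TRUST FAIL  $why"
    "      Fix : export the CA's root certificate on a domain machine and run"
    "            certutil -addstore Root rootca.cer   (elevated) on this PC"
}
```

A `TRUST FAIL UntrustedRoot` line with `DNS OK` and `CLOCK OK` is exactly the case Drago describes: the client is reaching the right server and is rejected for a certificate reason that the Lync UI mislabels as a credential problem. Importing the issuing CA's root into the machine's Trusted Root store (not the user's) fixes it for every account on that PC.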

 

Can you confirm whether users of non-domain PCs can't sign in over the Edge, or can't sign in internally?

Over the Edge should be fine if you have a trusted public cert in place. Internally (or possibly on VPN?) they will need to have the root cert of the CA that issued the internal certs for Lync (usually the Windows internal CA).

Hope that helps, let me know if you need anything more

Tom

 

October 17th, 2011 2:58pm

Hi Tom,

The domain user was trying to sign into Lync from a non-domain computer outside of the corporate network.  He ran a test from https://www.testocsconnectivity.com/ and passed it.  But he just keeps getting a message saying incorrect logon credentials.  A public SAN is on the Edge server, and sip.mydomain.com resolves to the correct public IP.  He shouldn't need to import the root certificate of our internal CA, right?  Any idea?  Thanks.

 

Shawn

October 17th, 2011 4:39pm

In that case, he doesn't need to have the internal root CA installed on his PC. Please check that ports 5061 and 443 are open to the Access Edge interface on the firewall. Also check that the _sip._tcp.domain.com SRV record is externally resolvable and resolves to the Access Edge FQDN.

Thamara.

October 17th, 2011 4:58pm
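The two external checks Thamara asks for (the SRV record and the Access Edge ports) can be run from the remote PC without any Lync tooling. This is an added example, not from the thread; it assumes the SIP domain is mydomain.com (hypothetical) and uses `Resolve-DnsName`, which needs Windows 8 / Server 2012 or later. It goes slightly beyond the post: besides `_sip._tcp`, it also queries `_sip._tls.<sipdomain>`, the record the Lync 2010 client uses for external TLS sign-in, and the `sip.<sipdomain>` fallback the client tries when no SRV record answers.

```powershell
# Added example, not from the thread. Run from the remote (non-domain) PC on the
# public internet. Hypothetical SIP domain: mydomain.com. Needs Resolve-DnsName
# (Windows 8 / Server 2012 or later).
$SipDomain = 'mydomain.com'

# Collect sign-in targets: SRV records first, then the client's DNS A fallback.
$targets = @()
foreach ($svc in '_sip._tls', '_sip._tcp') {
    $name = "$svc.$SipDomain"
    $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        foreach ($r in $srv) {
            "SRV   $name -> $($r.NameTarget):$($r.Port) (priority $($r.Priority), weight $($r.Weight))"
            $targets += New-Object PSObject -Property @{ Host = $r.NameTarget; Port = $r.Port }
        }
    } else {
        "SRV   $name not found; the client falls back to sip.$SipDomain"
    }
}
# Manual/fallback targets: sip.<sipdomain> on 443 (Access Edge external) and 5061.
foreach ($p in 443, 5061) {
    $targets += New-Object PSObject -Property @{ Host = "sip.$SipDomain"; Port = $p }
}

# TCP reachability with a 3 s timeout. A connect that succeeds proves the
# firewall/NAT path; it does not prove the Edge will accept the user.
$seen = @{}
foreach ($t in $targets) {
    $key = "$($t.Host):$($t.Port)"
    if ($seen[$key]) { continue }
    $seen[$key] = $true

    $ip = $null
    try { $ip = [System.Net.Dns]::GetHostAddresses($t.Host)[0].IPAddressToString } catch { }
    if (-not $ip) { "PORT  FAIL  $($t.Host) does not resolve on public DNS"; continue }

    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($ip, [int]$t.Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
        "PORT  OK    $($t.Host) ($ip) tcp/$($t.Port)"
    } else {
        "PORT  FAIL  $($t.Host) ($ip) tcp/$($t.Port) - filtered or nothing listening"
    }
    $client.Close()
}
```

If every `PORT` line is `OK` and the SRV target is the Access Edge FQDN, the path is fine and, as Drago says next, the problem is more likely on the Lync side (authentication or user policy) than on the firewall.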

If the test via https://www.testocsconnectivity.com passes, the firewall is less likely to be the issue. Perhaps now is the time to do some logging on both the Edge and the Front End while trying to sign in from the public internet, and examine it for obvious errors.

 

Drago

October 17th, 2011 5:14pm

What type of OS is the non domain computer using? You might need to change the NTLM Security settings.

 

http://allunifiedcom.wordpress.com/2011/01/20/resolving-login-problems-for-remote-access-lync-clients-running-windows-xp-sp3/

 

http://uctalks.com/?p=1111

 

http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx

October 17th, 2011 9:47pm

I created a new user profile, and I can sign in to my Lync client... anyone know what's happening? @.@

October 18th, 2011 1:49am

In that case, can you try removing the previous user from Lync and re-adding the account? Is this happening to all the previously created user logins or just one?

Thamara. 

October 18th, 2011 1:59am

Hi Shawn,

Have you enabled NTLM authentication on the Lync server? If not, I recommend that you enable both Kerberos and NTLM when a server supports authentication for both remote and enterprise clients. The Edge Server and internal servers communicate to ensure that only NTLM authentication is offered to remote clients. If only Kerberos is enabled on these servers, they cannot authenticate remote users. You can find details at http://technet.microsoft.com/en-us/library/gg182601.aspx

Also please verify that you have enabled remote access for the user: http://technet.microsoft.com/en-us/library/gg182549.aspx

If this problem only happens on XP clients, NTLM authentication must have failed; you can check the following link for more details:

http://lyncing.wordpress.com/2010/11/28/user-authentication-with-ntlm-protocol-failed/

Regards,

Sharon

  • Marked as answer by sonicfish Tuesday, October 18, 2011 11:32 PM
October 18th, 2011 7:14am
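Both of Sharon's server-side checks (NTLM offered to clients, remote access allowed for the user) are a few cmdlets in the Lync Server Management Shell. The script below is an added example for this thread, not the participants' code or Microsoft's documentation; it assumes a hypothetical user sip:shawn@mydomain.com and a hypothetical policy name AllowRemoteAccess, and it runs on the Front End with an account that is a member of RTCUniversalServerAdmins.

```powershell
# Added example, not from the thread. Run in the Lync Server Management Shell
# on the Front End. Hypothetical user and policy name below.
$User       = 'sip:shawn@mydomain.com'
$PolicyName = 'AllowRemoteAccess'

# 1. Client-to-proxy authentication. A remote client behind the Edge cannot obtain
#    a Kerberos ticket, so NTLM must be enabled alongside Kerberos. Check every
#    scope (Global plus any site/service overrides), since the narrowest one wins.
foreach ($proxy in Get-CsProxyConfiguration) {
    "Proxy  $($proxy.Identity)  Kerberos=$($proxy.UseKerberosForClientToProxyAuth)  NTLM=$($proxy.UseNtlmForClientToProxyAuth)"
    if (-not $proxy.UseNtlmForClientToProxyAuth) {
        Set-CsProxyConfiguration -Identity $proxy.Identity -UseNtlmForClientToProxyAuth $true
        "       -> enabled NTLM on $($proxy.Identity)"
    }
}

# 2. Remote access is granted through the external access policy assigned to
#    the user (or, if none is assigned, the site/global policy). A policy with
#    EnableOutsideAccess = False makes the Edge refuse the sign-in.
$u = Get-CsUser -Identity $User
"User   Enabled=$($u.Enabled)  SipAddress=$($u.SipAddress)  Pool=$($u.RegistrarPool)"
"User   ExternalAccessPolicy=$(if ($u.ExternalAccessPolicy) { $u.ExternalAccessPolicy } else { '<none: site/global applies>' })"

"Policies in effect (per-user policy overrides site, site overrides Global):"
Get-CsExternalAccessPolicy | ForEach-Object {
    "       $($_.Identity)  EnableOutsideAccess=$($_.EnableOutsideAccess)  EnableFederationAccess=$($_.EnableFederationAccess)"
}

# Effective policy for this user: the assigned per-user policy, else Global.
$effective = if ($u.ExternalAccessPolicy) {
    Get-CsExternalAccessPolicy -Identity "Tag:$($u.ExternalAccessPolicy)"
} else {
    Get-CsExternalAccessPolicy -Identity Global
}

if (-not $effective.EnableOutsideAccess) {
    # Create a per-user policy that allows remote access (if it does not exist yet)
    # and grant it to this user only, leaving the Global default unchanged.
    if (-not (Get-CsExternalAccessPolicy -Identity "Tag:$PolicyName" -ErrorAction SilentlyContinue)) {
        New-CsExternalAccessPolicy -Identity $PolicyName -EnableOutsideAccess $true | Out-Null
        "       -> created per-user policy $PolicyName"
    }
    Grant-CsExternalAccessPolicy -Identity $User -PolicyName $PolicyName
    "       -> granted $PolicyName to $User (remote access now allowed)"
} else {
    "Policy OK   $($effective.Identity) allows outside access for $User"
}
```

After changing the proxy configuration, have the user sign out and back in; the settings replicate to the Edge through the Central Management Store, so allow a minute or two and check `Get-CsManagementStoreReplicationStatus` if the Edge still refuses the user.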


Thamara

Thanks for your reply; it completely resolved the problem.

Regards

Shawn

May 28th, 2015 3:32am

This topic is archived. No further replies will be accepted.
