Hi all,
Interestingly, I have just seen a similar issue. Last night, clients were signed out of Lync (both mobile and desktop) with similar errors. From a user's iPhone, I can see in the logs messages such as:
"You've been disconnected because you're signed in to Lync in too many places"
and
"We can't sign you in. Looks like you are already signed in on too many devices"
On coming across this thread this morning, I checked the time synchronisation on the FE (SE) server. This was over 2 minutes out from the DCs, however, when I checked the "W32tm /query /status", all looked OK - the Lync server was pointing to the correct DC. The DC time was correct and syncing to a local NTP server, but the time difference was still large. All other member servers seemed to be syncing correctly.
C:\Windows\system32>W32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0686951s
Root Dispersion: 0.1420435s
ReferenceId: 0x892CACD1 (source IP: 111.111.111.111)
Last Successful Sync Time: 30/04/2015 09:14:46
Source: DC1.mydom.com
Poll Interval: 15 (32768s)
I ran a "W32tm /resync" on the Lync FE, and over a period of time (about an hour), the synchronisation started coming back into line. Checking the "W32tm /query /status" again revealed that the Poll interval had changed from 15 to 10, which is a shorter time span. Checking now shows that the Poll interval has risen to 11, so I guess this rises over a period of time if the client thinks that synchronisation is OK.
The initial "root dispersion" was low (see above), indicating that the FE Server 'thought' that its local clock was pretty much synced with the DC clock - obviously it wasn't, but I'm not sure why this was the case.
However, even after syncing the clocks, some mobile users are still unable to log in. I have had the users send over the sign-in logs from the mobiles and the thing that stands out is the following response:
2015-04-30 11:07:27.953 Lync[262:5799000] INFO TRANSPORT TransportUtilityFunctions.cpp/1079:<ReceivedResponse>
POST https://lyncweb.mydom.com/WebTicket/WebTicketService.svc
Request Id: 0x178a54d8
HttpHeader:Content-Length 58
HttpHeader:Content-Type text/html
HttpHeader:Date Thu, 30 Apr 2015 10:07:27 GMT
HttpHeader:Server Microsoft-IIS/8.5
HttpHeader:StatusCode 401
HttpHeader:Strict-Transport-Security max-age=31536000; includeSubDomains
HttpHeader:Www-Authenticate NTLM
HttpHeader:X-Content-Type-Options nosniff
HttpHeader:X-MS-Server-Fqdn FE1.mydom.com
HttpHeader:X-Powered-By ASP.NET, ARR/2.5
You do not have permission to view this directory or page.
</ReceivedResponse>
Both Windows mobile and iPhones seem to be having issues, although my Android device seems to be OK, although I don't understand why NTLM is being used for authentication and not the certificate - perhaps this too has something to do with the initial time sync error?
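
Added example, not part of the original post: because "W32tm /query /status" can look healthy while the clock is minutes out, this PowerShell sketch measures the actual offset against the time source by parsing "w32tm /stripchart ... /dataonly" output. The function names, the 60-second threshold and the sample output lines are assumptions made for illustration; DC1.mydom.com is the source named in the post.

```powershell
# Added example: parse w32tm /stripchart /dataonly output and flag large clock offsets.
function Get-W32tmOffset {
    param(
        [string[]]$Lines   # lines from: w32tm /stripchart /computer:<source> /samples:<n> /dataonly
    )
    foreach ($line in $Lines) {
        # Sample lines look like "09:20:01, +125.4312345s"; failed samples carry "error: 0x..."
        # and are skipped because they do not match the pattern.
        if ($line -match '^\s*(\d{2}:\d{2}:\d{2}),\s*([+-]\d+\.\d+)s\s*$') {
            [pscustomobject]@{
                Time          = $Matches[1]
                OffsetSeconds = [double]::Parse($Matches[2], [cultureinfo]::InvariantCulture)
            }
        }
    }
}

function Test-ClockSkew {
    param(
        [string[]]$Lines,
        [double]$MaxSkewSeconds = 60   # assumed alert threshold, tune for your environment
    )
    $samples = @(Get-W32tmOffset -Lines $Lines)
    if ($samples.Count -eq 0) { throw 'No usable samples (time source unreachable?)' }
    # Use the largest absolute offset so a single bad reading is not averaged away.
    $worst = ($samples | ForEach-Object { [math]::Abs($_.OffsetSeconds) } |
              Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples     = $samples.Count
        WorstOffset = $worst
        WithinLimit = $worst -le $MaxSkewSeconds
    }
}

# Constructed sample output (not from the original post): a host roughly two minutes out.
$sample = @(
    'Tracking DC1.mydom.com [192.0.2.10:123].',
    'Collecting 3 samples.',
    'The current time is 30/04/2015 09:20:01.',
    '09:20:01, +125.4312345s',
    '09:20:03, error: 0x800705B4',
    '09:20:05, +125.4298811s'
)
Test-ClockSkew -Lines $sample   # reports 2 usable samples and WithinLimit = False

# Live use on the server being checked:
# Test-ClockSkew -Lines (w32tm /stripchart /computer:DC1.mydom.com /samples:5 /dataonly)
```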