I have a problem whereby some common area phones (Polycom CX600 / CX3000) cannot sign in to Lync Server. The PIN policy was recently changed from 4 to 6 digits.Using OCS Logger I get the below:

TL_INFO(TF_PROTOCOL) [2]10E8.7490::06/12/2015-08:44:43.449.0001fc00 (UserPinService,UprpHttpAdapter.ProcessRequest:uprphttpadapter.cs(415))[1940756537]

Enter. this=Microsoft.Rtc.Server.UserPin.Http.UprpHttpAdapter:40230505, requestId=7402

TL_VERBOSE(TF_COMPONENT) [2]10E8.7490::06/12/2015-08:44:43.449.0001fc01 (UserPinService,ResolveUserWithPinRequest.ProcessIncomingS2SRequest:userpinrequests.cs(1053))[1940756537]

Processing ResolveUserWithPin incoming request [3f453ef]

TL_INFO(TF_COMPONENT) [2]10E8.7490::06/12/2015-08:44:43.449.0001fc04 (UserPinService,ResolveUserWithPinServer.Execute:interservercommands.cs(3809))[1940756537]

Processing incoming request [3f453ef]. UCIdentifier: [30086]

TL_INFO(TF_COMPONENT) [2]10E8.7490::06/12/2015-08:44:43.449.0001fc05 (UserPinService,ResolveUserWithPinServer.Execute:interservercommands.cs(3856))[1940756537]

Inputs - Phone : [30086], Extension : [30086]

TL_INFO(TF_COMPONENT) [2]10E8.7490::06/12/2015-08:44:43.465.0001fc07 (UserPinService,UserPinSqlAccessor.IUserPinStoreAccessor.ResolveUser:userpinstoreaccessor.cs(152))[1940756537]

ResolveUser Sproc - Phone Number = 30086, NPH1 = +30086 NPH2 = +442081030086 Phone Ext = 30086 MaxResults = 150

TL_VERBOSE(TF_COMPONENT) [2]10E8.7490::06/12/2015-08:44:43.465.0001fc08 (UserPinService,UserPinSqlAccessor.IUserPinStoreAccessor.ResolveUser:userpinstoreaccessor.cs(193))[1940756537]

Successfully queued

TL_VERBOSE(TF_PROTOCOL) [2]10E8.7490::06/12/2015-08:44:43.465.0001fc0a (UserPinService,UprpHttpAdapter.ProcessRequest:uprphttpadapter.cs(444))[1940756537]

Exit ok. this=40230505, requestId=7402

TL_WARN(TF_COMPONENT) [2]10E8.1C30::06/12/2015-08:44:43.730.00020121 (UserPinService,ResolveUserWithPinServer.OnResolveUserSprocComplete:interservercommands.cs(4046))[1940756537]

User [CnfRoom1@domain.co.uk] - Pool is unresolvable, skipping the user.

At this point the phone displays the message "Sign-in cancelled due to internal server error. Please try again"

I have checked Lync server and can confirm the CAP account exists in Lync and Active Directory. The msRTCSIP-PrimaryHomeServer attribute is also populated with details of the Front End Pool.

You can run on the FE Server Test-CsPhoneBootstrap -PhoneOrExt 1111 -PIN 123456 to check the procedure against the web services.

You ma also reset the phones with pressing *# at Startup.

Hi, you mentioned changing 4 to 6 digit pin but your cmdlet output shows 5 digit pin. Not sure if you did a copy and paste of extension to hide the pin. So you may want to check on that first if thats not correct assumption. I noticed your getting an error of "Could not get web ticket", this error is typically related to incorrect pin being used.

You also said some of the CAPs experience this issue, correct? If thats the case run cmdlet Get-CsCommonAreaPhone Identity lobbyphone1 from a good known CAP and compare the results with a CAP you're having problem with. Youre looking to see that policies have been applied correctly.

If all else fails try resetting the pin with Set-CsClientPin Identity lobbyphone1 -Pin xxxxxx and then run the Test-CsPhoneBootstrap -PhoneOrExt xxxx -PIN xxxxxx to see if it passes.

Note: replace lobbyphone1 with actual device name. You probably already know that but didn't want to assume.

• Edited by Kevin FantonMicrosoft employee Tuesday, June 16, 2015 10:18 PM

Hi, you mentioned changing 4 to 6 digit pin but your cmdlet output shows 5 digit pin. Not sure if you did a copy and paste of extension to hide the pin. So you may want to check on that first if thats not correct assumption. I noticed your getting an error of "Could not get web ticket", this error is typically related to incorrect pin being used.

You also said some of the CAPs experience this issue, correct? If thats the case run cmdlet Get-CsCommonAreaPhone Identity lobbyphone1 from a good known CAP and compare the results with a CAP you're having problem with. Youre looking to see that policies have been applied correctly.

If all else fails try resetting the pin with Set-CsClientPin Identity lobbyphone1 -Pin xxxxxx and then run the Test-CsPhoneBootstrap -PhoneOrExt xxxx -PIN xxxxxx to see if it passes.

Note: replace lobbyphone1 with actual device name. You probably already know that but didn't want to assume.

• Edited by Kevin FantonMicrosoft employee Tuesday, June 16, 2015 10:18 PM

Hi, you mentioned changing 4 to 6 digit pin but your cmdlet output shows 5 digit pin. Not sure if you did a copy and paste of extension to hide the pin. So you may want to check on that first if thats not correct assumption. I noticed your getting an error of "Could not get web ticket", this error is typically related to incorrect pin being used.

You also said some of the CAPs experience this issue, correct? If thats the case run cmdlet Get-CsCommonAreaPhone Identity lobbyphone1 from a good known CAP and compare the results with a CAP you're having problem with. Youre looking to see that policies have been applied correctly.

If all else fails try resetting the pin with Set-CsClientPin Identity lobbyphone1 -Pin xxxxxx and then run the Test-CsPhoneBootstrap -PhoneOrExt xxxx -PIN xxxxxx to see if it passes.

Note: replace lobbyphone1 with actual device name. You probably already know that but didn't want to assume.

• Edited by Kevin FantonMicrosoft employee Tuesday, June 16, 2015 10:18 PM

Hi, you mentioned changing 4 to 6 digit pin but your cmdlet output shows 5 digit pin. Not sure if you did a copy and paste of extension to hide the pin. So you may want to check on that first if thats not correct assumption. I noticed your getting an error of "Could not get web ticket", this error is typically related to incorrect pin being used.

You also said some of the CAPs experience this issue, correct? If thats the case run cmdlet Get-CsCommonAreaPhone Identity lobbyphone1 from a good known CAP and compare the results with a CAP you're having problem with. Youre looking to see that policies have been applied correctly.

If all else fails try resetting the pin with Set-CsClientPin Identity lobbyphone1 -Pin xxxxxx and then run the Test-CsPhoneBootstrap -PhoneOrExt xxxx -PIN xxxxxx to see if it passes.

Note: replace lobbyphone1 with actual device name. You probably already know that but didn't want to assume.

• Edited by Kevin FantonMicrosoft employee Tuesday, June 16, 2015 10:18 PM

Hi,

As the issue happen after changing the PIN from 4 to 6, so firstly you need to make sure the change have updated. As Holger Bunkradt provided above, verify that if the user with the specified phone number and PIN can connect to Lync Server using a Lync Phone Edition-compatible device.

If the test fail, please make sure CMS update to the latest status, then test again.

Best Regards,
Eason Huang

ran the test-csphonebootstrap command and result is below:

PS C:\Program Files\Microsoft Lync Server 2013\ResKit> Test-CsPhoneBootstrap -PhoneOrExt 75785 -PIN 75785 -Verbose
VERBOSE: Workflow Instance Id '529ea430-3fe2-437a-93dc-88d25cdf25a1', started.
VERBOSE: Command line executed is 'Test-CsPhoneBootstrap -PhoneOrExt 75785 -PIN 75785 -Verbose'.

Target Fqdn   : dirpool01.domain.com
Target Uri    : https://dirpweb01.domain.com:443/CertProv/CertProvisioningService.svc
Result        : Failure
Latency       : 00:00:01.0401720
Error Message : No response received for Web-Ticket service.
                Inner Exception:The content type text/html of the response message does not match the content type of
                the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the
                IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were:
                '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
                "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
                <html xmlns="http://www.w3.org/1999/xhtml">
                <head>
                <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
                <title>500 - Internal server error.</title>
                <style type="text/css">
                <!--
                body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
                fieldset{padding:0 15px 10px 15px;}
                h1{font-size:2.4em;margin:0;color:#FFF;}
                h2{font-size:1.7em;margin:0;color:#CC0000;}
                h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
                #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana,
                sans-serif;color:#FFF;
                background-color:#555555;}
                #content{margin:0 0 0 2%;;}
                .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
                -->
                </style>
                </head>
                <body>
                <div id="header"><h1>Server Error</h1></div>
                <div id="content">
                 <div class="content-container"><fieldset>
                 '.
                Inner Exception:The remote server returned an error: (500) Internal Server Error.

Diagnosis     :
                Inner Diagnosis:X-Ms-diagnostics : 28009;source="ukvir40170.domain.com";reason="Internal error
                while processing pin authentication or authorization.";faultcode="wsse:FailedAuthentication"
                X-MS-Server-Fqdn : ukvir40170.domain.com
                Strict-Transport-Security : max-age=31536000; includeSubDomains
                X-Content-Type-Options : nosniff
                Content-Length : 1208
                Content-Type : text/html
                Date : Tue, 16 Jun 2015 09:24:09 GMT
                Server : Microsoft-IIS/8.5
                X-Powered-By : ASP.NET

VERBOSE: Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' started.
Workflow 'Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow' completed in '3.98E-05' seconds.
Target server Fqdn or web service Url not provided. Will have to do DHCP Registrar Discovery.
An exception 'No response received for Web-Ticket service.' occurred during Workflow Microsoft.Rtc.SyntheticTransactions.Workflows.STPhoneBootstrapWorkflow execution.
Exception Call Stack:    at Microsoft.Rtc.Admin.Authentication.WebServicesHelper.GetWebTicket()
   at Microsoft.Rtc.SyntheticTransactions.Activities.GetWebTicketActivity.InternalExecute(ActivityExecutionContext executionContext)
   at Microsoft.Rtc.SyntheticTransactions.Activities.SyntheticTransactionsActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message request)
   at Microsoft.Rtc.Internal.WebTicketService.WebTicketServiceClient.IssueToken(Message request)
   at Microsoft.Rtc.Admin.Authentication.WebServicesHelper.GetWebTicket()
'DHCPDiscover' activity started.
Starting DHCP registrar discovery...
Constructing a DHCP packet.
Adding DHCP option PARAMETER_REQUEST_LIST.
Successfully added DHCP option.
Adding DHCP option VENDOR_CLASS_IDENTIFIER.
Successfully added DHCP option.
Successfully constructed DHCP packet.
Trying to open an udp connection.
Remote IP : 255.255.255.255.
Local IP : 10.10.24.12.
\tCreating a new UDP client.
Udp connection successfully created.
Sending packet.
Remote IP : 255.255.255.255.
Remote Port : 67.
Packet sent successfully.
DHCP discovery message send. Waiting for DHCP servers to respond.
Data received successfully.
Remote IP : 10.10.24.29.
Remote Port : 67.
Response received for the DHCP Discovery message.
Constructing a DHCP packet from received raw data.
Extracting DHCP Options.
Successfully constructed DHCP packet.
Return value for DHCP option : SIP_SERVER.
Found registrar Fqdn : dirpool01.domain.com.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.1 - MS-UC-Client.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.2 - https.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.3 - dirpweb01.domain.com.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.4 - 443.
Successfully extracted sub option value.
Searching for DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5.
Return value for DHCP option : VENDOR_SPECIFIC_INFORMATION.
Found DHCP sub option : VENDOR_SPECIFIC_INFORMATION.5 - /CertProv/CertProvisioningService.svc.
Successfully extracted sub option value.
Found web service Url : https://dirpweb01.domain.com:443/CertProv/CertProvisioningService.svc.
Disconnecting.
DHCP registrar discovery activity completed successfully.
'DHCPDiscover' activity completed in '1.0250658' seconds.
'GetRootCertChains' activity started.
Trying to download a certificate chain from web service.
Web Service Url : http://dirpweb01.domain.com/CertProv/CertProvisioningService.svc
Certificate chain downloaded successfully.
'GetRootCertChains' activity completed in '0.0151062' seconds.
'GetWebTicket' activity started.
Trying to get web ticket.
Web Service Url : https://dirpweb01.domain.com:443/WebTicket/WebTicketService.svc
Using PIN authentication with Phone\Ext : 75785 Pin : 75785
Could not get a web ticket
CHECK:
 - Web service Url is valid and the web services are functional
 - If using Phone Number\PIN to authenticate, make sure they match the user uri
 - If using NTLM\Kerberos authentication, make sure you provided valid credentials
'UnRegister' activity started.
'UnRegister' activity completed in '2.16E-05' seconds.
VERBOSE: Workflow Instance ID '529ea430-3fe2-437a-93dc-88d25cdf25a1' completed.
VERBOSE: Workflow run-time (sec): 30.3172921.

            CurrentMatchIndex              ReplacementIndex             ReplacementLength CompletionMatches
            -----------------              ----------------             ----------------- -----------------
                           -1                             0                             8 {System.Management.Automat...

Eason,

this started happening AFTER the policy change from 4 to 6 digit PINS and is only affecting common area phones. user accounts are unaffected.

Hi, you mentioned changing 4 to 6 digit pin but your cmdlet output shows 5 digit pin. Not sure if you did a copy and paste of extension to hide the pin. So you may want to check on that first if thats not correct assumption. I noticed your getting an error of "Could not get web ticket", this error is typically related to incorrect pin being used.

You also said some of the CAPs experience this issue, correct? If thats the case run cmdlet Get-CsCommonAreaPhone Identity lobbyphone1 from a good known CAP and compare the results with a CAP you're having problem with. Youre looking to see that policies have been applied correctly.

If all else fails try resetting the pin with Set-CsClientPin Identity lobbyphone1 -Pin xxxxxx and then run the Test-CsPhoneBootstrap -PhoneOrExt xxxx -PIN xxxxxx to see if it passes.

Note: replace lobbyphone1 with actual device name. You probably already know that but didn't want to assume.

• Edited by Kevin FantonMicrosoft employee 8 hours 57 minutes ago

Apologies, I did obfuscate the PIN by copy paste and forgot to add the extra digit.

I have however figured it out after some digging into the SQL database with DBAnalyze.exe.

It seems the CAP contact objects where deleted manually in ADUC and then recreated manually. This results in a new GUID which is not in the Lync DB so when Lync tries to resolve the User Pool it cannot find the Object with the GUID it knows of so it errors with the message User [CnfRoom1@domain.co.uk] - Pool is unresolvable, skipping the user.

Deleting the SQL entry across all front ends and the AD contact object, then re-creating via New-CSCommonAreaPhone command resolves this...

Glad to have assisted you onsite with this Kelvin. Its worth noting the correct procedure to remove common area phones would be to run the Remove-CsCommonAreapPhone cmdlet to ensure a clean delete from both AD and the Lync DB. Be sure the correct OU permissions are granted to anyone running the cmdlet for AD contact object removal, this can sometimes be overlooked if they are stored in a secluded OU.