Internal Simple URL asks for Certificate to Access Page

Hi everyone

I'm experiencing something really strange on our Lync Infrastructure.

For some days now, when people browse https://dialin.domain.com they are prompted with a selection of certificates (the SIP certificates stored locally).

It doesn't matter which certificate you choose. It will not work and the user receives a 403 Forbidden.
But if they cancel the window with the certificate selection, they land on the dialin page and the Certificate tab seems OK.

Browsing https://dialin.domain.com:4443 works right away.

If I delete ALL personal certificates on the user machine, it works too. But as soon as you restart Lync, you get a new certificate and the same window appears.

Now to the fun part:
Get-csCertificate shows me for all 3 Services the same certificate, which is ok.

IIS Settings on internal 443 and external 4443 are the same.

What could that be?

January 14th, 2014 3:01am

From IIS, check the certificate that is assigned to dialin and ensure that it is the correct certificate.
January 14th, 2014 5:41am

Hi,

Can you access the dialin conference page internally and externally and check the status? Is it only for internal users? If yes, verify the internal dialin web farm and associated certificate in IIS.

Thanks

Saleesh

January 14th, 2014 6:28am

I can Access the page by entering https://webserviceFQDN/dialin without any trouble

Same for the meet page too.

External Access through an EDGE is not deployed. I accessed the external part from the same PC in the same internal Network.

I checked the certificate under IIS -> Bindings and it looks good to me.

Both internal and external use the same certificate.

I first was thinking someone changed an Internet Explorer Policy. But that would mean the external dialin page should Show the same effect.

In the first post I forgot to mention: if the user cancels the certificate selection, they land on the dialin page and can sign in normally without username and password, and change the PIN for example.

January 14th, 2014 7:57am

1. Click Start, select All Programs, select Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Sites.

3. Right-click Lync Server Internal Web Site, and then click Edit Bindings

4. Verify that https is associated with port 443.

5. Check that Lync Server Internal Web Site is assigned the correct SSL certificate.

January 15th, 2014 4:25am

Hi Lisa

Thanks for your advice.

SSL cert is the correct one.

What's bothering me is that after you press Cancel in the certificate selection, the dialin webpage shows as it should. That means the user is signed in, https is OK and the website is encrypted over SSL.

Is there like a landing page before URL rewriting? Maybe there is a logging process where I may find more details about what is causing these certificates to show.

Is certificate authentication normal behavior for the dialin page?

The certificate being issued is the one from the client. If there is a bad certificate to investigate, then it is the local SIP certificate issued from Communication Server, but how can I check if this one is OK?

January 15th, 2014 4:31pm

Here is what the IIS logs show for dialin:

If I browse dialin.domain.com and cancel the certificate selection:

2014-01-15 13:44:01 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 500 0 64 79
2014-01-15 13:44:05 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 18
2014-01-15 13:44:05 [SERVER_IP] GET /Dialin/Conference.aspx - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 5
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/PSTN_info_styles.css - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 4
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/Resource.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 6
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/logo.png - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 13
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/Utilities.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 20
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/WebTicketManager.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 23
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/dialinform.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 30
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/DialinResource.aspx ResourceLang=de 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 2
2014-01-15 13:44:05 [SERVER_IP] GET /dialin/client/warningIcon.gif - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 197
2014-01-15 13:44:06 [SERVER_IP] POST /webticket/webticketservice.svc/mex - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 374

If I browse dialin.domain.com and select the sip@domain.com certificate:

2014-01-15 13:51:33 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 500 0 64 70
2014-01-15 13:51:38 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 403 16 2148204809 24

If I browse webservicefqdn/dialin I get:

2014-01-15 14:02:03 [SERVER_IP] GET /dialin - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 301 0 0 33
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/ - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 87
2014-01-15 14:02:04 [SERVER_IP] GET /Dialin/Conference.aspx - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 5
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/Resource.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 4
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/PSTN_info_styles.css - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 8
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/dialinform.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 20
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/Utilities.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 20
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/logo.png - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 20
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/WebTicketManager.js - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 23
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/DialinResource.aspx ResourceLang=de 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 2
2014-01-15 14:02:04 [SERVER_IP] GET /favicon.ico - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 500 0 64 60
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/client/warningIcon.gif - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 221
2014-01-15 14:02:04 [SERVER_IP] POST /webticket/webticketservice.svc/mex - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/6.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 200 0 0 204

Summary

So there is like a landing zone as I can see on the first log which is / and receives HTTP Code 500

After I cancel the certificate selection window it shows / once again, but with HTTP Code 200

At the second try, by selecting the SIP certificate, it's a short log as I get a forbidden page.

And the last try is of course directly on /dialin which redirects to /dialin/ and it gets HTTP Code 200

January 15th, 2014 5:16pm
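
The status triplets in the logs above (sc-status, sc-substatus, sc-win32-status) can be decoded mechanically. This is an added example, not part of the original thread: it assumes the default IIS W3C field order, since the post does not show the #Fields header, and it runs on abbreviated sample lines constructed from the ones posted.

```python
import re

# Assumed field order (IIS default W3C set; the #Fields header is not in the post):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<stem>\S+) \S+ "
    r"(?P<port>\d+) \S+ \S+ \S+ "
    r"(?P<status>\d{3}) (?P<sub>\d+) (?P<win32>\d+) (?P<taken>\d+)$"
)

# Win32 / HRESULT values that appear in the thread's logs.
WIN32 = {
    64: "ERROR_NETNAME_DELETED (connection dropped before the response completed)",
    0x800B0109: "CERT_E_UNTRUSTEDROOT (certificate chain ends in an untrusted root)",
}

def triage(lines):
    """Return (time, uri, status.substatus, meaning) for client-certificate symptoms."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines or lines with a different field set
        status, sub, win32 = int(m["status"]), int(m["sub"]), int(m["win32"])
        if (status, sub) == (403, 16):
            # 403.16: the server asked for a client certificate and rejected it
            note = "client certificate untrusted or invalid: " + WIN32.get(win32, hex(win32))
        elif status >= 500 and win32 == 64:
            note = WIN32[64]
        else:
            continue
        findings.append((m["time"], m["stem"], f"{status}.{sub}", note))
    return findings

# Constructed sample: the thread's log lines with the User-Agent shortened.
SAMPLE = """\
2014-01-15 13:51:33 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0) 500 0 64 70
2014-01-15 13:51:38 [SERVER_IP] GET / - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0) 403 16 2148204809 24
2014-01-15 14:02:04 [SERVER_IP] GET /dialin/ - 443 - [CLIENT_IP] Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 87
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A 403.16 with 0x800B0109 means IIS negotiated a client certificate on that request and could not build a trusted chain for it, which points at the site's SSL Settings rather than at the server certificate binding.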

We could solve this issue.

On both internal websites there was some misconfiguration of the IIS settings.

SSL Settings was:

Require SSL -> No

Client Certificate -> Accept

After changing Client Certificate to its default "Ignore", it solved this certificate selection issue.

Thanks for your help

  • Marked as answer by Lutenus 4 hours 9 minutes ago
January 24th, 2014 2:43am
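
The IIS Manager choices named in the answer (Require SSL, Client certificates: Ignore / Accept / Require) are stored as the sslFlags attribute of the access section in applicationHost.config. This is an added example, not part of the original thread, that audits that attribute per location; the XML is a constructed sample, and "Example Corrected Site" is a hypothetical name.

```python
import xml.etree.ElementTree as ET

def _flags(ssl_flags):
    """Split an sslFlags value such as 'Ssl, SslNegotiateCert' into a set."""
    return {f.strip() for f in ssl_flags.split(",") if f.strip()}

def client_cert_mode(ssl_flags):
    """Map sslFlags to the IIS Manager 'Client certificates' choice."""
    flags = _flags(ssl_flags)
    if "SslRequireCert" in flags:
        return "Require"
    if "SslNegotiateCert" in flags:
        return "Accept"   # server requests a certificate, so browsers may prompt
    return "Ignore"       # default: no client certificate is requested

def audit(config_xml):
    """Return (location path, require_ssl, client cert mode) for each <access> override."""
    rows = []
    for loc in ET.fromstring(config_xml).iter("location"):
        access = loc.find("./system.webServer/security/access")
        if access is None:
            continue
        value = access.get("sslFlags", "None")
        rows.append((loc.get("path"), "Ssl" in _flags(value), client_cert_mode(value)))
    return rows

def prompting(rows):
    """Locations whose setting makes the server ask for a client certificate."""
    return [path for path, _, mode in rows if mode != "Ignore"]

# Constructed sample: the first entry mirrors the state described in the answer
# (Require SSL: No, Client Certificate: Accept); the second is the corrected state.
SAMPLE_CONFIG = """
<configuration>
  <location path="Lync Server Internal Web Site">
    <system.webServer><security><access sslFlags="SslNegotiateCert" /></security></system.webServer>
  </location>
  <location path="Example Corrected Site">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
    print("prompting:", prompting(audit(SAMPLE_CONFIG)))
```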


This topic is archived. No further replies will be accepted.
