Some accounts unable to log into Lync mobile, third-party Lync clients, and the official Lync client on- and off-site

Hi everyone,

A week ago Thursday, over the lunch hour I suddenly became unable to log into our on-campus Lync server via Pidgin. Over the next few days, we discovered that the problem wasn't just with my account, but suddenly started affecting a number of people randomly, and in different ways.

From what we've observed so far, everyone can log in internally from the Lync client. Many people can log in from off-campus from the Lync client, but not everyone. For those who can't log in remotely, they also can't log in via Pidgin or the Lync Mobile client (from on- or off-campus.)

Whenever someone encounters this problem, a SIP trace results in the error:
ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="MULYNC.at.millikin.edu"
and the Lync FE server's event log reports an EventID 4625, 0xc000006d error, with no sub-status.

The issue isn't machine- or device-specific because my coworker can log into Lync on my machine (under my Windows and Linux profiles) without a problem.

We've spent the last three days Googling and Binging the daylights out of the web, but haven't found a solution. The Lync server reports full replication, and I've manually kicked off a replication just to be safe, but it didn't make any difference. The issue isn't a new- versus old-user problem either, because some new users have no problems, and some old users have no problems, but the inverse is also true. I even totally de-provisioned my account (the first one that was created on the Lync server when we first built it) and re-provisioned it, but it didn't make any difference.

I also ran through the Microsoft Test Connectivity website (https://testconnectivity.microsoft.com/) and it reported no problems.

Our network and security admins have reported no changes since before the problems started, so it doesn't seem like it's related to that.

Is there any direction that you could point us on how to resolve this, or at least try to figure out where to look from here?

Thanks much!

Chris

March 23rd, 2015 4:34pm
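
One way to triage the Event ID 4625 failures described in the post above, as an added example that is not part of the original thread. Run in an elevated PowerShell session on the Front End server, it groups failures with status 0xC000006D by account, authentication package and sub-status so affected and unaffected users can be compared; the seven-day look-back window is an assumption.

```powershell
# Added example, not from the thread. Assumes the failures are logged in the
# Security log of the machine it runs on and that a 7-day window covers them.
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Event 4625 carries its fields as named <Data> elements in the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only the status quoted in the post (0xC000006D, STATUS_LOGON_FAILURE).
    if ($data['Status'] -ne '0xc000006d') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SubStatus   = $data['SubStatus']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        SourceIp    = $data['IpAddress']
    }
}

# One row per account / package / sub-status, with the first and last failure
# times, so the onset can be lined up against change and patch windows.
$failures |
    Group-Object Account, AuthPackage, SubStatus |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Count = $_.Count
            Key   = $_.Name
            First = $times | Select-Object -First 1
            Last  = $times | Select-Object -Last 1
        }
    } | Format-Table -AutoSize
```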

Hi,

Would you please elaborate on your Lync Server environment (Standard Edition or Enterprise Edition)?

From your description above, it can be an authentication error.

On the computer with the issue, run MMC and select Certificates with the computer account, then check whether the certificate for Lync exists in the trusted root certificate store.

Please also make sure Lync Server is updated to the latest version.

Best Regards,
Eason

March 24th, 2015 2:55am

Well, it looks like the security admin figured out what's going on - they removed all of the patches from the last "Patch Tuesday" from our three domain controllers, and things started working normally again. The odd thing is that they reinstalled the patches one at a time, and things are still working. So we're not sure what the issue was, or why there was such a delay between the "Patch Tuesday" install and Lync puking, but as of right now at least, things seem to be working ok again.

To answer your earlier questions though - the certs haven't been changed in over a year (using two-year certs) and they all seem to be ok. When we run openssl s_client tests from a Linux box, the chaining all seems to be ok both on- and off-campus, and Lync is reporting that they're installed correctly.

The Lync server has all of the latest patches (both OS and Lync,) so we should be good there.

And, we're running a three-box Standard Edition (combined Front End server, separate Edge server, and a third server for the reverse proxy.)

March 25th, 2015 1:23pm


This topic is archived. No further replies will be accepted.
