Export (0) Print
Expand All

Authentication Process

Lync Server 2010
 

Topic Last Modified: 2012-06-21

In UNRESOLVED_TOKEN_VAL(nm-oc-14-3rd), some IP phones support personal identification numbers (PINs) and certificate authentication, some support NTLM and certificate authentication, and some support both, as described in the following table. To authenticate, the device sends user credentials to Web Services as part of an authentication request. In the case of NTLM authentication, the credentials are the domain user name and password. In the case of PIN authentication, the credentials are the phone number and the PIN. In both cases, the client’s Lync certificate, which is obtained in the previous step, is used to negotiate the security of the communication channel for all subsequent communications.

 

Phone PIN authentication NTLM authentication

Aastra 6721ip common area phone

Yes

No

Aastra 6725ip desk phone

Yes

Yes

HP 4110 IP Phone (common area phone)

Yes

No

HP 4120 IP Phone (desk phone)

Yes

Yes

Polycom CX500 IP common area phone

Yes

No

Polycom CX600 IP desk phone

Yes

Yes

Polycom CX700 IP desk phone

Yes

Polycom CX3000 IP conference phone

Yes

Yes

noteNote:
If two users enter the same phone number, their PIN is used to disambiguate them. If a phone number + PIN pairing is not unique, the phone number and extension is used to disambiguate. Phone number + extension must always be unique. This scenario might occur when the PIN is first set, rather than during authentication, however, it is worth understanding in the context of PIN authentication.

Issue: The maximum number of attempts have been made to authenticate using incorrect PIN for the user. The number of retries that are allowed is set in the PIN policy for the site or the user.

Resolution: After the user has incorrectly entered her PIN more than the number of allowed retries, the account can only be unlocked by an administrator on the Lync Server. An administrator can unlock the account for that user by using Lync Server Control Panel. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync Server administrative role, the administrator cannot connect in Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user to view the user's settings, and then reset the user's PIN.

Alternately, the user can reset her PIN on the Dial-in Conferencing Settings webpage. To open the Dial-in conferencing Settings webpage, do one of the following:

  • In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.

  • In UNRESOLVED_TOKEN_VAL(nm-oc-14-3rd), click Menu, click Tools, and then click Dial-in Settings.

  • In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.

After the user resets the PIN, the user can reenter the correct PIN on the device and authentication continues.

Issue: The PIN for the user’s account has expired. PIN expiration is set in the PIN policy for the site the user is homed on or for a specific user.

Resolution: PIN expiration is one of the attributes of the PIN policy assigned to the site or user. To determine what the PIN policy is for the user, you need to log on as a member of a Lync Server administrative role. For details, see Role-Based Access Control in the Planning documentation. First, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync Server administrative role, the administrator cannot connect.

If the PIN has expired, reset the user’s PIN. In Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user to view the user's settings, and then reset the user's PIN.

Alternately, users can reset their PIN on the Dial-in Conferencing Settings webpage. To open the Dial-in Conferencing Settings webpage, do one of the following:

  • In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.

  • In UNRESOLVED_TOKEN_VAL(nm-oc-14-3rd), click Menu, click Tools, and then click Dial-in Settings.

  • In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.

After the PIN is reset, the user can reenter the correct PIN on the device and authentication continues.

Issue: The user does not have a PIN that the user can use to authenticate.

Resolution: Create a PIN for the user. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync Server administrative role, the administrator cannot be able to connect.

In Lync Server Control Panel, click User, and then type the user name in the search field. In the search results, double-click the user to view the user's settings, and set the user's PIN.

Alternately, the user can set his PIN on the Dial-in Conferencing Setting webpage. To open the Dial-in Conferencing Settings webpage, do one of the following:

  • In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.

  • In UNRESOLVED_TOKEN_VAL(nm-oc-14-3rd), click Menu, click Tools, and then click Dial-in Settings.

  • In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.

After the PIN is reset, the user can reenter the correct PIN on the device and authentication continues. You can provide the new PIN to the user (for example, in an email message). After the user has received his new PIN, he enters this value along with his phone number into the device and then he can authenticate.

Issue: The phone number entered by the user on the device is not unique or cannot be attributed to a specific user.

Resolution: Reset the phone number for the user. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync Server administrative role, the administrator cannot connect.

In Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user's name to view the user's settings, and they type the new phone number in the Line URI field. To save your changes, click Commit. Send the new phone number to the user. After the user has received the new phone number, the user should enter this value, along with a PIN, into the device and be able to authenticate.

noteNote:
If two users enter the same phone number, their PINs are used to disambiguate them. If a phone number + PIN pairing is not unique, the phone number and extension are used to disambiguate. Phone number + extension must always be unique.

Issue: This indicates a problem on the server side, rather than with a specific user. To determine the source of the problem, open the Lync Server Management Shell and run the test-OcsAuth cmdlet. Only an administrator with the CsVoiceAdministrator role or the CsAdministrator role have sufficient administrator rights and permissions to run the test-OcsAuth cmdlet. For details about the Lync Server administrative roles, see Role-Based Access Control in the Planning documentation.

Resolution: Run the following synthetic transaction:

$cred = get-credential
test-CsClientAuth -UserSipAddress <SIP address> -UserCredential $cred -TargetFQDN

Do not specify TargetFQDN if you want DHCP discovery to be used. If not, provide the destination FQDN into the synthetic transaction and DHCP discovery will be bypassed.

The output shows you at what point authentication failed. For example, the DHCP discovery message might not receive a response. Follow the directions in the transaction output to resolve the problem.

Issue: A user enters their valid credentials (whether they use a PIN and phone number on an Aastra 6721ip, Aastra 6725ip, HP 4110, HP 4120, Polycom CX500, or Polycom CX600 or a domain user name and password on Polycom CX700), however, Lync is unable to sign in the user. The user is not enabled for unified communications (UC). The device displays a message similar to the following: "Cannot sign in. Your sign-in address is incorrect or your account is not set up."

Resolution: Enable the user for Lync Server. To do this, open to the Lync Server Control Panel. If the administrator is not a member of a Lync Server administrative role, the administrator cannot connect.

In Lync Server Control Panel, click User, and then type the user name in the search field. In the search results, double-click the user to view the user's settings, and then select the Enabled for Lync Server check box. Under Telephony, select Enterprise Voice and then type the user’s phone number in the Line URI field. If necessary, change the user's dial plan policy. To save your changes, click Commit.

When the user reenter her credentials into the device, she can authenticate and log on again. This time the user is able to log on to Lync Server.

Issue: The get-and-publish request for the user’s certificate can fail if the Registrar is unable to publish the user’s certificate to User Services. The device will not receive the user’s certificate, and the user will not be able to log on and must start again.

Resolution: Verify that Web Services is able to generate and publish a certificate for the user, by running the following synthetic transaction:

$cred = get-credential
test-CsClientAuth -UserSipAddress <sip address> -UserCredential $cred -TargetFQDN

If you want to use DHCP discovery, do not specify TargetFQDN. If you do not want to use DHCP discovery, provide the destination FQDN in the synthetic transaction and DHCP discovery will be bypassed.

The output shows you at what point authentication failed. For example, the DHCP discovery message might not receive a response. To resolve the problem, follow the directions in the transaction output.

If this succeeds, restart the device and have the user try to authenticate again. If it fails, resolve the problem indicated.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft