0

I have configured a Lync system which is successfully working with the Lync Windows client.

I followed the instructions at http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/ and was able to successfully configure DHCP and DNS. I tested with:

DHCPUtil -EmulateClient

and

Test-CsPhoneBootstrap

Which both returned successfully.

However, when entering the same details which worked on Test-CsPhoneBootstrap on a Polycom CX500, I get the error:

"An account matching this phone number cannot be found. Please contact your support team."

There is also a very quick flash of an error which I managed to capture on video:

"Account used is not authorized. Please contact your support team."

This appears very briefly before the error above remains on the screen.

In my Lync logs, there is only a single line logged for the device:

2012-05-23 04:37:51 10.8.0.111 POST /CertProv/CertProvisioningService.svc/anon - 80 - 10.8.32.6 OCPhone/4.0.7577.250+(Microsoft+Lync+2010+Phone+Edition) 200 0 0 7

There is nothing else logged for the IP address of the phone.

What I've tried

I've found very few reports on the Internet of similar problems. Tried solutions:

Factory reset

I booted the phone holding 4 and 6, and chose the option to reset it.

Upgrade the firmware

I imported and approved the latest firmware. However, it seems the phone will not update if it cannot sign in.

Don't use a wildcard certificate

http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/ Our internal certificates are not wildcard certificates. They are created by our certificate server.

Has anyone else come across this before? Any tips?

Tass

2 Answers

1

If Schannel sends a truncated list of trusted root certificate authorities to Lync Phone Edition during the TLS/SSL handshake process, please try configuring Schannel on the Lync FE server so that it does not send the list, and check whether the problem occurs again:

  1. Click Start, click Run, type regedit, and then click OK. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

  2. On the Edit menu, point to New, and then click DWORD Value. Type SendTrustedIssuerList, and then press ENTER to name the registry entry.

  3. Right-click SendTrustedIssuerList, and then click Modify. In the Value data box, type 0 if that is not already the value.

  4. Exit Registry Editor and reboot the server.

John Gardeniers
bren
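
The registry change from the steps in the answer above, as an added PowerShell example that is not part of the original answer: it reports the current state of SendTrustedIssuerList and writes 0 only when run with the `-Fix` switch (a switch name chosen here for illustration). It assumes an elevated PowerShell session on the Lync Front End server.

```powershell
# Added example: audit, and optionally set, SendTrustedIssuerList for Schannel.
# The -Fix switch is a hypothetical name; without it the script only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix
)

# Key and value name as given in the answer.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'SendTrustedIssuerList'

# Read the value without failing when it does not exist yet.
$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    $current = $null
    Write-Output "$name is not present under $key"
} else {
    $current = $item.$name
    Write-Output "$name is currently $current"
}

if ($current -eq 0) {
    Write-Output 'Already 0: Schannel is configured not to send the trusted issuer list.'
    return
}

if (-not $Fix) {
    Write-Output 'No change made. Re-run with -Fix to set the value to 0.'
    return
}

if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD value to 0')) {
    # Print the previous state so the change can be rolled back later.
    $previous = if ($null -eq $current) { 'absent' } else { $current }
    Write-Output "Previous state: $previous"

    # -Force overwrites an existing value; DWord matches step 2 of the answer.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "$name set to 0. Reboot the server for the change to take effect."
}
```

Running it with `-Fix -WhatIf` shows the write that would be made without touching the registry.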
0

Make sure that your root certificate is in AD where the phone knows to look for it: http://technet.microsoft.com/en-us/library/gg398270%28v=ocs.14%29.aspx

If you are using a load balancer and an intermediate CA (the CA that issued your Lync server certificates is not your root CA), make sure that the full certificate chain is getting passed to the connecting device. One way to do this is to have your load balancer pass the full certificate chain, not just the server certificate. More details here: http://mandie.net/2014/09/10/lync-phone-edition-pin-cisco-certificate-chain/. Read the comments for information on what is probably a better way to handle this.

Also, Test-CsPhoneBootstrap can give a false positive if the computer running the Lync commands is not on the same subnet as the phone (they would probably not be on the same subnet in all but the smallest organizations). For example, I was getting a good result from it when I was either directly on one of our Lync servers or implicitly remoted from my desktop to one of them to run that command.

However, when I installed the Lync Management Tools on my desktop and tried it from there, the truth came out.

Cause? DHCP "lite" was running on the Lync servers, so on their subnet, they were getting the proper values, but there were still problems on the subnets the phones are on.