1

I'm currently trying to set up a Polycom CX600 to test the operability with Lync. We have been using Lync for several months, but only really using the IM aspect. I didn't set the Lync server up initially but am trying to troubleshoot where the problem may lie. I'll explain my setup to better help track the problem down.

Lync Server 2013 is installed on Windows 2008 R2. Domain Controller is Windows Server 2008, DHCP/DNS server role. To my knowledge there was no DHCP setup on the Lync server itself.
My client is Windows 7 x64, fully patched. Lync client is 2013.

We just have one Lync server being used internally, nothing on the outside, no federation, etc.

Here's what I did:

  1. Reset the phone so it was a clean start.
  2. Plugged the phone into the wall for network access, plugged my PC into the phone.
  3. Plugged the USB cable from the phone into my PC.
  4. Starting up it asks if I want to connect via the PC, I tell it next.
  5. It prompts on my PC to authenticate via Lync with a box labeled "Logon Information Needed".
    It has auto-populated my Sign-In address and username. I enter my password and select OK.
  6. On the phone it states that it is contacting the time server, this takes about 50 seconds or so.
  7. Then it says it is connecting to Lync Server, this takes about 5 seconds.
  8. Next it says it is locating the server to download the certificate, this takes about 20 seconds.
  9. Then it briefly flashes that it's installing the certificate, then gives me a sign-in error that says: "Cannot sign in. Please verify your sign-in address, domain\user name, and password, and try again. Please verify that the domain entered @domain.com is correct".

On the phone screen I click Next.

It says USB connection is detected, I click Skip (only option is Skip or Menu). It asks me for my extension or phone number. I put the number in that is assigned to me on the Lync Server (I set it to 5551212 and verified in AD that the number I put in is the same as the msRTCSIP-Line field).
I click Next, then enter my PIN (I also reset my PIN to make sure it was valid).

I click Sign in, it says "Contacting time server" for a bit, then "Connecting to Lync Server" for just a split second, then quickly an error flashes that says "Account used is not authorized, please contact your support team". Afterward it goes to the screen saying "An account matching this phone number cannot be found. Please contact your support team."

I see looking at the menu/system information on the phone that it grabbed an IP address from the DHCP server (and verify it is shown in leases), the mask and GW/DNS are all set correctly. I did notice VLAN ID is set to 1...which we don't use, but I don't see a way to change that to the VLAN ID we do use on our network (if that is even relevant?). I can't access the phone via the web or ping it, but my computer can use the built-in switch to work through it just fine.

On the Lync server I have run the test command -

Test-CsPhoneBootstrap -PhoneOrExt "5551212" -PIN "16778" -UserSipAddress "sip:my.name@domain.com"

All results come back positive.

I have run the command -

Test-CsClientAuth -TargetFqdn lync.domain.local -UserSipAddress "sip:my.name@domain.com" -UserCredential "domain\user"

All results come back positive.

I have looked at the certificate store on my local machine, I see a certificate under Personal/Certificates issued by Communications Server, and from what I've seen online this is part of the Polycom/Lync setup. I don't however see anything similar in the Trusted Root store...should it have something in there?

In AD Attributes I verified my msRTCSIP-PrimaryUserAddress setting is the same as my SMTP address, but my sAMAccountName is different to logon to the domain (saw one place saying this had to be the same, but others saying only the SMTP/SIP needed to be the same) and the same as my UserPrincipalName.

So anyway, I'm kind of at a loss, I have tried everything I can think of and so far I've had no luck getting this phone to connect up to Lync. Exchange and Lync seem to work fine, OWA, EWS, Autodiscover, DNS settings are all right, but for some reason this won't connect. If anyone has an idea of something I could try, I would be very appreciative. Thanks in advance!

Don
  • Hopefully you've been able to correct this by now. If not, I've got a couple ideas. 1) Ensure the DHCP scope your device is in is configured properly: http://technet.microsoft.com/en-us/library/gg398088(v=ocs.14).aspx. 2) When trying to sign-in using your computer, try using your user principal name (i.e. username@ad.domain.com) instead of the domain\username format. – Rob D. May 29 '13 at 17:25

2 Answers

1

I have had the same experience trying to connect a CX600 that has never connected to a Lync server. I have used Jeff Schertz's Blog extensively in an effort to configure this.

http://blog.schertz.name/2013/05/updating-lync-phone-edition-devices-lync-2013/

I too noticed the VLAN ID of 1 (default) and found a post by Jeff on how to set this for Lync. However, I did not have success with this; once configured per the blog entry, the phone could no longer get an IP address from DHCP. What we did see was that based on the error code the phone listed, 2f0d, the issue seemed to have something to do with Lync not trusting our private CA. We tried swapping out our private cert for a wildcard cert issued by a CA that is trusted by Lync and were then able to connect to our Lync server and the phone updated to the latest firmware after a few minutes.

As I've read a number of posts telling that wildcards will not work, it was a surprise to us that this was the workaround. We'd like to use the private cert, but have not found a way to do it yet.

Campbell
0

Since you said "Lync server" (as in, just one), I assume you are not using a hardware load balancer. However, if you have a pool and therefore are doing some sort of load balancing for web services (or SIP, too), make sure that the load balancer is giving the full certificate chain in the handshake. When we had our load balancer guy make a certificate chain group and associate that with the interface on the Cisco ACE we've got for load balancing instead of just the Lync pool server certificate, the phones finally started logging in.

The problem appears to be that the LPE device needs to get whatever intermediate CA certs are between the root CA (which it gets from Active Directory) and the Lync server cert during the handshake right before the client certificate provisioning.

I wrote a bit more about how we diagnosed that here: http://insideactiveroles.com/2014/09/10/lync-phone-edition-pin-cisco-certificate-chain/
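
The chain problem described in this answer can be reproduced offline. The following is an added example, not code from the answer or its linked post: it builds a constructed root, issuing CA and server certificate with the `openssl` CLI, then validates what a server might present against a client that holds only the root. All file names and CA names are made up; `fetch_presented` is a hypothetical helper for capturing the bundle from your own endpoint.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI; every name and file here is made up.

# Build root CA -> issuing (intermediate) CA -> server certificate in directory $1.
make_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/pki.cnf"
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" -extensions ca \
      -subj "/CN=Constructed Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.pem" &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=Constructed Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
      -extfile "$d/pki.cnf" -extensions ca -days 2 -out "$d/int.pem" &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=lync.domain.local" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
      -days 2 -out "$d/leaf.pem"
  } >/dev/null 2>&1
}

# $1 = CA file standing in for the root the phone already holds.
# $2 = PEM bundle in the order the server sends it (server certificate first).
# openssl verify checks the first certificate in $2; the rest serve only as untrusted helpers.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Hypothetical helper: save what a live endpoint presents (needs network). $1 = host:port, $2 = output file.
fetch_presented() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

demo() {
  d=$(mktemp -d) && make_pki "$d" || return 1
  cat "$d/leaf.pem" "$d/int.pem" > "$d/full.pem"
  chain_ok "$d/root.pem" "$d/leaf.pem" && echo "leaf only: validates" \
    || echo "leaf only: FAILS (issuing CA not presented)"
  chain_ok "$d/root.pem" "$d/full.pem" && echo "leaf + intermediate: validates" \
    || echo "leaf + intermediate: FAILS"
  rm -rf "$d"
}
demo
```

Against a real deployment, run `fetch_presented` on the load balancer address and on a pool server directly, then compare the two `chain_ok` results using your exported root CA certificate.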