Lync Mobile iOS Client Authentication Issues

March 14, 2012 by · 25 Comments 

Troubleshooting Lync client connectivity can be difficult when multiple clients exhibit slightly different behavior, and in some scenarios not all clients can successfully sign in.

If both the Windows Phone 7 and Android clients can sign in successfully but iOS clients cannot, the cause could be a specific configuration change applied to the Lync servers somewhere along the line. More specifically, the iOS clients hang during the sign-in process and the cancel button is unresponsive.

Basically, the iOS clients do not support the basic NTLM authentication method, while the Windows Phone and Android clients do.

To determine the available authentication options, the Lync mobile application retrieves the MEX bindings from the Web Ticket Service, and the iOS client expects to see WebTicketServiceWinNegotiate among the available authentication port names.

const std::string MEX_ATTRIBUTE_VALUE_WIN_NEGOTIATE("WinNegotiate");
const std::string MEX_ATTRIBUTE_VALUE_WEBTICKET_BEARER_TOKEN("WebTicketBearer");
const std::string MEX_ATTRIBUTE_VALUE_FED_BEARER_TOKEN("FedBearer");

When Lync is misconfigured and the iOS clients cannot sign in, the Web Ticket Service response will look like this:

<wsdl:service name="WebTicketService">
   <wsdl:port name="WebTicketServiceWinNtlm" binding="tns:WebTicketServiceWinNtlm">
      <soap:address location="https://lync.schertz.local/WebTicket/WebTicketService.svc"/>
   </wsdl:port>

But the iOS client would expect to see the following response from the Web Ticket service:

<wsdl:service name="WebTicketService">
   <wsdl:port name="WebTicketServiceWinNegotiate" binding="tns:WebTicketServiceWinNegotiate">
      <soap:address location="https://lync.schertz.local/WebTicket/WebTicketService.svc"/>
   </wsdl:port>
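
A way to inspect a saved MEX/WSDL response for the port name the iOS client expects, as an added PowerShell example (not code from the Lync client or from this post). The sample WSDL is constructed from the two fragments above; the `soap` namespace URI and the function names are assumptions.

```powershell
# Added example. Sample WSDL is constructed from the fragments in this post;
# the soap namespace URI and all function names are assumptions.
function New-SampleWsdl([string] $Method) {
@"
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:service name="WebTicketService">
    <wsdl:port name="WebTicketService$Method" binding="tns:WebTicketService$Method">
      <soap:address location="https://lync.schertz.local/WebTicket/WebTicketService.svc"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"@
}

# Return one object per authentication port advertised by the Web Ticket Service.
function Get-WebTicketAuthPort([string] $WsdlText) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never resolve DTDs or external entities
    $doc.LoadXml($WsdlText)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('wsdl', 'http://schemas.xmlsoap.org/wsdl/')

    $xpath = '//wsdl:service[@name="WebTicketService"]/wsdl:port'
    foreach ($port in $doc.SelectNodes($xpath, $ns)) {
        $name = $port.GetAttribute('name')
        # Match the address element by local name so SOAP 1.1 and 1.2 prefixes both work.
        $addr = $port.SelectSingleNode('*[local-name()="address"]')
        [pscustomobject]@{
            PortName = $name
            Method   = $name -replace '^WebTicketService', ''
            Address  = if ($addr) { $addr.GetAttribute('location') } else { $null }
        }
    }
}

# Summarise whether a client that requires WinNegotiate could pick a binding.
function Test-WinNegotiateAdvertised([string] $WsdlText) {
    $methods = @(Get-WebTicketAuthPort $WsdlText | ForEach-Object { $_.Method })
    [pscustomobject]@{
        Methods         = $methods -join ', '
        HasWinNegotiate = $methods -contains 'WinNegotiate'
        NtlmOnly        = ($methods -contains 'WinNtlm') -and ($methods -notcontains 'WinNegotiate')
    }
}

foreach ($m in 'WinNtlm', 'WinNegotiate') {
    Test-WinNegotiateAdvertised (New-SampleWsdl $m)
}
```

Replace the sample with the WSDL text returned by your own Web Ticket Service to see which methods it advertises; an `NtlmOnly` result of `True` corresponds to the misconfigured case described above.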

 

Resolution

Verify that the UseWindowsAuth option is correctly set to Negotiate in the Lync Server’s Web Service configuration.

Get-CsWebServiceConfiguration


  • To change the setting, use the following cmdlet to revert Lync to the recommended authentication setting, and then verify the new parameter value.

Set-CsWebServiceConfiguration -UseWindowsAuth Negotiate

Get-CsWebServiceConfiguration


Thanks again to Dave Howe at Microsoft for sharing details on these Lync mobility topics.

About Jeff Schertz
Site Administrator

Comments

25 Responses to “Lync Mobile iOS Client Authentication Issues”
  1. y0av says:

    That's great. Thanks Jeff!

  2. Wes says:

    Hi Jeff, noticed first Lync iOS client update pushed today. Version 4.1. Any idea what changed? The app bug fix list was empty…

    • jeffschertz says:

      The only resolved issue I am aware of is that it is now working and supported for iOS clients to sign in when using Forefront UAG 2010 SP1 as the reverse proxy.

      • Cajuntank says:

        Are you saying you are using UAG 2010 SP1 as your reverse proxy for Lync Mobility service?
        If that's the case, will you please elaborate on how you got that working as I am not seeing that supported by Microsoft as of yet?

        • jeffschertz says:

          I am not using UAG, but that information was incorrectly relayed to me. Apparently iOS clients 'can' function through UAG since that update but not under all circumstances and it's still not officially supported. Apologies for any confusion.

  3. Mike says:

    Fantastic! Trying this soon.

  4. Femopa says:

    Hi Jeff!

    In my case we have Windows phones and android working perfectly through 3g and wifi. But not iphone/ipad. What we see in the logs is this:
    Sending request(WebTicketRequest) to server type = 1
    2012-03-20 16:35:20.643 Lync[258:733f] INFO TRANSPORT /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../requestProcessor/privateIos/CHttpStreamPool.cpp/159:Setting url – https://lyncExtWeb.domain.com/webticket/webticket… persistent id as 24
    2012-03-20 16:35:20.734 Lync[258:733f] INFO TRANSPORT /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../requestProcessor/privateIos/CHttpConnection.cpp/462:Received stream event = 2 for WebTicketRequest
    2012-03-20 16:35:20.737 Lync[258:733f] INFO TRANSPORT /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../requestProcessor/privateIos/CHttpConnection.cpp/462:Received stream event = 16 for WebTicketRequest
    2012-03-20 16:35:20.738 Lync[258:733f] INFO TRANSPORT /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../requestProcessor/privateIos/CHttpConnection.cpp/506:Received kCFStreamEventEndEncountered (WebTicketRequest)isHeadersAvailable = true responseHeadersHandle = 62d0810
    2012-03-20 16:35:20.742 Lync[258:733f] INFO TRANSPORT /Users/comobuildadmin/icomo/private/se_wave1_idx/src/dev/CoMo/transport/_buildIos/../requestProcessor/privateIos/CHttpConnection.cpp/554:Response status = 401 for request WebTicketRequest

    This is repeated 7 times and then we get:
    <h2>401 – Unauthorized: Access is denied due to invalid credentials.</h2>
    <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

    The thing is that iphone/ipad work perfect with wifi when we set the "exposedWebURL" as internal.

    Are the web ticket service (internal and external) different?

    Could you give us a helping hand on this?

    Thanks in advance!!

  5. Russ says:

    We discovered that providing the credentials in UPN format also works around the issue.

  6. Ross says:

    Hi Jeff!
    Could you please advise me? I am using Squid as a proxy. The CsWebServiceConfiguration is already configured as Negotiate. Windows Phone and Android are working, but iOS is not. Checking the log on iOS, I can see it is using Negotiate already, but there is a 401 error at the WebTicket request.
    I don't know what I need to do to make Lync work on iPhone/iPad. Please give me a few minutes and some ideas. Thanks

  7. Jose Luiz says:

    Same here.. Iptables

  8. José Luiz says:

    Found the problem was keepalive key on reverse proxy server
    http://social.technet.microsoft.com/Forums/en-US/

  9. Thomas says:

    I'm facing a problem in testing Lync mobility internally.
    Unable to access my domain using http://lyncdiscoverinternal.xxx.com/autodiscover/
    Test-CsMcxP2PIM.
    Target Fqdn : lyncdiscoverinternal.xxx.com
    Target Uri : https://hq-lync-01.xxx.com:443/CertProv/CertProvi… ice.svc
    Error Message : No response received for Web-Ticket service.
    Inner Exception:The HTTP request is unauthorized with client
    authentication scheme 'Ntlm'. The authentication header
    received from the server was 'Negotiate,NTLM'.
    Inner Exception:The remote server returned an error: (401)
    Unauthorized.

    Could not get a web ticket
    I'm using Lync 2013 Standard Edition.
    Thanks in advance..
    Regards
    Thomas

    • Rick Eveleigh says:

      Thomas, if you run Get-CsWebServiceConfiguration on your Lync 2013 server, what is the value of UseWindowsAuth (as above)? It needs to be Negotiate.

  10. Marcus says:

    This also sorted issues getting the Lync 2013 Windows Phone 8 Client to work. It just hung on "Signing in…" until this change was made.

  11. ckehayias says:

    Jeff – Great blog and awesome info. I have a strange problem. Lync 2013 is setup and running great. Internal / Edge / Reverse Proxy (iis aar) all running. My system passes both tests in the Lync 2013 connectivity analyzer, but ios clients still cannot login. I just checked and my useWindowsAuth is correctly set to negotiate. I am stumped….Looking for some insight from anyone?

    • Reto says:

      Exactly same problem here…. Android and WP works perfect… But IOS says in Client log: Invalid Credentials. IIS has a 403. useWindowsAuth is correctly set to negotiate. Help ?

  12. Sarah says:

    Hi Jeff,

    I have Lync 2010 mobile clients logging in, but Lync 2013 mobile clients refuse to log in, with error 401 from TMG. Kindly help.

  13. shekar says:

    Hi Jeff, I have Lync 2013 on iphone 5c, while trying to log in it says cannot connect to the server. Internet is fine from my end,

  14. Ric says:

    Hi Jeff,

    I know this is an old article but I recently discovered that I needed to make this change to support Lync 2013 on Android.
    Did Lync 2013 (and S4B) lose basic NTLM authentication?

  15. chris hall says:

    We are using Windows Phone and auth is set to Negotiate. Our phones were able to sign in to the Skype for Business app yesterday and now they all hang at the sign-in screen saying "signing in…"; they never sign in. If I go to the Microsoft test connectivity site everything passes. There are also no event logs on the server, and a Skype client can sign in on a PC. We are using Skype for Business Server on premises with an Edge server.
