
Friday, November 21, 2014

Lync and Skype for Business protocols

Today it is time to explain the Lync protocol abbreviations, i.e. what these few letters actually stand for.
I was very often asked what, e.g., STUN or RTP means.

I also list the RFC behind each protocol and, where further information is available, that too.

So here it comes:

STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), the original name from RFC 3489
This protocol is used between the Lync client and the Edge server to discover how the client's UDP traffic is mapped by a NAT: the client sends a Binding Request, and the response tells it the external (public) IP address and port behind which it is hidden, as opposed to the internal (private) address assigned to the client. Lync also uses STUN for the connectivity checks of ICE.
https://www.ietf.org/rfc/rfc3489.txt
 
STUN - Session Traversal Utilities for NAT (the revised definition in RFC 5389, which obsoletes RFC 3489 and adds the magic cookie and the XOR-MAPPED-ADDRESS attribute)
http://tools.ietf.org/html/rfc5389

URI Scheme for the Session Traversal Utilities for NAT protocol
https://tools.ietf.org/html/rfc7064

NAT Behavior Discovery Using Session Traversal Utilities for NAT (STUN)
https://tools.ietf.org/html/rfc5780



TURN - Traversal Using Relays around NAT
TURN is one of the building blocks of ICE, but it can also be used without ICE. It gives a client behind a NAT that cannot get a direct connection a relayed transport address on a public server, so that media still flows, through the relay. In Lync/Skype for Business the relay is server-side: the A/V Edge service on the Edge server. RFC 5766 relays UDP; RFC 6062 extends TURN to TCP allocations.
https://tools.ietf.org/html/rfc5766
https://tools.ietf.org/html/rfc6062


ICE - Interactive Connectivity Establishment
ICE gathers every candidate address and UDP/TCP port that could carry the media of a SIP session (local addresses, server-reflexive ones learned via STUN, relayed ones allocated via TURN), exchanges them in the SDP offer/answer, and then has both endpoints run connectivity checks over the candidate pairs to select the best working path, preferring a direct path over a relayed one. The protocol is client-driven, but it needs ICE-aware STUN/TURN servers (the Edge server in Lync). RFC 5768 defines how SIP endpoints indicate ICE support.
https://tools.ietf.org/html/rfc5245
http://tools.ietf.org/html/rfc5768
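As an added example (not part of the original post), here is the STUN Binding exchange that ICE's server-reflexive candidate gathering relies on, in Python: the client sends a 20-byte Binding Request, the STUN server (in Lync, the A/V Edge service, normally on UDP 3478) answers with a Binding Success Response carrying XOR-MAPPED-ADDRESS, and the client recovers its public IP:port only after checking that the transaction ID matches the request it sent, which is what stops a stale or spoofed datagram from being accepted as "our" public address. The server side is simulated in-process, and the public address 203.0.113.7:52000 is a constructed value. The decoder also accepts the RFC 3489 MAPPED-ADDRESS and IPv6 addresses, which goes slightly beyond the RFC 3489 note above.

```python
"""STUN Binding exchange (RFC 5389 framing) as used for ICE server-reflexive
candidates. Added example: the server side is simulated in-process and the
public address in the demo is a constructed value."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442            # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001         # RFC 3489: address sent in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020     # RFC 5389: XORed so NAT ALGs cannot rewrite it


def build_binding_request(txid=None):
    """20-byte header and no attributes: type, length 0, cookie, 96-bit transaction ID."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _addr_key(txid):
    # X-Address is XORed with the cookie (IPv4) or cookie || transaction ID (IPv6)
    return struct.pack("!I", MAGIC_COOKIE) + txid


def build_binding_success(txid, ip, port):
    """What the STUN server (the Edge A/V service in Lync) answers: the client's
    transport address as seen from outside the NAT, in XOR-MAPPED-ADDRESS."""
    af = socket.AF_INET6 if ":" in ip else socket.AF_INET
    raw = socket.inet_pton(af, ip)
    xaddr = bytes(a ^ k for a, k in zip(raw, _addr_key(txid)))
    family = 0x01 if af == socket.AF_INET else 0x02
    value = struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_message(data):
    """Return (type, txid, {attr_type: value}) after the receiver-side checks of
    RFC 5389: top two bits zero, magic cookie present, length field consistent."""
    if len(data) < 20:
        raise ValueError("truncated STUN header")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype & 0xC000 or cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if length % 4 or len(data) != 20 + length:
        raise ValueError("length field does not match payload")
    txid, attrs, off = data[8:20], {}, 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs[atype] = value
        off += 4 + alen + (-alen % 4)    # every attribute is padded to 4 bytes
    return mtype, txid, attrs


def decode_mapped_address(attrs, txid):
    """(ip, port) from XOR-MAPPED-ADDRESS, or from a legacy RFC 3489 MAPPED-ADDRESS."""
    if ATTR_XOR_MAPPED_ADDRESS in attrs:
        value, port_key, addr_key = attrs[ATTR_XOR_MAPPED_ADDRESS], MAGIC_COOKIE >> 16, _addr_key(txid)
    elif ATTR_MAPPED_ADDRESS in attrs:
        value, port_key, addr_key = attrs[ATTR_MAPPED_ADDRESS], 0, bytes(16)
    else:
        raise ValueError("response carries no mapped address")
    if len(value) < 4:
        raise ValueError("malformed address attribute")
    family, xport = struct.unpack("!xBH", value[:4])
    alen = {0x01: 4, 0x02: 16}.get(family)
    if alen is None or len(value) != 4 + alen:
        raise ValueError("malformed address attribute")
    raw = bytes(a ^ k for a, k in zip(value[4:], addr_key))
    af = socket.AF_INET if family == 0x01 else socket.AF_INET6
    return socket.inet_ntop(af, raw), xport ^ port_key


def reflexive_address(request, response):
    """Client-side check: accept only a success response whose transaction ID
    matches the request we sent; anything else is stale or spoofed."""
    _, req_txid, _ = parse_message(request)
    mtype, rsp_txid, attrs = parse_message(response)
    if mtype != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % mtype)
    if rsp_txid != req_txid:
        raise ValueError("transaction ID mismatch")
    return decode_mapped_address(attrs, rsp_txid)


if __name__ == "__main__":
    req = build_binding_request()
    # Constructed: pretend the Edge server saw us at 203.0.113.7:52000
    rsp = build_binding_success(req[8:20], "203.0.113.7", 52000)
    print(reflexive_address(req, rsp))
```

Against a real server you would send the bytes from build_binding_request() over UDP and hand the received datagram to reflexive_address(); the XOR in the attribute exists so that a NAT with a SIP/STUN ALG that rewrites IP literals in payloads does not corrupt the very address the client is trying to learn.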


MRAS - Media Relay Authentication Service
MRAS is the authentication component of the Lync and Skype for Business media relay (the A/V Edge): before a client may allocate STUN/TURN resources on the Edge server it obtains short-lived credentials (a token) from MRAS, which it requests in-band over its existing, already authenticated SIP signalling. MRAS is therefore better seen as a component than as a protocol of its own.

I haven't found official information about the MRAS server/service, but it is best described in the Audio/Video authentication description:
http://msdn.microsoft.com/en-us/library/cc431496(v=office.12).aspx


PSOM - Persistent Shared Object Model protocol
A Microsoft proprietary protocol used for web conferencing: PSOM is the media protocol for data collaboration (slides, whiteboards, polls). It uses TLS as the underlying transport and is used by conferencing clients to establish media channels with the Web Conferencing Server to negotiate or transfer media.
http://msdn.microsoft.com/en-us/library/ff595355(v=office.12).aspx


C3P - Centralized Conference Control Protocol (CCCP)
C3P activates, modifies, deactivates and controls conferences (adding or removing participants, muting, locking). It builds on the SIP conferencing framework of RFC 4353; in Lync the C3P commands are carried in SIP INFO messages within an existing SIP dialog.
http://msdn.microsoft.com/en-us/library/cc431498(v=office.12).aspx
http://www.rfc-editor.org/rfc/rfc4353.txt



RTP/RTCP - Real-Time Transport Protocol / RTP Control Protocol
RTP (RFC 3550) is the standard protocol for transporting real-time data such as audio and video; its companion RTCP carries reception statistics and synchronisation information for the RTP streams. RFC 3605 specifies the SDP attribute for announcing the RTCP port, RFC 3611 the RTCP Extended Reports (XR) used for quality metrics.
https://www.ietf.org/rfc/rfc3550.txt
https://tools.ietf.org/html/rfc3605
https://tools.ietf.org/html/rfc3611

SRTP - Secure Real-Time Transport Protocol
SRTP (RFC 3711) adds encryption, message authentication and replay protection to RTP and RTCP. Lync exchanges the SRTP keys in the SDP of the SIP signalling, which is why that signalling must itself run over TLS. RFC 5763 describes the alternative of establishing the SRTP keys with DTLS.
http://www.ietf.org/rfc/rfc3711.txt
https://tools.ietf.org/html/rfc5763


SIP - Session Initiation Protocol
Session Initiation Protocol (SIP) is the industry standard protocol described in IETF RFC 3261 that defines a standard way for session setup, termination, and media negotiation between two parties. It is widely used for Voice over IP (VoIP) call signaling.
https://www.ietf.org/rfc/rfc3261.txt


SDP - Session Description Protocol
Session Description Protocol (SDP) is the industry standard protocol described in IETF RFC 4566 that defines a standard way to convey media details, transport addresses, and other session description metadata to the participants when initiating multimedia teleconferences, Voice over IP calls, streaming video, or other sessions.
https://www.rfc-editor.org/rfc/rfc4566.txt



TLS - Transport Layer Security
https://www.ietf.org/rfc/rfc2246.txt (TLS 1.0)
http://tools.ietf.org/html/rfc5246 (TLS 1.2)


MTLS - Mutual TLS
In Lync and Skype for Business, MTLS is ordinary TLS with mutual authentication: both endpoints present a certificate, and each side accepts the connection only if the peer's certificate is valid and its FQDN belongs to a server in the published topology. That is why it is used for all server-to-server communication (port 5061 between Front End, Edge, Mediation Server and so on), whereas a client only verifies the server certificate and authenticates itself by other means. (The Internet draft below, "Multiplexed TLS", describes something different, namely carrying several application sessions inside one TLS connection; it only shares the abbreviation.)
https://tools.ietf.org/html/draft-badra-hajjeh-mtls-05



General information:

Signaling and Control Protocol
SIP, as specified in RFC 3261, is used for session setup and termination in Office Communications Server. SIP messages use TCP or TLS as the underlying transport layer for client-to-server communications and TLS with mutual authentication (MTLS) for server-to-server communications. Conferences and call control are established within the context of existing SIP sessions using C3P protocol. C3P commands are sent using SIP INFO messages. A separate SUBSCRIBE/NOTIFY dialog is used to subscribe to conference packages, state change notifications, and the conference participant list.

Media Protocol
The Web Conferencing Server uses PSOM as the media protocol for data collaboration. PSOM uses TLS as the underlying transport. As the client of the Web Conferencing Server, Live Meeting also relies on PSOM.
RTP and RTCP are used to provide audio/video functionality. Secure Real-time Transport Protocol (SRTP) and Secure Real-time Transport Control Protocol (SRTCP) provide the encrypted and authenticated variant. RTP/RTCP uses TCP or User Datagram Protocol (UDP) as the underlying transport.

Codec(s):
RTA/RTAudio - Real-Time Audio
RTV/RTVideo - Real-Time Video

G711/ G729/ G722

SILK
This is the Skype codec, used with Skype and Skype for Business. The new version is only used between clients and from client to server; the Mediation Server in Skype for Business does not make use of SILK.

OPUS
A new codec that will also be used in the open communication program with Polycom's new phones, but it will not be supported within Skype for Business.

SIREN

PCM




Tuesday, November 18, 2014

Lync become Sykpe for Business (#skype4b) - vNext

Finally it is time to announce the changes Microsoft made.
Still, a lot of features are not yet public, but the name and the look and feel of the new client are.

A lot of rumors went around last month, and now we have a huge discussion about whether this name could be the right one.

YES, I say it is the right name, it is the right way Microsoft is going.

Nothing is more efficient for a company than users being familiar with the tools they need to master within the company. And here it comes: over 20m people use Skype today, and yes, they are very familiar with this tool.
This means to us that unified communication is now taking place in the real world.

Families and their members come closer together. We increase the social component in our work environments.

Never forget how amazing this is: chatting with your parents over the same tool, even if these are two different platforms, Consumer (Skype) and Business (Skype for Business).
But now we finally have them together. Never again sitting in a hotel on a business trip, unable to see your wife and beloved children.

That's what we were waiting for.
Thank you Microsoft.

And here a look into the new Client:


Please follow us on Twitter:

our hashtag is: #skype4b

https://twitter.com/msftlync
https://twitter.com/thomaspoett
http://blogs.skype.com/2014/11/11/introducing-skype-for-business/





Monday, November 3, 2014

Monday, September 29, 2014

SIPPROXY_E_CONNECTION_UNKNOWN_SERVER (TLS negotiation error)

Recently I encountered a very strange issue:

After installing another Lync Front End Server, in this case an SBS, federation was broken.
Incoming traffic via the Edge Server looked fine, meaning that incoming federation requests, e.g. presence or IM, as well as remote access for users hosted on this SBS, worked correctly.
But all outgoing communication to federated partners didn't work at all.
After using the OCSLogger and analyzing the logs in Snooper, I saw the error message "The peer is not a configured server on this network interface" together with SIPPROXY_E_CONNECTION_UNKNOWN_SERVER,
coming along with another message: winsock-info="The peer forced closure of the connection".
I used the RUST tool internally to verify the SBS certificate; it was correct. Even requesting the certificate again didn't help at all, and I also imported the topology on the Edge Server again!
What this clearly showed was: if the SBS presented its certificate, it didn't work; if the Edge Server presented its internal certificate to the SBS, the SBS accepted it.
This is because in the TLS NEGOTIATION message I identified the peer:
Local-IP: 172.28.248.131:5061 (EDGE INTERNAL)
Peer-IP: 172.28.10.10:59238 (SBS)
Since the SBS used a high (ephemeral) port, it must have been the sender.



Resolution:
I had to restart the SBS Frontend Service and the Edge Access Service. This solved the issue.

BUG:
I believe this is a bug: normally, once the certificate is assigned, even while the service using it is running, the service should query the certificate directly from the certificate store. But under some circumstances it does not do so correctly. This is why you have to restart services, at least on the SBS, the server newly established in your environment.

Note:
A similar issue occurs, e.g., if you set up the Exchange OWA integration for presence and IM. If the Exchange Server is not a trusted server in the Topology, you will find a similar error on the Front End server.

---------------------------------------------------------------------------------------

For your better understanding, here are some traces of this case:
Starting with the EDGE Server first


TL_INFO(TF_CONNECTION) [0]0D14.06B4::09/29/2014-08:26:30.134.0007e9ae (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(454))[2855934840] $$begin_recordSeverity: information
Text: TLS negotiation started
Local-IP: 172.28.248.131:5061
Peer-IP: 172.28.10.10:59238
Connection-ID: 0x38F1600
Transport: TLS
$$end_record
 
TL_INFO(TF_PROTOCOL) [1]0D14.06B4::09/29/2014-08:26:30.197.0007ea1e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[2485748977] $$begin_recordTrace-Correlation-Id: 2485748977
Instance-Id: 591B48
Direction: incoming;source="internal edge";destination="external edge"
Peer: 172.28.10.10:59238
Message-Type: request
Start-Line:
NEGOTIATE sip:127.0.0.1:5061 SIP/2.0
From: sip:sbs01.domain.local;tag=8D4E6E25C6A1BCE8C0AA4EBC780ED3E6
To: sip:LYNCEDGE01.domain.local
Call-ID: A0405E94346142207A1C
CSeq: 1 NEGOTIATE
Via: SIP/2.0/TLS 172.28.10.10:59238;branch=z9hG4bK1B170C12.50835B4246C5B624;branched=FALSE
Max-Forwards: 0
Content-Length: 0
Require: ms-compression
ms-negotiate-data: LZ77-64K
Supported: NewNegotiate,OCSNative,ECC,IPv6,TlsRecordSplit
Server: RTC/5.0
 
$$end_record
 
TL_ERROR(TF_CONNECTION) [1]0D14.06B4::09/29/2014-08:26:30.197.0007ea45 (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(389))[2855934840] $$begin_recordSeverity: error
Text: The peer is not a configured server on this network interface
Peer-IP: 172.28.10.10:59238
Transport: TLS
Result-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
Data: fqdn="sbs01.domain.local"
$$end_record
 
 
Having a look into the SBS log here:
 
TL_INFO(TF_CONNECTION) [0]1DAC.056C::09/29/2014-08:47:01.986.000007a2 (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(454))[1674556973] $$begin_recordSeverity: information
Text: TLS negotiation started
Local-IP: 172.28.10.10:60309
Peer-IP: 172.28.248.131:5061
Connection-ID: 0x13B00
Transport: TLS
$$end_record
 
 
TL_INFO(TF_DIAG) [1]1DAC.056C::09/29/2014-08:47:02.064.000007a9 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[612839171] $$begin_recordSeverity: information
Text: Routed a locally generated request
SIP-Start-Line: NEGOTIATE sip:127.0.0.1:5061 SIP/2.0
SIP-Call-ID: 57883DA78E69E21BFB83
SIP-CSeq: 1 NEGOTIATE
Peer: LYNCEDGE01.domain.local:5061
$$end_record
 
 
TL_INFO(TF_PROTOCOL) [1]1DAC.056C::09/29/2014-08:47:02.064.000007aa (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[612839171] $$begin_recordTrace-Correlation-Id: 612839171
Instance-Id: 2835
Direction: outgoing;source="local"
Peer: LYNCEDGE01.domain.local:5061
Message-Type: request
Start-Line: NEGOTIATE sip:127.0.0.1:5061 SIP/2.0
From: sip:sbs01.domain.local;tag=A6CBF413214DBEF0CAE0CF071DBF904D
To: sip:LYNCEDGE01.domain.local
Call-ID: 57883DA78E69E21BFB83
CSeq: 1 NEGOTIATE
Via: SIP/2.0/TLS 172.28.10.10:60309;branch=z9hG4bK650D3356.5FCB69DE77B72B06;branched=FALSE
Max-Forwards: 0
Content-Length: 0
Require: ms-compression
ms-negotiate-data: LZ77-64K
Supported: NewNegotiate,OCSNative,ECC,IPv6,TlsRecordSplit
Server: RTC/5.0
$$end_record
 
 
TL_ERROR(TF_CONNECTION) [0]1DAC.056C::09/29/2014-08:47:02.095.000007ae (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(460))[1674556973] $$begin_recordSeverity: error
Text: Receive operation on the connection failed
Local-IP: 172.28.10.10:60309
Peer-IP: 172.28.248.131:5061
Peer: LYNCEDGE01.domain.local:5061
Connection-ID: 0x13B00
Transport: M-TLS
Result-Code: 0x80072746
Data: fqdn="LYNCEDGE01.domain.local:5061";ip-address="172.28.248.131";peer-type="InternalServer";winsock-code="10054";winsock-info="The peer forced closure of the connection"
$$end_record
 
 
TL_INFO(TF_PROTOCOL) [0]1DAC.056C::09/29/2014-08:47:02.095.000007be (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[4039661650] $$begin_recordTrace-Correlation-Id: 4039661650
Instance-Id: 2838
Direction: outgoing;source="local"
Peer: 172.28.91.102:6861
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Pött Thomas"<sip:thomas.poett@domain.de>;tag=e08f10ad81;epid=1d691e13e1
To: <sip:xyz@microsoft.com>;tag=A6CBF413214DBEF0CAE0CF071DBF904D
Call-ID: 9ef08610a5054b66a1040bef20d1b564
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 172.28.91.102:6861;ms-received-port=6861;ms-received-cid=1700
Content-Length: 0
ms-diagnostics: 1039;reason="Failed to complete TLS negotiation with a peer server";fqdn="LYNCEDGE01.domain.local:5061";ip-address="172.28.248.131";peer-type="InternalServer";winsock-code="10054";winsock-info="The peer forced closure of the connection";source="SBS02.domain.local"
$$end_record
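The records above can be mined mechanically instead of by eye. The following Python is an added example, not code from the original post: it splits a Lync SIPStack trace (the $$begin_record ... $$end_record blocks Snooper displays) into records, parses the Key: value lines, including a Start-Line whose value continues on the next line as in the NEGOTIATE request above, decodes the ";"-separated Data: and ms-diagnostics: fields, and lists every connection failure with its peer, result code and winsock text. The sample input is an abridged copy of four of the records above. Read together they tell the story: the Edge's "not a configured server on this network interface" is the MTLS peer check failing (the FQDN from the SBS certificate was not found among the servers the Edge knows on that interface), the SBS sees only the resulting reset (winsock 10054), and the SBS then answers the client's SUBSCRIBE with a 504 whose ms-diagnostics 1039 header carries the same winsock text, which is the symptom the end user or helpdesk sees first.

```python
"""Mine Lync SIPStack traces ($$begin_record ... $$end_record blocks as shown in
Snooper) for failed server-to-server TLS/MTLS connections. Added example; the
sample trace is an abridged copy of the records in the post."""
import re

HEAD_RE = re.compile(
    r"^(TL_\w+)\((TF_\w+)\)\s+\[\d+\][0-9A-Fa-f]+\.[0-9A-Fa-f]+::(\S+)\s+\((\w+),")
FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):\s?(.*)$")
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^;]*))')

SAMPLE_TRACE = """\
TL_INFO(TF_PROTOCOL) [1]0D14.06B4::09/29/2014-08:26:30.197.0007ea1e (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[2485748977] $$begin_recordTrace-Correlation-Id: 2485748977
Direction: incoming;source="internal edge";destination="external edge"
Peer: 172.28.10.10:59238
Start-Line:
NEGOTIATE sip:127.0.0.1:5061 SIP/2.0
From: sip:sbs01.domain.local;tag=8D4E6E25C6A1BCE8C0AA4EBC780ED3E6
To: sip:LYNCEDGE01.domain.local
$$end_record
TL_ERROR(TF_CONNECTION) [1]0D14.06B4::09/29/2014-08:26:30.197.0007ea45 (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(389))[2855934840] $$begin_recordSeverity: error
Text: The peer is not a configured server on this network interface
Peer-IP: 172.28.10.10:59238
Transport: TLS
Result-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
Data: fqdn="sbs01.domain.local"
$$end_record
TL_ERROR(TF_CONNECTION) [0]1DAC.056C::09/29/2014-08:47:02.095.000007ae (SIPStack,SIPAdminLog::WriteConnectionEvent:SIPAdminLog.cpp(460))[1674556973] $$begin_recordSeverity: error
Text: Receive operation on the connection failed
Local-IP: 172.28.10.10:60309
Peer-IP: 172.28.248.131:5061
Transport: M-TLS
Result-Code: 0x80072746
Data: fqdn="LYNCEDGE01.domain.local:5061";ip-address="172.28.248.131";peer-type="InternalServer";winsock-code="10054";winsock-info="The peer forced closure of the connection"
$$end_record
TL_INFO(TF_PROTOCOL) [0]1DAC.056C::09/29/2014-08:47:02.095.000007be (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[4039661650] $$begin_recordTrace-Correlation-Id: 4039661650
Direction: outgoing;source="local"
Peer: 172.28.91.102:6861
Start-Line: SIP/2.0 504 Server time-out
CSeq: 1 SUBSCRIBE
ms-diagnostics: 1039;reason="Failed to complete TLS negotiation with a peer server";fqdn="LYNCEDGE01.domain.local:5061";ip-address="172.28.248.131";peer-type="InternalServer";winsock-code="10054";winsock-info="The peer forced closure of the connection";source="SBS02.domain.local"
$$end_record
"""


def parse_kv(value):
    """'1039;reason="x";fqdn="y"' -> ('1039', {'reason': 'x', 'fqdn': 'y'}).
    A Data: value has no leading numeric code, so the code comes back empty."""
    code, _, rest = value.partition(";")
    if not code.isdigit():
        code, rest = "", value
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3).strip()
              for m in KV_RE.finditer(rest)}
    return code, params


def parse_records(text):
    """Split a trace into records: header fields plus every 'Key: value' line.
    A 'Start-Line:' with nothing after it takes the following line as its value."""
    records, cur, want_start = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if "$$begin_record" in line:
            head, _, line = line.partition("$$begin_record")
            m = HEAD_RE.match(head)
            level, flag, time, comp = m.groups() if m else ("", "", "", "")
            cur, want_start = {"level": level, "flag": flag, "time": time,
                               "component": comp, "fields": {}}, False
        if cur is None:
            continue
        if "$$end_record" in line:
            records.append(cur)
            cur = None
        elif want_start and line:
            cur["fields"]["Start-Line"], want_start = line, False
        else:
            m = FIELD_RE.match(line)
            if m and m.group(1) == "Start-Line" and not m.group(2).strip():
                want_start = True
            elif m:
                cur["fields"][m.group(1)] = m.group(2).strip()
    return records


def connection_failures(records):
    """Events worth alerting on: TL_ERROR connection records carrying a Result-Code,
    and SIP responses whose ms-diagnostics header names the unreachable peer."""
    events = []
    for r in records:
        f = r["fields"]
        if r["level"] == "TL_ERROR" and "Result-Code" in f:
            _, data = parse_kv(f.get("Data", ""))
            events.append({"time": r["time"], "peer": f.get("Peer-IP", ""),
                           "result": f["Result-Code"], "text": f.get("Text", ""),
                           "fqdn": data.get("fqdn", ""),
                           "winsock": data.get("winsock-info", "")})
        elif "ms-diagnostics" in f:
            code, data = parse_kv(f["ms-diagnostics"])
            events.append({"time": r["time"], "peer": f.get("Peer", ""),
                           "result": code, "text": data.get("reason", ""),
                           "fqdn": data.get("fqdn", ""),
                           "winsock": data.get("winsock-info", "")})
    return events


if __name__ == "__main__":
    for e in connection_failures(parse_records(SAMPLE_TRACE)):
        print(f'{e["time"]} peer={e["peer"]} {e["result"]}: {e["text"]} '
              f'[fqdn={e["fqdn"]} winsock={e["winsock"]}]')
```

Feed it a whole OCSLogger/CLS text export instead of SAMPLE_TRACE and group the events by fqdn: a single FQDN that only ever appears with SIPPROXY_E_CONNECTION_UNKNOWN_SERVER on the Edge and winsock 10054 on the Front End is the topology-replica mismatch described in this post, whereas a TLS failure with a certificate error text points at the certificate itself.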


Tuesday, September 9, 2014

Publishing Lync Topology Firewall Requirements (missing TCP Ports)

In a special scenario where I faced certain issues publishing the Lync Topology, with the Lync Front End Servers located in a sub domain, you need to open certain TCP ports to at least one root domain controller.

If you enable the Lync Topology, you might face these issues:

Error: The given key was not present in the dictionary.
Type: KeyNotFoundException

Error: An error occurred when attempting to add "computer" to "RTCGroupxxx"
Type: DeploymentException

CategoryInfo: InvalidOperation: ([0] Microsoft.R....Core.Service)
WebServer:pool.<fqdn> execution failed on an unrecoverable error.

Error: Cannot obtain the domain information for computer "Root DC fqdn". Please make sure the computer FQDN is correct.

Error: DsRoleGetPrimaryDomainInformation failed with error "6BA".

All that is missing are the firewall requirements for topology publishing (error 6BA is hexadecimal for 1722, RPC_S_SERVER_UNAVAILABLE, "The RPC server is unavailable").

If you are going to enable the Topology, you can use:
Enable-CsTopology [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-GlobalCatalog <Fqdn>] [-GlobalSettingsDomainController <Fqdn>] [-Report <String>] [-SkipPrepareCheck <$true | $false>] [-WhatIf [<SwitchParameter>]]

Here you can specify the following parameters:

GlobalCatalog: FQDN of a domain controller in the local domain
GlobalSettingsDomainController: FQDN of a domain controller in the root domain
SkipPrepareCheck: skips the prepare checks, e.g. schema prep or forest prep

Overview of all required TCP Ports:

While you publish the topology, a number of settings must be written at the root domain level.
E.g. we assume you also placed all RTC and CS groups, the Lync-relevant system groups, in the root domain.

 

During publishing the Topology changes are made here:


Root Domain:

- AD Configuration Partition: "CN=RTC Service,CN=Services,CN=Configuration,DC=<DOM>,DC=<DOM>"
Here the topology publishing writes all entries, e.g. pools, conference directories and more.
This change requires access via TCP ports 88 (Kerberos) and 389 (LDAP) only.

- Lync System Groups (CS and RTC): "CN=Users,DC=<DOM>,DC=<DOM>"
Here, during publishing, the groups, e.g. RTCComponentUniversalServices, RTCHSUniversalServices, RTCUniversalConfigReplicator and RTCUniversalServerAdmins, are filled with the Front End Server (for example) as group member.
This change requires access via TCP ports 139 and 445 (NetBIOS session/SMB) only.
(These ports are also used during the PrepareCheck and by the wizard's AD preparation check.)

- Other changes are written to the Lync share on the file server. Which ports this needs depends on where that server is located; you could also have placed it in the root domain.

Note:
After the topology is published, you no longer need these ports and can close them again until the next topology change.
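A pre-flight check for the port requirements above, as an added example in Python (not a script from the original post): it tries a TCP handshake from the Front End to the root-domain DC on each of the four ports and reports which AD operation of the topology publishing would fail for each port that does not answer. The host name rootdc01.corp.example is an assumption; pass your own DC as the first argument. The connect function is injectable so the logic can be exercised without a network.

```python
"""Pre-flight check before Enable-CsTopology / Publish-CsTopology from a Front End
in a child domain: is the root-domain DC reachable on the TCP ports the post
lists? Added example; the default host name is an assumption."""
import socket

# Port -> what topology publishing needs it for (from the post above)
ROOT_DC_PORTS = {
    88:  "Kerberos: write to CN=RTC Service in the Configuration partition",
    389: "LDAP: write to CN=RTC Service in the Configuration partition",
    139: "NetBIOS session: add the server to the RTC/CS groups (also PrepareCheck)",
    445: "SMB: add the server to the RTC/CS groups (also PrepareCheck)",
}


def tcp_connect(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within the timeout;
    False on refusal, timeout or any other socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_root_dc(host, ports=None, connect=tcp_connect):
    """{port: (reachable, purpose)} for every port in the table; 'connect' can be
    swapped for a stub in tests."""
    ports = ROOT_DC_PORTS if ports is None else ports
    return {p: (connect(host, p), why) for p, why in ports.items()}


def blocked_ports(results):
    """Sorted list of the ports that did not answer."""
    return sorted(p for p, (ok, _) in results.items() if not ok)


def report(results):
    """One line per port, ordered by port number."""
    return [f"{'open  ' if ok else 'FAILED'} tcp/{p:<3} {why}"
            for p, (ok, why) in sorted(results.items())]


if __name__ == "__main__":
    import sys
    root_dc = sys.argv[1] if len(sys.argv) > 1 else "rootdc01.corp.example"  # assumed name
    res = check_root_dc(root_dc)
    print("\n".join(report(res)))
    sys.exit(1 if blocked_ports(res) else 0)
```

A non-zero exit code makes the check usable as a gate in a deployment script; run it again after publishing if you close the ports, since the next topology change will need them back.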


Within the Lync Server AD Domain:

You find the ports and protocols for internal servers in Lync Server 2013 here: http://technet.microsoft.com/en-us/library/gg398833.aspx



Friday, August 29, 2014

Certificate requirements for internal Lync servers

Lync is quite strict in certificate validation. If you assign an incompatible certificate to Lync, it will run into serious issues.
This most likely happens if you use a dedicated certificate for each Lync service.
In particular, the Lync WebServicesInternal certificate cannot be requested correctly, neither with the Lync wizard nor with the Request-CsCertificate cmdlet.

The problem is that both methods request a certificate with a Subject Name of the internal web services FQDN rather than the pool FQDN.

Lync BUG:
The remote certificate is invalid according to the validation procedure. reason="The web ticket is invalid." ;faultcode="wsse:InvalidSecurityToken",Replace=false

In both TechNet and the help file the correct certificate is described. Therefore you need a valid process for requesting the correct certificate.

If you have a consolidated certificate for all services, this issue is not present, because the Subject Name then corresponds to the pool FQDN.

Below I post a Snooper trace of what happens with the wrong certificate.

You can simply reproduce this by running the Test-CsAddressBookService cmdlet.

Further Information:
Internal Certificate Deployment in Lync 2013 - How to and planning

Download Script: Requesting internal Lync Server Certificates


SUPPORT TEST result:

The test successfully demonstrated the issue we expected:
the test failed with a 401 Unauthorized error.

The Snooper analysis shows the chain of errors: the Front End cannot validate the certificate presented by lyncfe01.customer.com on port 443, therefore cannot fetch the issuer's web ticket signing token, therefore cannot validate the SAML assertion signature of the web ticket, and finally rejects the request with diagnostics code 28032, "The web ticket is invalid":
TL_ERROR(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.924.00352017 (WebInfrastructure,RemoteCertificateResolver.ResolveCertificate:remotecertficateresolver.cs(82))
(00000000030603DB)AuthenticationException. Remote certificate is not valid. <hostName, lyncfe01.customer.com> <port,443> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


TL_INFO(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.924.00352018 (WebInfrastructure,WebTicketRemoteSecurityTokenStore.EnsureIssuerSecurityToken:webticketremotesecuritytokenstore.cs(315))
(000000000289B908)Unable to ensure we have the SecurityToken from issuer lyncfe01.customer.com, port 443.

TL_VERBOSE(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.0035201e (WebInfrastructure,WebTicketRemoteSecurityTokenStore.GetSigningTokenByThumbprint:webticketremotesecuritytokenstore.cs(84))
(000000000289B908)Did not find <thumbprint, 12DF9402A814C3C5F099D3E1974959F5037FA8B8> in dictionary.

TL_INFO(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.0035201f (WebInfrastructure,WebTicketKeyStore.GetSigningTokenByThumbprint:webticketkeystore.cs(188))
Token not found in remote token store. <thumbprint, 12DF9402A814C3C5F099D3E1974959F5037FA8B8>

TL_ERROR(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.00352020 (WebInfrastructure,OCSAuthModule.BeginAuthenticateUser:iismodule.cs(827))[2147532902]
Exception: System.IdentityModel.Tokens.SecurityTokenException: Unable to resolve SecurityKeyIdentifier found in the SamlAssertion signature. The SamlAssertion signature can not be validated for the Issuer https://lyncfe01.customer.com/367030ae-f2fb-5c02-be25-fe905fabf83c.
   at System.IdentityModel.Tokens.SamlAssertion.ReadSignature(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver, SamlSerializer samlSerializer)   at System.IdentityModel.Tokens.SamlAssertion.ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)   at System.IdentityModel.Tokens.SamlSerializer.LoadAssertion(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)   at System.IdentityModel.Tokens.SamlSerializer.ReadToken(XmlReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)   at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSWebTicketCredentials.ExtractInstance(HttpRequest request)   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.BeginAuthenticateUser(Object sender, EventArgs e, AsyncCallback cb, Object state)

 
TL_ERROR(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.00352021 (WebInfrastructure,OCSAuthModule.BeginAuthenticateUser:iismodule.cs(940))[2147532902]
Exception: Microsoft.Rtc.Internal.WebServicesAuthFramework.WebTicketHttpHeaderException: Exception of type 'Microsoft.Rtc.Internal.WebServicesAuthFramework.WebTicketHttpHeaderException' was thrown.
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.BeginAuthenticateUser(Object sender, EventArgs e, AsyncCallback cb, Object state)
 

TL_INFO(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.00352023 (WebInfrastructure,OCSAuthModule.SetHttpResponseOnException:iismodule.cs(1572))[2147532902]
Set response for exception: Microsoft.Rtc.Internal.WebServicesAuthFramework.WebTicketHttpHeaderException: Exception of type 'Microsoft.Rtc.Internal.WebServicesAuthFramework.WebTicketHttpHeaderException' was thrown.
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.BeginAuthenticateUser(Object sender, EventArgs e, AsyncCallback cb, Object state)
 

TL_ERROR(TF_COMPONENT) [0]98CC.054C::08/26/2014-09:21:30.925.00352024 (WebInfrastructure,OCSAuthModule.AddMsDiagnosticsHeader:iismodule.cs(1714))[2147532902]
Add Ms-diagnostics header <errorId,28032> <reason,The web ticket is invalid.>

TL_INFO(TF_IIS) [0]98CC.054C::08/26/2014-09:21:30.925.00352026 (WebInfrastructure,CAuthHelperGlobalModule::DumpEvent:SslNgMod.cpp(16))[2147532902]
Event: 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83:0x0:56:GENERAL_SET_RESPONSE_HEADER, httpContext: 000000BFCEDFFE70, items: ContextId=null,HeaderName=X-Ms-diagnostics,HeaderValue=28032;source="lyncfe01.customer.com";reason="The web ticket is invalid.";faultcode="wsse:InvalidSecurityToken",Replace=false

TL_INFO(TF_IIS) [0]98CC.054C::08/26/2014-09:21:30.926.0035202a (WebInfrastructure,CAuthHelperGlobalModule::DumpEvent:SslNgMod.cpp(16))[2147532902]
Event: 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83:0x0:56:GENERAL_SET_RESPONSE_HEADER, httpContext: 000000BFCEDFFE70, items: ContextId=null,HeaderName=X-MS-WebTicketURL,HeaderValue=https://lyncfe01.customer.com/WebTicket/WebTicketService.svc,Replace=false

TL_INFO(TF_IIS) [0]98CC.054C::08/26/2014-09:21:30.926.0035202d (WebInfrastructure,CAuthHelperGlobalModule::DumpEvent:SslNgMod.cpp(16))[2147532902]
Event: 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83:0x0:56:GENERAL_SET_RESPONSE_HEADER, httpContext: 000000BFCEDFFE70, items: ContextId=null,HeaderName=X-MS-WebTicketSupported,HeaderValue=cwt,saml,Replace=false

If you wish to request a correct certificate, please copy and use my script:


#****************************************************
#*      (c) Thomas Poett, Microsoft MVP Lync        *
#*      contact: thomas.poett@live.de               *
#*                                                  *
#*  Frontend and Director Pool Certificate Request  *
#*           Version 1.2, 25.09.2014                *
#*                                                  *
#*      Certificate Template must be WebServer      *
#*      You need to know your internal CA Name      *
#*     or write script request into a local file    *
#*     Run Script for each required Certificate     *
#*                                                  *
#*    included are Scheduler + ucupdates-r2 FQDN    *
#*                                                  *
#*                                                  *
#* Not for Edge Server certificates                 *
#*                                                  *
#* BUG Warning:                                     *
#* Lync Wizard and Request-Certificate for Internal *
#* Web Service request a certificate with a wrong   *
#* Certificate Subject Name.                        *
#* This script addresses this issue correctly!      *
#****************************************************

#Collect necessary user input
$CAOnline = Read-Host 'Do you request your certificate online (Y/N)'
if ($CAOnline -eq 'Y')
    {
  $CA = Read-Host 'Certificate Authority (Format FQDN\CA)'
    }
   else
    {
  $Folder = Read-Host 'Folder e.g C:\CERTS (this folder must exist)'
    }

$Organization = Read-Host 'ORGANIZATION'
$City = Read-Host 'CITY'
$State = Read-Host 'STATE'
$Country = Read-Host 'COUNTRY (2 characters, e.g. DE)'
$ComputerName = $env:ComputerName+"."+$env:userdnsdomain

#Lync PS command gaining topology information
$SIP_ALL = Get-CsSipDomain | Select-Object -ExpandProperty Identity
$SIPString = ""
foreach($tempUrl in $SIP_ALL)
    {
 $SIPString = $SIPString + $tempUrl+","
    }

$SIPString = $SIPString.Substring(0,$SIPString.Length-1)
$DefaultSIPDomain = Get-CsSipDomain | where {$_.IsDefault -eq $true} | Select-Object -ExpandProperty Name

#Choose Certificate Type
$CertType = Read-Host 'Please provide the following number for the Certificate Service: 1= Default, 2= WebServicesInternal, 3= WebServiceExternal, 4= Consolidated, 5=WebServicesInternal+External'

  if ($CertType -eq 1)
      {
   Write-Host "Certificate is DEFAULT"
      $AutoLogin = Read-Host 'Auto Login Server for SIP? Y/N'
      if ($AutoLogin -eq "Y") 
          {
          #SIP.<SIPDomain> for AutoLogin
          $SANString =""
          foreach($tempUrl in $SIPString)
              {
              $SANString = $SANString + "SIP."+$tempUrl +","
              }
          $SANString = $SANString.Substring(0,$SANString.Length-1)
          Write-Host "Your SAN:"+$SANString
          if ($CAOnline -eq 'Y')
              {
     $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync Default" -Template WebServer -AllSipDomain -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              Set-CsCertificate -Type Default -Thumbprint $CERT.Thumbprint
              }
    else
              {
     $CAOnlineName = $Folder + '\' + $ComputerName + '-Default.cer'
     $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync Default" -Template WebServer -AllSipDomain -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
     }
          }
      else
       {
       #SIP.<SIPDomain> for NON AutoLogin
       Write-Host "Your SAN:" $SANString
    if ($CAOnline -eq 'Y')
           {
        $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync Default" -Template WebServer -AllSipDomain -City $City -Country $Country -Organization $Organization -State $State
           Set-CsCertificate -Type Default -Thumbprint $CERT.Thumbprint
           }
          else
           {
           $CAOnlineName = $Folder + '\' + $ComputerName + '-Default.cer'
           $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync Default" -Template WebServer -AllSipDomain -City $City -Country $Country -Organization $Organization -State $State
           }
        }
      }
   
 elseif ($CertType -eq 2)
      {
   Write-Host "Certificate is WebServicesInternal"
      #Lync PS command gaining topology information
      $SURL_ALL = Get-CsSimpleUrlConfiguration | Select-Object -ExpandProperty SimpleUrl | Select-Object -ExpandProperty ActiveUrl
      $SANString = ""
      foreach($tempUrl in $SURL_ALL)
          {
          $SANString = $SANString + $tempUrl.replace("https://","") +","
          }
#     $surlString = $SANString.Substring(0,$SANString.Length-1)
      $SANString = $SANString + "scheduler."+$DefaultSIPDomain +"," + ",ucupdates-r2."+$DefaultSIPDomain
           
      #LYNCDISCOVERINTERNAL
      foreach($tempUrl in $SIPString)
          {
          $SANString = $SANString + ",LyncDiscoverInternal."+$tempUrl
          }
          Write-Host "Your SAN:" + $SANString
          if ($CAOnline -eq 'Y')
              {
     #The type of DEFAULT is correct, the internal WebServiceFQDN must have a Subject Name (SN) of the Pool!! This is the described bug
     $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync WebServices Internal" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              Set-CsCertificate -Type WebServicesInternal -Thumbprint $CERT.Thumbprint
              }
    else
              {
     $CAOnlineName = $Folder + '\' + $ComputerName + '-WebServicesInternal.cer'
     $CERT = Request-CsCertificate -New -Type Default -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync WebServices Internal" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
           }
      }
     
     elseif ($CertType -eq 3)
          {
          Write-Host "Certificate is WebServicesExternal"
          #Lync PS command gaining topology information
          $SURL_ALL = Get-CsSimpleUrlConfiguration | Select-Object -ExpandProperty SimpleUrl | where {$_.Component -ne "Cscp"} | Select-Object -ExpandProperty ActiveUrl
          $SANString = ""
          foreach($tempUrl in $SURL_ALL)
              {
              $SANString = $SANString + $tempUrl.replace("https://","") +","
              }

          #Get External Web Service FQDN
          $Pool =  Get-CsPool | where {$_.Computers -eq $ComputerName}
          $WebServer = "WebServer:"+$Pool.Identity
          $ExtWebSrvURL = Get-CsService -Identity $WebServer | Select-Object -ExpandProperty ExternalFqdn
          $SANString = $SANString + $ExtWebSrvURL
           
          #LYNCDISCOVER
          foreach($tempUrl in $SIPString)
              {
              $SANString = $SANString + ",LyncDiscover."+$tempUrl
              }
          Write-Host "Your SAN:" + $SANString           
          if ($CAOnline -eq 'Y')
              {
              $CERT = Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync WebServices External" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              Set-CsCertificate -Type WebServicesExternal -Thumbprint $CERT.Thumbprint
              }
          else
              {
              $CAOnlineName = $Folder + '\' + $ComputerName + '-WebServicesExternal.cer'
              $CERT = Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync WebServices External" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              }
          }

     elseif ($CertType -eq 4)
          {
          Write-Host "Certificate is Consolidated"
           
          #Lync PS command gaining topology information
          $SURL_ALL = Get-CsSimpleUrlConfiguration | Select-Object -ExpandProperty SimpleUrl | Select-Object -ExpandProperty ActiveUrl
          $SANString = ""
          foreach($tempUrl in $SURL_ALL)
              {
              $SANString = $SANString + $tempUrl.replace("https://","") +","
              }
#         $surlString = $SANString.Substring(0,$SANString.Length-1)
          $SANString = $SANString + "scheduler."+$DefaultSIPDomain + ",ucupdates-r2."+$DefaultSIPDomain
           
          #LYNCDISCOVER and LYNCDISCOVERINTERNAL
          foreach($tempUrl in $SIPString)
              {
              $SANString = $SANString + ",LyncDiscoverInternal."+$tempUrl + ",LyncDiscover."+$tempUrl
              }
           
          #Get External Web Service FQDN
          $Pool =  Get-CsPool | where {$_.Computers -eq $ComputerName}
          $WebServer = "WebServer:"+$Pool.Identity
          $ExtWebSrvURL = Get-CsService -Identity $WebServer | Select-Object -ExpandProperty ExternalFqdn
          $SANString = $SANString + "," + $ExtWebSrvURL
                      
          $AutoLogin = Read-Host 'Auto Login Server for SIP? Y/N'
          if ($AutoLogin -eq "Y") 
             {
             #SIP.<SIPDomain> for AutoLogin
             foreach($tempUrl in $SIPString)
                 {
              $SANString = $SANString + ",SIP."+$tempUrl
                 }
             Write-Host "Your SAN: $SANString"
             if ($CAOnline -eq 'Y')
                 {
                 $CERT = Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
                 Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $CERT.Thumbprint
                 }
             else
                 {
                 $CAOnlineName = $Folder + '\' + $ComputerName + '-Consolidated.cer'
                 $CERT = Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
                 }
             }
          else
             {
             Write-Host "Your SAN: $SANString"
             if ($CAOnline -eq 'Y')
                 {
                 $CERT = Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
                 Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $CERT.Thumbprint
                 }
             else
                 {
                 $CAOnlineName = $Folder + '\' + $ComputerName + '-Consolidated.cer'
                 $CERT = Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
                 }
             }
          }
    

     elseif ($CertType -eq 5)
          {
          Write-Host "Certificate is WebServicesInternal+External"
           
          #Lync PS command gaining topology information
          $SURL_ALL = Get-CsSimpleUrlConfiguration | Select-Object -ExpandProperty SimpleUrl | Select-Object -ExpandProperty ActiveUrl
          $SANString = ""
          foreach($tempUrl in $SURL_ALL)
              {
              $SANString = $SANString + $tempUrl.replace("https://","") +","
              }
#         $surlString = $SANString.Substring(0,$SANString.Length-1)
          $SANString = $SANString + "scheduler."+$DefaultSIPDomain + ",ucupdates-r2."+$DefaultSIPDomain
           
          #LYNCDISCOVER and LYNCDISCOVERINTERNAL
          foreach($tempUrl in $SIPString)
              {
              $SANString = $SANString + ",LyncDiscoverInternal."+$tempUrl + ",LyncDiscover."+$tempUrl
              }
           
          #Get External Web Service FQDN
          $Pool =  Get-CsPool | where {$_.Computers -eq $ComputerName}
          $WebServer = "WebServer:"+$Pool.Identity
          $ExtWebSrvURL = Get-CsService -Identity $WebServer | Select-Object -ExpandProperty ExternalFqdn
          $SANString = $SANString + "," + $ExtWebSrvURL
           
          Write-Host "Your SAN: $SANString"
          if ($CAOnline -eq 'Y')
              {
              $CERT = Request-CsCertificate -New -Type WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -CA $CA -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              Set-CsCertificate -Type WebServicesInternal,WebServicesExternal -Thumbprint $CERT.Thumbprint
              }
          else
              {
              $CAOnlineName = $Folder + '\' + $ComputerName + '-WebServicesInternalExternal.cer'
              $CERT = Request-CsCertificate -New -Type WebServicesInternal,WebServicesExternal -ComputerFqdn $ComputerName -Output $CAOnlineName -FriendlyName "Lync Consolidated" -Template WebServer -DomainName $SANString -City $City -Country $Country -Organization $Organization -State $State
              }
          }

    #No valid certificate type was chosen: say so and stop, instead of falling through to the status messages below
    else {Write-Host "Your input is not valid! - EXIT"; exit}

if ($CAOnline -eq 'Y')
    {
    Write-Host "Your certificate as requested is assigned (as far as you did not see any related issues)."
    }
else
    {
    Write-Host "Your Certificate Request is stored here: " $CAOnlineName
    Write-Host "Please order the Certificate and assign it manually to the Lync Services"
    }

if ($CAOnline -eq 'Y')
    {
    $RestartLyncService = Read-Host 'Do you want to restart your Lync Services? Y/N'
    if ($RestartLyncService -eq "Y")
        {
        Stop-CsWindowsService
        Start-CsWindowsService
        }
    else {Write-Host "Please RESTART your Lync Services (Stop-CsWindowsService and Start-CsWindowsService)."}
    }

# ++++ END of SCRIPT ++++
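A check the script itself does not perform, added here as an example and not part of the original script: after Set-CsCertificate has assigned a certificate, confirm that the certificate really carries every name that was passed in -DomainName, so a CA that silently dropped a SAN entry (a common cause of LyncDiscover or Simple URL failures) is caught before the services are restarted. It assumes the Lync Management Shell is loaded (Get-CsCertificate) and reuses the script's $SANString; the function names Get-CertificateDnsNames and Test-LyncCertificateSan are my own.

```powershell
# Added example, not part of the original script.
# Assumes: Lync Management Shell loaded (Get-CsCertificate) and $SANString from the script.

function Get-CertificateDnsNames {
    # Return the DNS names from the Subject Alternative Name extension (OID 2.5.29.17),
    # lower-cased so that the comparison below is case-insensitive.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $san) { return @() }
    # Format($true) prints one entry per line, e.g. "DNS Name=lyncdiscover.contoso.com"
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLower() }
    }
}

function Test-LyncCertificateSan {
    # Compare the names on the certificate with the comma-separated list the script
    # handed to Request-CsCertificate -DomainName, and report what is missing.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$RequiredSan
    )
    $required = $RequiredSan -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
    $present  = @(Get-CertificateDnsNames -Certificate $Certificate)
    $missing  = @($required | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Expires = $Certificate.NotAfter
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Usage on the Lync server once the script has assigned the certificate(s):
# look up each assigned type in the local machine store and verify its SAN list.
foreach ($type in 'Default','WebServicesInternal','WebServicesExternal') {
    $assigned = Get-CsCertificate -Type $type -ErrorAction SilentlyContinue
    if (-not $assigned) { continue }
    $cert   = Get-Item "Cert:\LocalMachine\My\$($assigned.Thumbprint)"
    $result = Test-LyncCertificateSan -Certificate $cert -RequiredSan $SANString
    if ($result.Ok) { Write-Host "$type OK - covers all requested names, expires $($result.Expires)" }
    else { Write-Warning "$type is missing SAN entries: $($result.Missing -join ', ')" }
}
```

Get-CertificateDnsNames works on any X509Certificate2, so the same check can be run against a certificate file received from an offline CA before it is imported and assigned.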