Authentication Process
Topic Last Modified: 2016-04-27
In Microsoft Lync 2010, some IP phones support personal identification numbers (PINs) and certificate authentication, some support NTLM and certificate authentication, and some support both, as described in the following table. To authenticate, the device sends user credentials to Web Services as part of an authentication request. In the case of NTLM authentication, the credentials are the domain user name and password. In the case of PIN authentication, the credentials are the phone number and the PIN. In both cases, the client’s Lync certificate, which is obtained in the previous step, is used to negotiate the security of the communication channel for all subsequent communications.
| Phone | PIN authentication | NTLM authentication |
|---|---|---|
Aastra 6721ip common area phone |
Yes |
No |
Aastra 6725ip desk phone |
Yes |
Yes |
HP 4110 IP Phone (common area phone) |
Yes |
No |
HP 4120 IP Phone (desk phone) |
Yes |
Yes |
Polycom CX500 IP common area phone |
Yes |
No |
Polycom CX600 IP desk phone |
Yes |
Yes |
Polycom CX700 IP desk phone |
Yes |
|
Polycom CX3000 IP conference phone |
Yes |
Yes |
Note
If two users enter the same phone number, their PIN is used to disambiguate them. If a phone number + PIN pairing is not unique, the phone number and extension is used to disambiguate. Phone number + extension must always be unique. This scenario might occur when the PIN is first set, rather than during authentication, however, it is worth understanding in the context of PIN authentication.
Issue 1: User’s Account Is Locked (Applies to Aastra 6725ip, HP 4120, and Polycom CX600)
Issue: The maximum number of attempts have been made to authenticate using incorrect PIN for the user. The number of retries that are allowed is set in the PIN policy for the site or the user.
Resolution: After the user has incorrectly entered her PIN more than the number of allowed retries, the account can only be unlocked by an administrator on the Lync 2010. An administrator can unlock the account for that user by using Lync Server Control Panel. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync 2010 administrative role, the administrator cannot connect in Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user to view the user's settings, and then reset the user's PIN.
Alternately, the user can reset her PIN on the Dial-in Conferencing Settings webpage. To open the Dial-in conferencing Settings webpage, do one of the following:
In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.
In Microsoft Lync 2010, click Menu, click Tools, and then click Dial-in Settings.
In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.
After the user resets the PIN, the user can reenter the correct PIN on the device and authentication continues.
Issue 2: PIN has expired (Applies to Aastra 6725ip, HP 4120, and Polycom CX600)
Issue: The PIN for the user’s account has expired. PIN expiration is set in the PIN policy for the site the user is homed on or for a specific user.
Resolution: PIN expiration is one of the attributes of the PIN policy assigned to the site or user. To determine what the PIN policy is for the user, you need to log on as a member of a Lync 2010 administrative role. For details, see Role-Based Access Control in the Planning documentation. First, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync 2010 administrative role, the administrator cannot connect.
If the PIN has expired, reset the user’s PIN. In Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user to view the user's settings, and then reset the user's PIN.
Alternately, users can reset their PIN on the Dial-in Conferencing Settings webpage. To open the Dial-in Conferencing Settings webpage, do one of the following:
In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.
In Microsoft Lync 2010, click Menu, click Tools, and then click Dial-in Settings.
In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.
After the PIN is reset, the user can reenter the correct PIN on the device and authentication continues.
Issue 3: User doesn’t have a PIN (Applies Aastra 6725ip, HP 4120, and Polycom CX600)
Issue: The user does not have a PIN that the user can use to authenticate.
Resolution: Create a PIN for the user. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync 2010 administrative role, the administrator cannot be able to connect.
In Lync Server Control Panel, click User, and then type the user name in the search field. In the search results, double-click the user to view the user's settings, and set the user's PIN.
Alternately, the user can set his PIN on the Dial-in Conferencing Setting webpage. To open the Dial-in Conferencing Settings webpage, do one of the following:
In the Microsoft Outlook messaging and collaboration client, click Conferencing item and then click Dial-in Settings.
In Microsoft Lync 2010, click Menu, click Tools, and then click Dial-in Settings.
In a meeting invitation, click Find a Local Number or Forgot your dial-in PIN.
After the PIN is reset, the user can reenter the correct PIN on the device and authentication continues. You can provide the new PIN to the user (for example, in an email message). After the user has received his new PIN, he enters this value along with his phone number into the device and then he can authenticate.
Issue 4: Ambiguous Phone Number. (Applies to Aastra 6725ip, HP 4120, and Polycom CX600)
Issue: The phone number entered by the user on the device is not unique or cannot be attributed to a specific user.
Resolution: Reset the phone number for the user. To do this, connect to the Lync Server Control Panel. If the administrator is not a member of a Lync 2010 administrative role, the administrator cannot connect.
In Lync Server Control Panel, click User, and then type the user's name in the search field. In the search results, double-click the user's name to view the user's settings, and they type the new phone number in the Line URI field. To save your changes, click Commit. Send the new phone number to the user. After the user has received the new phone number, the user should enter this value, along with a PIN, into the device and be able to authenticate.
Note
If two users enter the same phone number, their PINs are used to disambiguate them. If a phone number + PIN pairing is not unique, the phone number and extension are used to disambiguate. Phone number + extension must always be unique.
Issue 5: Multiple Devices Are Having Problems with PIN Authentication (Applies to Aastra 6725ip, HP 4120, and Polycom CX600)
Issue: This indicates a problem on the server side, rather than with a specific user. To determine the source of the problem, open the Lync Server Management Shell and run the test-OcsAuth cmdlet. Only an administrator with the CsVoiceAdministrator role or the CsAdministrator role have sufficient administrator rights and permissions to run the test-OcsAuth cmdlet. For details about the Lync 2010 administrative roles, see Role-Based Access Control in the Planning documentation.
Resolution: Run the following synthetic transaction:
$cred = get-credential
test-CsClientAuth -UserSipAddress <SIP address> -UserCredential $cred -TargetFQDN
Do not specify TargetFQDN if you want DHCP discovery to be used. If not, provide the destination FQDN into the synthetic transaction and DHCP discovery will be bypassed.
The output shows you at what point authentication failed. For example, the DHCP discovery message might not receive a response. Follow the directions in the transaction output to resolve the problem.
Issue 6: User Cannot Sign In to Lync Server
Issue: A user enters their valid credentials (whether they use a PIN and phone number on an Aastra 6721ip, Aastra 6725ip, HP 4110, HP 4120, Polycom CX500, or Polycom CX600 or a domain user name and password on Polycom CX700), however, Lync is unable to sign in the user. The user is not enabled for unified communications (UC). The device displays a message similar to the following: "Cannot sign in. Your sign-in address is incorrect or your account is not set up."
Resolution: Enable the user for Lync 2010. To do this, open to the Lync Server Control Panel. If the administrator is not a member of a Lync 2010 administrative role, the administrator cannot connect.
In Lync Server Control Panel, click User, and then type the user name in the search field. In the search results, double-click the user to view the user's settings, and then select the Enabled for Lync 2010 check box. Under Telephony, select Enterprise Voice and then type the user’s phone number in the Line URI field. If necessary, change the user's dial plan policy. To save your changes, click Commit.
When the user reenter her credentials into the device, she can authenticate and log on again. This time the user is able to log on to Lync 2010.
Issue 7: Certificate Publication Fails
Issue: The get-and-publish request for the user’s certificate can fail if the Registrar is unable to publish the user’s certificate to User Services. The device will not receive the user’s certificate, and the user will not be able to log on and must start again.
Resolution: Verify that Web Services is able to generate and publish a certificate for the user, by running the following synthetic transaction:
$cred = get-credential
test-CsClientAuth -UserSipAddress <sip address> -UserCredential $cred -TargetFQDN
If you want to use DHCP discovery, do not specify TargetFQDN. If you do not want to use DHCP discovery, provide the destination FQDN in the synthetic transaction and DHCP discovery will be bypassed.
The output shows you at what point authentication failed. For example, the DHCP discovery message might not receive a response. To resolve the problem, follow the directions in the transaction output.
If this succeeds, restart the device and have the user try to authenticate again. If it fails, resolve the problem indicated.