Lync Client Prompts for Credentials when Connecting to Exchange Services
During our migration from Office Communications Server 2007 R2 to Lync Server 2010, we ran into this issue.
Environment
Microsoft Windows Server 2008 R2
Microsoft Lync Server 2010 Enterprise
Microsoft Exchange Server 2010
Microsoft Windows 7
Microsoft Lync 2010
Cisco ACE Hardware Load Balancer (Exchange 2010 CAS HLB)
Problem
After a Lync 2010 user account would sign into the Lync environment, with a Lync client, the user would be presented with an Exchange services sign-in prompt.
The account used here for testing was a fresh test account created with an Exchange 2010 mailbox and enabled for Lync 2010; it was not migrated from Exchange 2007 or Office Communications Server 2007 R2. The prompt appeared whether DOMAIN\User.Name or User.Name@DOMAIN.edu was entered as the User Name. After typing in the password, you were immediately presented with the sign-in prompt again, and it would not go away unless you canceled it. Once the prompt was canceled, you could see that the Exchange integrated services were not working: the red ! was displayed in the Lync client, and the Configuration Information window showed that EWS (Exchange Web Services) was not available and reported Exchange Connection Down.
<Hold down the CTRL key and right-click the Lync icon in the system tray -> click Configuration Information>
Troubleshooting
I did some initial troubleshooting work on this and captured traffic with Wireshark, Netmon, and Fiddler2. What I found from these tools was that the first HTTP CONNECT for the Autodiscover service went to the root domain, which was not found…
…so then it would look for the Autodiscover DNS record and this was not found either, since we are not using the autodiscover DNS A record…
…then it would move on and look for the Autodiscover SRV record, find that we had this pointed to mail.DOMAIN.edu, and successfully resolve that DNS A record…
So far everything looked fine, and could also be verified using https://www.testexchangeconnectivity.com/.
After that point is when the authentication prompt would come. At first glance, I didn’t notice anything in the network traffic that followed that would be causing the issue. Somewhere during my troubleshooting, I went ahead and opened a ticket with Microsoft on this issue; I knew I could work this out, but didn’t want to hold up the migration to Lync 2010 over it. I had just sent my troubleshooting results to Microsoft and gotten all of the support personnel up to date on the issue when I had a breakthrough.
Resolution
I had a scheduled conference with the Microsoft Lync 2010 and Exchange 2010 support teams the next day, but I decided to look over the Wireshark logs again. What stood out were the multiple Kerberos authentication attempts at the moment the Exchange Services Sign-In prompt appeared. This stood out because we were hardware load balancing our Exchange 2010 CAS array and were forcing NTLM authentication (we hadn’t configured Kerberos), so the client should not have been attempting Kerberos at all.
When we had moved to Exchange 2007 and set up OCS 2007 R2, I followed this article to resolve issues with the Exchange Services Sign-In pop-up in Communicator:
I had also followed that article to configure our Exchange 2010 CAS servers to force the NTLM authentication, but this alone did not resolve the issue this time.
Over the past 6 months to 1 year, we had gone from an Exchange 2003 Environment, to Exchange 2007 with a single Exchange 2007 CAS server, to HLB Exchange 2007 CAS, and finally the current setup, HLB Exchange 2010 CAS.
Considering the upgrades and migrations we had gone through, I figured something may have messed up along the way. I logged into one of our new Exchange 2010 CAS servers and checked the Service Principal Names (SPN) for that server, and then for the other active Exchange 2010 CAS. Everything looked good on those two, so then I decided to check the SPNs for all of the Exchange 2007 CAS servers that had been retired.
I checked the SPNs using the following command:
setspn -l <servername>
This is where I found the problem. When I put in the server name of the single Exchange 2007 CAS server we used to have set up, I found SPNs registered to:
http/autodiscover.DOMAIN.edu
http/mail.DOMAIN.edu
Exchange had already been decommissioned and uninstalled from that server, but AD still had SPNs tied to its computer account. In our case, since we did not have Kerberos configured and our Exchange 2010 CAS servers were behind the HLB, we should not have had any SPNs for those names at all. Even if we had been using a single CAS server and wanted the SPNs registered to it, these would still have caused problems, because they pointed at a retired Exchange CAS server: a client that found the SPN would request a Kerberos ticket for a host that no longer served the name.
Next, I removed both SPNs by using the following:
setspn -d http/autodiscover.DOMAIN.edu <CASServerName>
setspn -d http/mail.DOMAIN.edu <CASServerName>
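The check above was done host by host with setspn -l. The following PowerShell script is an added example, not part of the original post, that does the same audit the other way around: starting from the names the Lync client reaches through Autodiscover (the autodiscover host and the target of the _autodiscover._tcp SRV record, mail.DOMAIN.edu here), it asks Active Directory which accounts hold the matching HTTP SPNs and flags any holder that is not a currently active CAS. DOMAIN.edu, CAS01 and CAS02 are placeholders; it assumes the ActiveDirectory module from RSAT is installed, and uses Resolve-DnsName only if the DnsClient module is present.

```powershell
# Added example (not from the original post): find stale HTTP SPNs for the
# Exchange namespace names that Lync/Autodiscover will contact.
# Placeholders: DOMAIN.edu, CAS01, CAS02. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

$Domain    = 'DOMAIN.edu'
$ActiveCas = @('CAS01', 'CAS02')   # hosts that currently run the Exchange 2010 CAS role

# Names the client will try: the autodiscover host, plus whatever the
# _autodiscover._tcp SRV record points at (mail.DOMAIN.edu in the post).
$Names = @("autodiscover.$Domain")
if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) { $Names += $r.NameTarget }
} else {
    $Names += "mail.$Domain"   # fallback when the DnsClient module is not available
}

foreach ($name in ($Names | Select-Object -Unique)) {
    $spn = "http/$name"
    # Whichever account holds this SPN is the one the KDC will issue tickets for,
    # so every holder must be a live CAS (or, with NTLM-only HLB CAS, nobody at all).
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if (-not $holders) {
        "$spn : no SPN registered (expected for an NTLM-only, load-balanced CAS array)"
        continue
    }
    foreach ($h in $holders) {
        if ($ActiveCas -contains $h.Name) {
            "$spn : registered to active CAS $($h.Name)"
        } else {
            Write-Warning "$spn : registered to $($h.Name), which is not an active CAS. Remove with: setspn -D $spn $($h.Name)"
        }
    }
}
```

Running it after the cleanup should report "no SPN registered" for both names. The same forest-wide question can also be asked with the built-in tool, one name at a time, using setspn -Q http/mail.DOMAIN.edu, which prints the account holding the SPN; the script only adds the comparison against the list of servers that are actually supposed to be serving the name.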
After removing those records, I signed out of my Lync 2010 client, and signed back in. I waited about 15 seconds and the pop-up never came. I checked the Lync configuration information and found that the client had connected to Exchange successfully.
Needless to say, I let Microsoft support know I had resolved the issue and canceled the ticket, then I continued on with the migration to Lync 2010. What’s interesting is that we didn’t have this problem in OCS 2007 R2. I’m not sure why things were working OK with OCS (since the CAS causing the issues had been retired for about 6 months or so), but we definitely were not getting this pop-up until signing into Lync.
