“No available Servers to connect to” when trying to view user PIN status.

Recently, someone asked me if I could check his PIN. Usually, I instruct the user to change his PIN in the Dialin Web Page, but in this case, since Lync Control Panel was already open, I check the PIN Status:

UserPINStatus01

Request failed with error No available Servers to connect to:

UserPINStatus02

The only error was managing the user PIN, so I had to wait for a off-peak to do some troubleshooting.

The first step was to get the user PIN status in Lync PowerShell, running the debug option:

Get-CsClientPinInfo -Identity david.paulino -debug

UserPINStatus03

Basically, Lync Server is saying that no server was found in the pool to connect. This was strange since all servers in the pool are up and running. No Warnings/Errors in Event Viewer.

For those who do troubleshooting, it’s really hard to find the cause when you don’t have any explicit error.

I checked Topology, Certificates, DNS records, and everything looked OK.

Before doing some extreme measures, like rebuilding Web Components, I decided to have a look in IIS Site Bindings.

UserPINStatus04

On internal site:

UserPINStatus05

External Site with the same setting:

UserPINStatus06

Both Internal and External Site were listening in 10.0.0.67, which is the Front End IP Address. This seemed strange, so I checked in another Lync Server 2013 environment and it was listening on all interfaces. The next step was obvious: change the listening setting, so IIS would listen on all interfaces.

UserPINStatus11

After changing in all web sites, I got this result on internal site:

UserPINStatus07

And on the external:

UserPINStatus08

After applying both settings, it was possible once again to check the user PIN status in Lync Control Panel:

UserPINStatus09

I also tested in the Lync PowerShell, just so to make sure:

UserPINStatus10

In conclusion, I believe there is a connection to the loopback interface while managing user PIN. Moreover, if IIS isn’t listening on loopback interface, the error No available Servers to connect to is displayed.

Installing private CA root certificate on iOS devices

This isn’t related to Lync or OCS, but we see people having a hard time to install root CA certificates on iOS devices (iPhone/iPad).

While it’s recommended to use public certificates for Lync Mobility, sometimes we are just doing some tests to show to decision makers. Another case is a company that only deployed Lync Mobility internally and doesn’t want to spend on a public certificate.

Sending the root CA to an email account won’t work. We recommend you follow the next steps:

Step 1 – Export root CA certificate

The first thing is to obtain the certificate. We can do this by browsing our CA or exporting it from our PC.

Method A: Internal CA website

In this case http://dc.lync2013.uclobby/certsrv/ in Internet Explorer.

iOSCert01

Select Download a CA certificate, certificate chain or CRL, and then click Download CA certificate.

iOSCert02

Method B: Using MMC Certificate Snap-in

Open MMC and add the Certificate Snap-In. Expand Trusted Root Certification Authorities and select Certificates and the CA certificate and Export it.

iOSCert03

In the File Format select DER.

iOSCert04

After selecting the file destination path, we will get the following windows:

iOSCert05

iOSCert06

Step 2 – Importing CA to OneDrive

Open Internet Explorer and browse http://OneDrive.com.

Select the right folder and select Upload:

After uploading the file, the following message will be displayed:

iOSCert08

Step 3 -Installing the root CA certificate

Now in your iOS device, open Safari, browse http://OneDrive.com, and find the root CA certificate file.

iOSCert09

Download the file and, when it completes, we will be prompted to install:

iOSCert10

Since this is a private root CA, iOS wont trust it. Selecting Install will show a warning and we need to confirm again to install the certificate.

iOSCert11

After choosing the Install option, the private root CA certificate is now trusted by our iOS device.

iOSCert12

Important note: Don’t use OneDrive app to download the certificate, or it will give an error message:

iOSCert13

Step 4 – Check if the root CA certificate is installed

The root CA certificates will be stored as profiles. To view all the certificates installed, go to Settings General Profiles:

iOSCert14iOSCert15

Note: This option will only appear below the VPN settings if we have at least one certificate installed.

As a final note, it’s important to say that these steps aren’t the only way to do this. Still, they certainly are a practical way to successfully install the root CA certificate on iPhone or iPad.

Lync 2013: EWS has not fully initialized

Recently I had to troubleshoot an issue regarding EWS and Lync 2013 Client integration.

In the Lync 2013 Client Configuration Information window, EWS URLs were empty and the status message was EWS has not fully initialized and MAPI Status OK.

EWSFully01

Lync 2013 Client was internal, therefore the conversations were stored in the Outlook Conversation History folder. However, there are some features that depend directly on EWS, such as voice mail integration in the Voice tab. In the next print we can see that the Voice Mail feature is missing:

EWSFully02

One important information is that SIP and SMTP Domains were different, and there wasn’t any issue connecting to Lync or Exchange.

Using Microsoft Remote Connection Analyzer (https://testconnectivity.microsoft.com/), Exchange Autodiscover passed the test with some irrelevant warnings.

In Lync 2010 Client, users were asked to trust the autodiscover certificate:

EWSFully03

This happens because Lync Client will trust certificates from the same domain as our SIP domain, even though it asks for confirmation when the domain of the certificate is changed:

SIP domain SMTP domain Trust
lync2013.uclobby lync2013.uclobby Yes
lync2013.uclobby exchange2013.uclobby No

Just for fun I removed the Lync 2013 Client updates and returned to 15.0.4517.1504 (August 2013 CU). After signing in, the following popup message was displayed:

EWSFully04

In this case, the solution was to tell Lync to trust the other domain, by adding the following key to the registry:

reg add HKLMSoftwarePoliciesMicrosoftOffice15.0Lync /v TrustModelData /t REG_EXPAND_SZ /d exchange2013.uclobby /f

For more information check this:

http://support.microsoft.com/kb/2833618

After adding the registry key, just restart Lync Client and the EWS status will change to EWS Status OK. Since Lync 2013 Client can connect now to EWS in the voice tab, it will list our voice mails:

EWSFully05