Lync Web App and Google Chrome

There was a recent update to Lync Server 2013 (including Lync Server 2013 as found in Office 365) that included a new error page for Chrome users.

It appears that Google dropped support for some older APIs that have been deprecated in Chrome. The APIs were for QuickDraw and Carbon.

While I have not had the experience of seeing the error page, I have heard that it reads:

Lync Web App

Google Chrome no longer supports Lync Web App

To join the meeting:

1. Copy the meeting URL

2. Open Internet Explorer or Firefox

3. Paste the URL in address bar, and hit Enter

UPDATE (Dec 15, 2014): Microsoft posted something on this issue last night.

http://blogs.technet.com/b/dodeitte/archive/2014/12/15/lync-server-2013-december-2014-cumulative-update-lync-web-app-amp-google-chrome.aspx

And another UPDATE today (Dec 17, 2014): http://support2.microsoft.com/kb/3025563


Skype for Business

In case you missed the announcement, Lync is being rebranded.

In the first half of 2015, Skype for Business will be released. An updated server component, new features for the on-premises, hybrid, and cloud versions will be released, and a new client will be released for business users. It will be an interesting time.

Read more at the Microsoft Office Blog.

For those that are into hash tagging, the unofficial hash tag is #skype4b

Keep an eye out on the Microsoft Office Blog for more information as it is released.


POODLE and the Impact on Lync–The Registry Settings

In case you haven’t heard from the many sources out there, not only does SSL 2.0 have multiple vulnerabilities, but SSL 3.0 is also vulnerable. For more information about POODLE and the impact on Lync, check Richard Brynteson’s blog here.

The key to the madness is that we don’t need SSL 2.0 or SSL 3.0, and we should protect ourselves from known vulnerabilities in SSL.

The easy fix is to make a few changes in the registry in Windows and then restart the servers to make sure that SSL 2.0 and 3.0 are not used.

Take the following text, copy it and save the file as a .reg file, and then import it into the registry. Restart the server, and you are done.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Or, just download my file here.
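To confirm that the import landed on every server, the following added example (not part of the original post or the downloadable file) reads the SCHANNEL protocol keys back and compares them with the values in the .reg file above. The variable names and the three state labels are choices made for this example.

```powershell
# Added example: compare the live SCHANNEL protocol keys with the .reg file values.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Intended "Enabled" value per protocol, copied from the .reg file in this post.
$expected = [ordered]@{
    'SSL 2.0' = 0; 'SSL 3.0' = 0
    'TLS 1.0' = 1; 'TLS 1.1' = 1; 'TLS 1.2' = 1
}

$report = foreach ($protocol in $expected.Keys) {
    foreach ($role in 'Client', 'Server') {
        $path  = "$base\$protocol\$role"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        # A missing key or value means the import did not reach this subkey.
        $enabled  = if ($props) { $props.Enabled } else { $null }
        $disabled = if ($props) { $props.DisabledByDefault } else { $null }

        if ($null -eq $enabled -or $null -eq $disabled) {
            $state = 'NotConfigured'
        } else {
            $wantEnabled  = $expected[$protocol]
            $wantDisabled = 1 - $wantEnabled   # the .reg file always sets the two values opposite
            # Any non-zero DWORD counts as "on".
            $ok = ([int]($enabled -ne 0) -eq $wantEnabled) -and
                  ([int]($disabled -ne 0) -eq $wantDisabled)
            $state = if ($ok) { 'Compliant' } else { 'Mismatch' }
        }

        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabled
            State             = $state
        }
    }
}

$report | Format-Table -AutoSize

# Summarise anything that still needs attention.
$bad = @($report | Where-Object { $_.State -ne 'Compliant' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) SCHANNEL setting(s) do not match the .reg file on $env:COMPUTERNAME."
}
```

The script only reads the registry; the values take effect after the restart described above.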


OWAS Configuration and -CertificateName

I downloaded my certificate and was working on configuring an Office Web App Server 2013 Farm. As I was running the New-OfficeWebAppsFarm cmdlet, I received an error as I was using the Subject Name of the certificate for the -CertificateName option as shown here, along with the results of the command saying that it doesn’t work.

New-OfficeWebAppsFarm -internalurl "https://owas.infrastructurehelp.com" -externalurl "https://owas.infrastructurehelp.com" -certificatename "owas.infrastructurehelp.com"

New-OfficeWebAppsFarm : Office Web Apps was unable to find the specified certificate.
At line:1 char:1
+ New-OfficeWebAppsFarm -internalurl "https://owas.infrastructurehelp.com" -externalurl "ht …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [New-OfficeWebAppsFarm], ArgumentException
    + FullyQualifiedErrorId : CertificateNotFound,Microsoft.Office.Web.Apps.Administration.NewFarmCommand

The option wants the Friendly Name for the certificate, but the certificate didn’t have one. In the Friendly Name field, if you looked at the Certificate by using the Certificates MMC, it showed “<None>” in the field.

The installation docs are pretty clear that it is supposed to be the Friendly Name. Hey, what can I say other than, I just wanted to try and see if it would accept another method of identifying the certificate in the store if there isn’t a Friendly Name. So, I tried using several different variations for the Friendly Name. I tried leaving it blank, I tried using a space between quotes, and I tried a few other methods, but none of them worked. It was kind of a bit of fun on my part to see if I could make it work.

Finally, I broke down, and selected the properties of the certificate in the MMC and entered OWAS.  Of course, it worked perfectly when I used that Friendly Name.

Yeah, I could have saved a couple of minutes if I had taken this step earlier, but I really enjoy experimenting.
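The same fix can be scripted instead of done through the MMC. This is an added example, not from the original post: it looks up the certificate by the subject used above, sets the Friendly Name only if it is empty, and then passes that name to New-OfficeWebAppsFarm. It assumes the certificate sits in the computer's Personal store and that the session is elevated; the variable names are illustrative.

```powershell
# Added example: give the certificate a Friendly Name, then create the farm with it.
$subjectCn    = 'owas.infrastructurehelp.com'   # subject name used in this post
$friendlyName = 'OWAS'                          # Friendly Name the post ends up using

# Candidates: matching subject CN, private key present, not yet expired.
$cnPattern  = "CN=$([regex]::Escape($subjectCn))(,|$)"
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match $cnPattern -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
})

if ($candidates.Count -eq 0) {
    throw "No unexpired certificate with a private key found for CN=$subjectCn."
}
if ($candidates.Count -gt 1) {
    $candidates | Format-List Subject, Thumbprint, NotAfter, FriendlyName
    throw "More than one certificate matches CN=$subjectCn; remove or rename the extras first."
}

$cert = $candidates[0]

# This is the "<None>" case from the post: the property is empty, so set it.
if ([string]::IsNullOrWhiteSpace($cert.FriendlyName)) {
    $cert.FriendlyName = $friendlyName
}

# Precaution: make sure the name identifies exactly one certificate in the store.
$sameName = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $cert.FriendlyName })
if ($sameName.Count -ne 1) {
    throw "Friendly Name '$($cert.FriendlyName)' is used by $($sameName.Count) certificates."
}

New-OfficeWebAppsFarm -InternalUrl "https://$subjectCn" -ExternalUrl "https://$subjectCn" `
    -CertificateName $cert.FriendlyName
```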


What Computer is Being Used to Connect to Lync?

One of my users came to me complaining that he was logging out of his computer at the end of the day, but when he would come in the next day, he would often have emails showing that others were trying to IM. He did a little digging and found out that he was showing as away, even though he was logged out of his computer.

Well, logic dictates that Lync is awesome and doesn’t screw up. So, that means that he must have been logged in on another computer. The question is, how do you find what computer has his session running?

So, to help this ONE person, I spent a couple of hours and put this script together and tested it. You can just change the $UserName variable, and it will do the rest. The code is below.

CLS

# The name information below may need to be changed to include the SIP Suffix.
$UserName = "russ.kaufmann"

# Use the first Front End server in the user's primary pool; its local RTCLOCAL instance is queried below.
$FirstPriority = Get-CsUserPoolInfo $UserName | Select -ExpandProperty PrimaryPoolMachinesInPreferredOrder | Select fqdn -First 1
$ServerName = $FirstPriority.fqdn

# $UserName is placed directly into the query text, so set it only to a trusted value.
$SQLQuery = "Select
    IsServerSource,
    ClientApp,
    ContactInfo,
    SipHeaderFrom
From RegistrarEndpoint
WHERE SipHeaderFrom LIKE '%$UserName%'"

$connection = New-Object system.data.sqlclient.sqlconnection
$Connection.connectionString="Data Source=$ServerName\RTCLOCAL;Initial Catalog=RTCDyn;Integrated Security=SSPI"
$Connection.open()

$Command = $Connection.CreateCommand()
$Command.Commandtext = $SqlQuery
$DataAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $Command
$Dataset = New-Object System.Data.Dataset

# Fill returns the number of rows loaded, which PowerShell prints as the first line of output.
$DataAdapter.Fill($Dataset)

# $Dataset.Tables[0] | Export-CSV UserIP.csv -notype

$connection.close()
$connection = $null

$Results = $dataset.tables[0].rows

ForEach ($r in $Results){
    if ($r.IsServerSource -ne "False"){
        $ClientApp = $r.ClientApp
        $ContactInfo = $r.ContactInfo
        $SipHeaderFrom = $r.SipHeaderFrom

        # GetString takes the column values as byte arrays and decodes them as ASCII text.
        $EncodingType = "System.Text.ASCIIEncoding"
        $Encode = new-object $EncodingType
        $ClientApp = $Encode.GetString($ClientApp)
        $ContactInfo = $encode.getstring($ContactInfo)
        $SipHeaderFrom = $encode.getstring($SipHeaderFrom)

        # Strip garbage from $ContactInfo to get IP:
        # keep the text before the first ';', then take the field after the first ':'.
        $CI = $ContactInfo.split(';')
        $CI2 = $CI[0]
        $CI3 = $CI2.split(':')
        $ClientIp = $CI3[1]

        # Strip garbage from $SipHeaderFrom to get SIP address in SMTP format:
        # take the field after the first ':', then cut at the closing '>'.
        $Sip = $SipHeaderFrom.split(':')
        $Sip2 = $Sip[1]
        $Sip3 = $Sip2.split('>')
        $SipAddress = $Sip3[0]

        write-host $SipAddress
        write-host $ClientIp
        write-host $ClientApp
    }
}

What you will get is a result something like here:

2
russ.kaufmann@infrastructurehelp.com
10.1.1.101
UCCAPI/15.0.4641.1000 OC/15.0.4641.1000 (Microsoft Lync)
russ.kaufmann@infrastructurehelp.com
10.2.1.105
UCCAPI/15.0.4641.1000 OC/15.0.4641.1000 (Microsoft Lync)
PS D:\ece_scripts>

The “2” is the number of incidents found, then the output from the script is provided in the form of the SIP address, the IP address, and the client application information.


Lync Server Issue – Certificate Status: Missing

Symptom: Yesterday, one of the Lync Front-End servers failed. Almost all of the Lync services were not running, and the services would not start manually. Reviewing the Event Logs, which is something that none of us do until we are well into our troubleshooting, I found the following Event Log errors:

Event 32014, LS Application Server

The application threw an exception while starting.

The application urn:application:testbot threw the following exception when starting: Exception: System.Runtime.Serialization.SerializationException

> Message: The constructor to deserialize an object of type ‘Microsoft.Rtc.Internal.Sip.LocalCertificateNotFoundException’ was not found.

> TargetSite: Void CallStartAsync()

> StackTrace:    at Microsoft.Rtc.ApplicationServerCore.ApplicationLoader.CallStartAsync()

> Source: Microsoft.Rtc.ApplicationServerCore

Cause: Startup errors.

Resolution:

Check the events prior to this to resolve the service startup issue.

 

Event 61002, LS MCU Infrastructure.

No certificate has been configured for secure transport.

The certificate assigned to process ReplicationApp(3756) was not found. 

Certificate serial number: 46ae547f00000000fcda

Certificate issuer name: CN=IHelp CA, DC=infrastructurehelp, DC=com.

Cause: Incorrect configuration of the server or the certificate assigned to the server was deleted from the certificate store

Resolution:

Verify that a valid certificate has been configured.

 

Event 48005, LS Routing Data Sync Agent

The Routing Data Sync Agent has encountered an unexpected Exception: [Operation is not valid due to the current state of the object.], Trace: [   at Microsoft.Rtc.Server.McuInfrastructure.HttpTransport.LoadCertificate(CertificateInfo certificate)

   at Microsoft.Rtc.Server.McuInfrastructure.HttpTransport.LoadCertificate()

   at Microsoft.Rtc.Server.McuInfrastructure.HttpTransport..ctor(String listeningUrl, ICccpConfigurationProvider config, XmlWriterSettings writerSettings)

   at Microsoft.Rtc.Server.Replication.Http.ReplicationHttpAdapter..ctor(String listenerUri, ICccpConfigurationProvider config)

   at Microsoft.Rtc.Server.Replication.Http.ReplicationHttpAdapter..ctor(String listenerUri, ServiceConsumer serviceConsumer, StoreAccessor regStoreAccessor, StoreAccessor uscStoreAccessor)

   at Microsoft.Rtc.Server.Replication.ReplicationApp.Initialize(AutoResetEvent workerStartedEvent, ManualResetEvent serverProcessDiedEvent, ManualResetEvent shutdownEvent, ManualResetEvent updateMasterStateEvent)

   at Microsoft.Rtc.Server.Replication.ReplicationApp.Main(String[] args)]

OK, the errors make it sound like a certificate error. Actually, it was pretty clear that it was a certificate error. So, I opened up the Certificates MMC and verified that the cert was still there. It wasn’t accidentally deleted or anything like that. In fact, the cert still has almost a year before it expires. I started the Deployment Wizard and found the following:

The Certificate Wizard shows the certificate, shows that it is not expired (today is September 30th, 2014), and that it is “partially” assigned in that the Web services internal shows assigned while the other services show the certificate is missing.

Resolution: I found that I could either replace the existing certificate with a new one, or I could just use the Assign option and re-assign the same certificate. In both cases, the Status became Assigned for all of the services, and the Lync services all started back up properly.

Cause: I am not sure. I know that some patching has been done recently, but I have no idea what patch might have caused this issue. BTW, I also found this issue existing on almost all of the Front-End servers, but only the one server had the services stopped. I am betting that if any of the other Front-End servers were restarted, they would have failed in exactly the same way.


Cleaning up Federation in Lync

I had a recent situation where I had to enable Federation for most of the company’s users because of an acquisition. It made perfect sense to enable Federation for them as they had the need to engage the newly acquired company’s staff on a very regular basis.

Now that the acquired company has been completely merged into the same Lync environment, it is time to clean up Federation. Actually, a month had passed before anyone realized that Federation should be cleaned up. I will take the blame for that.

There are two steps to this process.

  • First, I needed to identify which users were still using Federation to collaborate with other companies. Then I took the list and vetted it to make sure that only those that needed Federation were still using it.
  • Second, I needed to remove Federation from all remaining users.

To meet the needs, I created a script to identify those that were still using Federation.

CLS

# Pull every CDR session in which at least one participant was not internal.
$SQLQuery = "Select
       S.User1Id,
       S.User2Id,
       S.IsUser1Internal,
       S.IsUser2Internal,
       U.UserUri 'User1URI',
       UU.UserUri 'User2URI',
       S.SessionIdTime
From SessionDetails S
Inner join Users U on S.User1Id = U.UserId
Inner join Users UU on S.User2Id = UU.UserId
WHERE S.IsUser1Internal = 0 OR S.IsUser2Internal = 0
Group by
       S.User1Id,
       S.User2Id,
       S.IsUser1Internal,
       S.IsUser2Internal,
       U.UserUri,
       UU.UserUri,
       S.SessionIdTime"

# Replace SQLServerName\InstanceName with the server and instance that host the LcsCDR database.
$connection = new-object system.data.sqlclient.sqlconnection
$Connection.connectionString="Data Source=SQLServerName\InstanceName;Initial Catalog=LcsCDR;Integrated Security=SSPI"
$Connection.open()

$Command = $Connection.CreateCommand()
$Command.Commandtext = $SqlQuery
$DataAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $Command
$Dataset = New-Object System.Data.Dataset
$DataAdapter.Fill($Dataset)

$Dataset.Tables[0] | Export-CSV FederationActivity.csv -notype

$connection.close()
$connection = $null

# Rewrite the CSV line by line with Out-File before importing it again.
$File = Get-Content FederationActivity.csv
$Null | Out-File FederationActivity.csv
ForEach ($f in $File) {
    $f | Out-File FederationActivity.csv -append
}

$Results = Import-Csv FederationActivity.csv

# Create the user list on the first run so Get-Content below does not report a missing file.
If (-not (Test-Path FederationUsers.txt)) { $Null | Out-File FederationUsers.txt }

ForEach ($r in $Results){
    # Re-read the list on every pass so users appended earlier in this run are not added twice.
    $FU = Get-Content FederationUsers.txt
    $User1 = $r.User1URI
    $User2 = $r.User2URI

    # Replace DomainName.com with your own SIP domain; only internal users go on the list.
    If($User1 -imatch "DomainName.com"){
        $Test = $FU -contains $User1
        If($Test -eq $False){
            $User1 | Out-File FederationUsers.txt -Append
        }
    }

    If($User2 -imatch "DomainName.com"){
        $Test = $FU -contains $User2
        # Write-Host $Test is the test value
        If($Test -eq $False){
            $User2 | Out-File FederationUsers.txt -Append
        }
    }
}

 

The first script creates a nice file of the users. You can run it multiple times, and it will just add the names to the existing file. The FederationUsers.txt file is used in the second script to test whether the person should have Federation removed.

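CLS

$Users = Get-CsUser -resultsize unlimited

# Vetted list of users who keep Federation, produced by the first script.
$FU = Get-Content FederationUsers.txt

# Start a fresh log of the users whose policy is removed in this run.
$Null | Out-File FederationRemoval.txt

ForEach ($u in $Users){
    $u1 = $u.SamAccountName
    $u1 = $u1 + "@DomainName.com"
    $Test = $FU -contains $u1

    If($Test -eq $False){
        # Only act on users who have a per-user external access policy assigned.
        $Test1 = $u.externalaccesspolicy.friendlyname
        If ($Test1){
            # A $null policy name unassigns the per-user policy; the site or global policy then applies.
            Grant-CsExternalAccessPolicy $u1 -policyname $null
            $u1 | Out-File -append FederationRemoval.txt
        }
    }
}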

 

While others may not have the same needs, these scripts might help. Good luck.
