How to fix the Lync Services sign-in prompt: “Type your user name and password to connect for retrieving calendar data from Outlook”

When signing in to the Lync client using cached domain credentials (e.g. you log in to your corporate domain-joined laptop at home), the Lync client may prompt you with an additional authentication dialog box:

When the Lync client signs in, it also attempts to retrieve availability data via Exchange 2010 Web Services (EWS). It does so by leveraging the Autodiscover functionality.

Communicator will issue SOAP requests (over HTTPS) to the published Autodiscover server, which returns the URLs for the Microsoft Exchange 2010 Client Access Server(s) that will feed the availability data back to the Lync client.

The additional prompt for authentication stems from Communicator being hard-wired to authenticate using NTLM. When IIS (on the Exchange 2010 CAS machines) returns its WWW-Authenticate headers, it does so in the form of:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

When Communicator attempts to negotiate authentication using your cached credentials (over the Internet), it will fail with a “401.2 Unauthorized” (*2), and subsequently prompt you for authentication as above. However, if we force NTLM from either the client side or the server side, we eliminate these additional prompts for credentials.

How to Fix:

We are instructing IIS on the Exchange 2010 CAS server(s) to offer NTLM as the first authentication provider (with Negotiate as the fallback provider) in the WWW-Authenticate header.

Fix using command lines

1. On the Exchange 2010 CAS machine(s), Start -> Run -> cmd -> OK. Change to the C:\Inetpub\AdminScripts directory.

2. Execute the below commands.

a. Inspecting current status:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

The parameter "NTAuthenticationProviders" is not set at this node. (*4)

b. Setting the parameter:

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM,Negotiate"

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

NTAuthenticationProviders : (STRING) "NTLM,Negotiate"

c. Verifying the output:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

NTAuthenticationProviders : (STRING) "NTLM,Negotiate"

3. Restart the IIS Admin Service (which will restart all dependent services) on the Exchange 2010 CAS machine(s).

IIS 7.0 Configuration

Lists configuration
appcmd list config /section:windowsAuthentication

Removes Negotiate
appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']

Adds Negotiate back (it is appended to the end of the list, so it now follows NTLM)
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost

Lists configuration
appcmd list config /section:windowsAuthentication

Here is a list of the results:

C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']

C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost

C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="NTLM" />
          <add value="Negotiate" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
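
A way to confirm the change took effect, as an added example that is not part of the original post: the script below reads the provider order from saved `appcmd list config` output and compares it with the order of the WWW-Authenticate headers in a captured 401 response. The sample XML and HTTP response are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Constructed sample: `appcmd list config /section:windowsAuthentication` after the fix.
APPCMD_XML = """<system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="false">
    <providers>
      <add value="NTLM" />
      <add value="Negotiate" />
    </providers>
  </windowsAuthentication>
</authentication></security></system.webServer>"""

# Constructed sample: the 401 challenge a client would see from the EWS virtual directory.
RAW_401 = ("HTTP/1.1 401 Unauthorized\r\n"
           "WWW-Authenticate: NTLM\r\n"
           "WWW-Authenticate: Negotiate\r\n\r\n")

def configured_providers(xml_text):
    """Provider list in configured order; [] if Windows authentication is disabled."""
    node = ET.fromstring(xml_text).find(".//windowsAuthentication")
    if node is None or node.get("enabled", "false").lower() != "true":
        return []
    providers, order = node.find("providers"), []
    for child in (providers if providers is not None else []):
        if child.tag == "clear":        # <clear/> drops inherited providers
            order = []
        elif child.tag == "remove":
            order = [p for p in order if p != child.get("value")]
        elif child.tag == "add":
            order.append(child.get("value"))
    return order

def offered_schemes(raw_response):
    """Auth schemes in the order the WWW-Authenticate response headers list them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])     # scheme token, without parameters
    return schemes

def check(xml_text, raw_response):
    cfg, wire = configured_providers(xml_text), offered_schemes(raw_response)
    return {"configured": cfg, "offered": wire,
            "ntlm_first": bool(cfg) and cfg[0] == "NTLM",
            "wire_matches_config": [s for s in wire if s in cfg] == cfg}

if __name__ == "__main__":
    print(check(APPCMD_XML, RAW_401))
```

Run it once against the Autodiscover virtual directory and once against EWS, since the GUI procedure changes the provider order on each separately.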

How to Fix using GUI

1. Open IIS Manager on the Client Access server, navigate to Default Web Site > Autodiscover, and select Authentication.

2. Open “Windows Authentication”, select “Providers” in the right-hand pane, and move “NTLM” up.

3. In IIS Manager on the Client Access server, navigate to Default Web Site > EWS and select Authentication.

4. Open “Windows Authentication”, select “Providers” in the right-hand pane, and move “NTLM” up.


How to view Whitespace in Exchange 2010 Databases

With older versions of Exchange, admins would use EventID 1221 to see how much whitespace was available in each database.

With Exchange 2010, EventID 1221 is no longer used.

Admins can now query the databases directly with the following PowerShell command to see the whitespace in each database:

Get-MailboxDatabase -Status | FT Name, AvailableNewMailboxSpace

Additional Scripts on Exchange 2010 SP2

As with most Microsoft Exchange Service Packs and some Update Rollups, Exchange Server SP2 introduces six new scripts that are useful to manage and monitor your Exchange organization.

All the canned Exchange scripts are located in the %ExchangeInstallPath%Scripts folder (normally, C:\Program Files\Microsoft\Exchange Server\V14\Scripts). You can easily change to this folder within the Exchange Management Shell (EMS) using the command cd $exscripts. It looks dirty, but it’s not. 🙂

The six new(ish) Exchange Service Pack 2 scripts are:

  • ConvertOABVDir.ps1 – This script will convert the OAB virtual directory to an IIS web application, as well as create a new application pool called MSExchangeOabAppPool. Converting the OAB virtual directory is necessary to support different authentication methods like Kerberos and Certificate authentication. You need to execute this script on each Client Access Server. Ross Smith wrote about this script in his article, Recommendation: Enabling Kerberos Authentication for MAPI Clients.
  • ExPerfwiz.ps1

What do Exchange Delegation and Lync do?

This is something that I have wanted to share with you all. There were more queries from the service desk and desktop team about what “People I manage calls for” does and how to remove/manage them from the Lync client.

“People I manage calls for” is part of the delegation model. If the user in question is responsible for scheduling Lync/OCS meetings for the person in their “People I manage calls for” group, then no, you cannot remove them, because removing them will remove their ability to schedule meetings as well. If that’s not the intention, and they ended up being a delegate by accident of Exchange permissions, then yes, they can be safely removed.

There is a resource kit utility called SEFAUtil.exe that has the ability to add/remove delegations from Lync server manually.

Normally, Lync gets its delegate information from permission settings in Exchange. For the example, I’m going to use Boss and Admin instead of delegator and delegate because I find the latter confusing.

For the admin to be able to schedule Lync meetings for the boss, the boss sets either “Editor” or “Author” rights on his calendar to his admin.

Both the boss and the admin have the CsClientPolicy -EnableExchangeDelegateSync set to $true.

When the boss’s Lync client boots up, it checks with Exchange to see what permissions the boss has granted other people. It will find he’s granted his admin “Editor” or “Author” rights to his calendar, and the Lync client will send a message to the Lync server to grant delegation permission to the admin.

When the admin restarts their client, it will contact the Lync server and pull down the users that the admin has been granted permission for. The admin will then be able to schedule Lync meetings inside the boss’s calendar.

This is the normal process.

Lync 2010 Webcast

Here is a listing of the Lync 2010 webcasts:

Microsoft Lync 2010 Voice Deployment

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032492173&Culture=en-US

Deep Dive: Lync Server 2010 Conferencing

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032492176&Culture=en-US

Microsoft Lync 2010 High Availability and Resiliency

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032492171&Culture=en-US

Deep Dive: Lync Server 2010 Edge Servers

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032492168&Culture=en-US

Lync Server 2010 Migration and Coexistence

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032486209&Culture=en-US

Lync Server 2010 Architecture Topologies

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032488520&Culture=en-US

Lync Server 2010 Role Based Access Control

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=10324862111&Culture=en-US

Lync Server 2010 Implementing Call Admission Control

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032486214&Culture=en-US

Lync 2010 CU4 is out

Microsoft has released Cumulative Update package number 4 (CU4) for Lync 2010. In addition to multiple hotfixes for some reported issues, this update introduces six new cmdlets; actually there are four, since two of them were included in CU3 but without any help files.

These cmdlets work with the upcoming Lync mobility services, for which the full details have not been released yet.

Here’s a brief description of the new cmdlets, thanks to Tom Arbuthnot:

1.      CsAutodiscoverConfiguration

Modifies an existing collection of Autodiscover configuration settings. The Autodiscover service provides a way for client applications such as Lync Web Access or Microsoft Lync Mobile to locate key resources such as a user’s home pool or the URL for joining a dial-in conference.

2.      New-CsWebLink

Creates a new web link that points to the Autodiscover service. The Autodiscover service provides a way for client applications such as Lync Web Access or Microsoft Lync Mobile to locate key resources such as a user’s home pool or the URL for joining a dial-in conference.

3.      Test-CsMcxPushNotification

Verifies that the push notification service is working. The push notification service (Apple Push Notification Service and Microsoft Lync Server 2010 Push Notification Service) provides a way to send notifications about events such as new instant messages or new voice mail to mobile devices like iPhones and Windows Phones, even if the Microsoft Lync 2010 application on those devices is currently suspended or running in the background.

4.      CsMobilityPolicy

Modifies an existing mobility policy. Mobility policies determine whether or not a user can use Microsoft Lync 2010 Mobile. These policies also manage a user’s ability to employ Call via Work, a feature that enables users to make and receive phone calls on their mobile phone by using their work phone number instead of their mobile phone number.

5.      CsMcxConfiguration

Modifies an existing collection of Microsoft Lync Server 2010 Mobility Service configuration settings. The Mobility Service enables users of mobile phones such as iPhones and Windows Phones to do such things as exchange instant messages and presence information; store and retrieve voice mail internally instead of with their wireless provider; and take advantage of Microsoft Lync Server 2010 capabilities such as Call via Work and dial-out conferencing.

6.      CsPushNotificationConfiguration

Modifies an existing collection of push notification configuration settings. The push notification service (Apple Push Notification Service and Microsoft Lync Server 2010 Push Notification Service) provides a way to send notifications about events such as new instant messages or new voice mail to mobile devices such as iPhones and Windows Phones, even if the Microsoft Lync 2010 application on those devices is currently suspended or running in the background.

It is recommended to use the Cumulative Update installer to install the update package automatically, or use the links below for a manual installation.

Note that a server restart is required after applying this update, specifically when updating the Mediation Server.

Server-side updates

Client-side updates