My approach to every problem is half academic, half technical – in this precise order. I don’t know how you guys work, but my brain retains information relevant to specific case only for relatively short period of time, or to be precise, until I move to the next case and so, for this task, I went back to my notes and refreshed the knowledge as of how Lync Autodiscover works. I decided to concentrate on Autodiscover process because Lync Metro App does not honor SRV records. Instead, it relies on Autodiscover to receive sign-in FQDN and/or URL.
- Client will try and resolve either lyncdiscoverinternal.contoso.com or lyncdiscover.contoso.com
- Client will request https://lyncdiscoverinternal.contoso.com
- Autodiscover will send back the Autodiscover service URL (typically Director Web Services)
- Client will authenticate and web ticket.
- Client will make new request while submitting the web ticket so that the Director can retrieve the user’s home pool information.
- Director will redirect the client to the home pool Web Services.
- Client will authenticate again and submit the web ticket
- Home pool web services (via Autodiscover) will respond with internal and external Lync services for the user’s home pool.
- Client (Lync Metro App in this case) will sign to the Registrar or the Edge server just like desktop client would after discover the registrar via SR record.
The first logical step was to examine the certificate returned from the server. I know, I know – all other service are working at the moment but… just in case. There are many ways to examine server certificate:
By using Internet Explorer. Simply visit the web site by using
https protocol and review the certificate.
***While this is certificate from my lab, the process used was the same. Earlier today I verified that the required names (lyncdiscover.contoso.com, director_web.contosof.com and home_pool.contoso.com) were present. So, it is not certificate issue!
Alternatively, you can use tool called RUCT (Remote UC Troubleshooting Tool) http://www.insideocs.com/Tools/RUCT/RUCT.htm. Simply start it, go to Certificate Information tab, input the target URL and port, retrieve the certificate and examine it.
Because the issue was Metro App which runs on Windows 8 OS only, my next test will be from W8 machine. I opened IE10 and went to https://lyncdiscoverinternal.customer.com
I received the expected
output and when opend it with notepad, everything looked just fine.
So far I’ve established that DNS resolves to correct IP, the certificate presented from the server have the correct names in the SAN list and the web service is functional.
This is the place to mention the fact that this customer uses F5 Hardware Load Balancer not only as HLB but Reverse Proxy for the External Lync web services. I checked with the network team earlier today and found that the current fimware on F5 is version 10.2
With this in mind, my next stop was… you guessed – F5 compatibility matrix (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-clientcompmatrix-11-1-0.html)
Ouch! As one of my favorite standup comedians Russel Peters often say: "Somebody gonna get a hurt real bad".
I was really not sure what to make of this statement “Windows Phone versions 7 and 8, and Windows RT are not supported”. Any way, as stubborn as I am, next logical step was to "wireshak it" and see what’s up.
I see the normal “Client Hello” followed by “Server Hello”, “Certificate , “Server Hello Done” and “Change Cipher, Encrypted Handshake Message”. Absolutely normal handshake, nothing out of ordinary… handshake done via TLSv1. No RST (reset) i.e both client and server are “talking”. Since I don’t have the private key, I cannot decrypt the traffic and so, for now I will assume the client visited lyncdiscover URL.
I see second handshake in the sequence described above. This must be the authentication attempt. Remember, we must authenticate first in order to receive web ticket.
Oops. This is something new. Note that the TLS version the client requested is v1.2
The server responded with Server Hello TLS v1.2 ...
…but then… nothing. The client dropped the connection.
I already knew from my research that F5 at firmware 10.2 does not support Windows 8 (not that it is clear what exactly is not supported…). I also know that TLS v1.0 works fine (when I visit https://lyncdiscover.contoso.com Internet Explorer 10 does not bombs and so, my conclusion was – this has something to do with the interpretation of TLS v1.2 on both sides.
At this point, just for fun, I decided to disable TLS v1.2 on Windows OS level, which I hoped would force Lync Metro App to use TLS v1.0 and examine the SSL traffic again.
Protocols can be enabled or disabled via registry. To make your life easier, here is link to .reg file which will disable TLS v1.2 on your Windows 8 powered device.
After modifying the registry and reboot, Lync Metro App signed immediately. Wireshark trace confirmed the app used TLS v1.0 to communicate with the Web Services via F5 Reverse Proxy and signed successfully. Download, unzip, move the file to your Windows 8, Merge and reboot.
Simply said, we introduce two new registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
To revert to the default security settings when such "fix" will be no longer necessary, delete "TLS 1.2" key and reboot.
By no means I encourage you to reduce the level of security on your operation system. This “fix” is proposed with the sole purpose that you as IT professional can continue testing all features of Windows 8 and/or Lync Server until such “fix” will be no longer necessary.
50 comments:
Very nice case!
The problem with this one is that Windows update will then be disabled.. for some reason updates cannot be retrieved anymore..
Finally KB2973337 (http://support.microsoft.com/kb/2973337/en-us) solves this Problem.
So update and everything will be fine now :)
The article is so informative. This is more helpful. Thanks for sharing
Learn best software testing online certification course class in chennai with placement
Best selenium testing online course training in chennai
Best online software testing training course institute in chennai with placement
magento developer training
this is really great to know about.
Thanks for sharing this information.
Want to Buy Step Down Transformer or Are you Curious about What is Step Down Transformer? Read the blog to get your queries resolved before making a purchase.
it is really great to know about. Thanks for sharing this with us.
it was really good to know about. thanks for sharing this.
Wonderful post and I hope you more updates from your blog. Thanks to you...
JMeter Training in Chennai
JMeter Training
Spark Training in Chennai
Pega Training in Chennai
Power BI Training in Chennai
Job Openings in Chennai
Linux Training in Chennai
Oracle Training in Chennai
Tableau Training in Chennai
Oracle DBA Training in Chennai
JMeter Training in Velachery
we have provide the best ppc service.
ppc company in gurgaon
website designing company in Gurgaon
PPC company in Noida
seo company in gurgaon
PPC company in Mumbai
PPC company in Chandigarh
Digital Marketing Company
iso 27001 certification services
iso 27001 certification cost
ISO 9001 Certification in Noida
it was really good to know about it. Thanks for sharing this with us.
it was really great to know about.
Download Or Install Office Setup Step 1. Go to www.office.com/setup - Sign in, 2nd. Enter product key, and 3rd. we can also help you with office.com/setup online.
www.trendmicro.com/downloadme
For Trend Micro Download , you must create a Trend Micro account from trend micro that can help you in smooth Trend Micro installation. Protect your systems and online data from multiple threats, including viruses, spyware, identity theft, malware, rootkits, Trojans, phishing attacks, ransomware, Adware, Worms, Bots, Horses, and other threats.You can activate the Trend Micro software by installing the Trend Micro download
Thanks for the Information
wordpress tutorial
Norton.com/setup helps you to deploy Norton setup on your computing devices. Here are the steps for deployment of Norton setup without any interruptions.
norton.com/setup
Norton is a reputed and cost-effective antivirus suite
company which offers protection so that no virus can damage
your computer. It also provides many other products and
services apart from antivirus.
AVG is compatible with almost all the devices, including computers, windows, laptops, and smartphones.
www.avg.com/retail |
avg.com/retail
Excellent blog. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking.
Visit: webroot.com/safe
It's really helpful. Thank you so much. I can study many things from your blog.
Visit: Webroot geek squad download
Excellent blog. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking.
Visit: www.norton.com/setup
Great information you shared through this blog. Keep it up and best of luck with your future blogs and posts.
www.norton.com/setup
I am really grateful to the holder of this web page who has shared this fantastic article at this place.
www.trendmicro.com/bestbuypc
Thanks for sharing the information. Your blog has always been a source of great tips.
www.malwarebytes.com/install
I really happy found this website eventually. Really informative and inoperative, Thanks for the post and effort! Please keep sharing more such a blog.
aol desktop gold download
I am really grateful to the holder of this web page who has shared this fantastic article at this place.
comcast email sign in
www.norton.com/setup – The digital world is mediated through the internet, and it is the main source of different information shared on the internet. In addition to these things, the Internet is also the source of various viruses and online scams
Xfinity Connect app is popular for its features and functions now available with all new users interface and advance security features.
www.norton.com/setup – As we know that cyber-attacks are increasing in today’s time, in which hackers reach into our device.
www.trendmicro.com/bestbuypc is a platform for installing the trend micro antivirus without any problems directly.
www.malwarebytes.com/install- It will shield your computer from different dangers by distinguishing and expelling infections progressively.
aol desktop gold download- AOL desktop is an internet suite produced by AOL that integrates a web browser with a media player and an instant messenger.
comcast email sign in | Xfinity Email Sign in – Comcast now Xfinity is a large US-based internet provider offering a wide range of communication services.
WWW.MALWAREBYTES.COM/INSTALL It will shield your computer from different dangers by distinguishing and expelling infections progressively. This is finished with the utilization of hostile to malware, against spyware, and against rootkit innovation. The software’s auto-examine include likewise offers a proactive method to tidy up a framework.
www.trendmicro.com/downloadme Defend against the unknown threats and proceed for Trend micro download with TrendMicro having Advanced Machine Learning Technology.
www.webroot.com/safe is one of the easiest processes to secure your online web surfing and data. If you want to secure your devices from virus and malware just download webroot with key code from webroot com safe website. Learn the steps to download, install, activate or reinstall webroot.
This post is very useful to us thanks for sharing this info with us…
That’s wonderful. many things to learn. thanks for sharing
Thanks for sharing a useful post here.
Thanks for sharing such an amazing article, really informative
https://www.installmalwarebytes.org/install/
Very valuable information, it is not at all blogs that we find this, congratulations I was looking for something like that and found it here.
Hi I am from Join Pak Navy I and I really like your work thanks for this information and keep it up you are doing good
You can view all the available maps that are present in your Garmin Nuvi series on your computer. Garmin Nuvi is a great application where you can view available routes for your upcoming destination. Not this, you can mark the important waypoints like gas stations, restaurants, etc. Once you are done with planning, transfer all data to your Garmin GPS device. latest available updates, downloading and installing Garmin Nuvi Update and Garmin Map Update.
Keep your Garmin device updated without any miss. Garmin offers many out of the box features which you can access by having regular Garmin GPS Update. Update your map through Garmin.com/express to enhance the efficacy by selecting all eco-friendly roads. Under the map, updates are also available voice commands that help you keep your eyes roads and hands-on your wheel.
Check the requirements for the criminal case law demanded by the Sindh High Court and feel free to consult advocate. Here you can find how to put the case in Sindh high Court.
Get Started with AOL Desktop Gold Download for Windows, 7, 8, 10 and MAC OS.
Just Follow link &
Click Download AOL Desktop Gold to start the process :
Aol Desktop Gold Download
https://sites.google.com/view/aol-desktop-gold-problems/aol-desktop-gold
Aivivu chuyên vé máy bay, tham khảo
ve may bay di my gia re
vé máy bay hà nội đi hồ chí minh
đặt vé máy bay phú quốc đi hà nội
vé máy bay ra nha trang
vé máy bay đi đà lạt vietnam airline
taxi đi sân bay
Nice article!
We are glad to read your blog, and we totally agree with you, the list you shared here is excellent. Keep sharing such articles. Me and my team at Rankofy PPC Company In Chandigarh and Rankofy SEO Services In Chandigarh will surely use your tips.
Post a Comment