Some Lync Users Can’t Communicate to Federated Contacts and ‘Federation is disabled’ Appears in Snooper logs
In this scenario, IM & Presence would work for some users to federated contacts, but wouldn’t work for others.
Federated User Access was enabled in the Global External Access Policy and in the Global Access Edge Configuration policy. The target domain was in the Federated Domains list as an allowed domain. There was no discernable pattern as to what users could communicate with federated contacts, and what users could not. They were spread across various Front End servers, OUs, etc. Various clients on the workstation made no difference.
When looking at logs in Snooper on the front end that the user connects to, “Federation is disabled” would appear when the user attempted to send a message out:Â
09/16/2011|13:09:13.108 FB8:109C INFO :: SIP/2.0 504 Server time-out
Proxy-Authentication-Info: Kerberos qop=”auth”, opaque=”59715D13″, srand=”DF93B1E9″, snum=”16″, rspauth=”040401ffffffffff0000000000000000450a1d9cc165348ae016ee91″, targetname=”sip/USSFA1L14POOL2.global.mydomain.net”, realm=”SIP Communications Service”, version=4
From: “user, test”<sip:test.user@mydomain.com>;tag=94a0d94c10;epid=67fd7944cb
To: <sip:prichard@federateddomain.com>;tag=6E14486DE28A93804279A401E6E7A4CF
Call-ID: db3c59b759ef4065adb458d54d03a687
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 10.1.1.98:58376;ms-received-port=58376;ms-received-cid=63500
ms-diagnostics: 1065;reason=”Federation is disabled“;domain=”federateddomain.com”;source=”sip.mydomain.com”
Server: RTC/4.0
Content-Length: 0
And traffic for this user would never get to the Access Edge servers. This was the case for ANY federated contacts the “broken” users would attempt to communicate with. Yet, other workers wouldn’t have ANY problem communicating to these same federated contacts. In fact, a “good” user could log onto a test workstation, launch Communicator, and it would work – but then close Communicator and launch Communicator as a “broken” user and not be able to communicate – even from the same Windows session. There was no pattern other than “broken” users would always be broken, and working users would always work.
Many things were inspected, and I tried doing things such as disabling the users in Lync and then re-enabling them. I drain stopped the Front End server that was the user’s preferred server to force them onto another server – no luck.
PSS spent several weeks on this one. Everything was configured correctly. What we decided to try was to set the Minimum session security for NTLM SSP based clients & servers. By default, a Windows 2008 R2 server has both settings set to 128-bit minimum. But Windows XP and earlier clients default to only 40-bit. It didn’t make much sense that this would work since we could duplicate both working and broken users on the same machine. But it was worth a shot. Here’s what we did.
Open the Local Security Policy and navigate to Local Policies>Security Options. Find the Network security: Minimum session security for NTLM SSP based (including secre RPC) clients & servers settings, as shown below:
Double click on each and clear the Require 128-bit encrytion checkbox as shown below:
The settings should now show “No minimum” in the Local Security Policy as shown below:
The settings don’t take effect until the server is rebooted. We performed this process on all of the Lync servers in the environment. Incidentally, the settings just change some registry keys. So we can instead change the values using the following PowerShell lines, which will make their way into my server build scripts:
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NtlmMinClientSec" -Value 0 Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NtlmMinServerSec" -Value 0
After the servers were rebooted, and user connections reestablished (which took some time), the problem disappeared. All users were able to communicate with federated contacts.
what server did you do this on ? The Front End ? I am having a similar problem. All clients are Win 8.1 and we are using Lync 2013 Server running on Server 2012 R2. I user can communicate with an external contact, one user cannot. Very strange.
good write up.. I have the same symptoms. Two users cant reach particular external contacts. Snooper trace doesn’t show Federation is disabled but rather 403’s Forbiddens, and 504’s timeouts. Its odd that a user that works can use my workstation and reach these people fine. Alternatively I can use theirs and be denied. I’m going to try your fix and see if it helps. Thanks for documenting this.
@Justin
Hi Justn, were you able to figure out what was causing that?
Thanks
Aamir
Thank you very much! We had a vmware outage and everything came back up but presence for external contacts. This solved it for us.
I’m experiencing the same issue. I have a handful of users that can’t federate with a single domain but can federate with other domains. Which scenario did you look for in the snooper logs? IMandPresence or AlwaysOn?