I encountered a scenario where users were able to successfully log in to Polycom VVX phones with their Active Directory domain, username, and password credentials. However, users were not able to sign in to the phones with their extensions and PIN authentication.
The root cause was tracked down to a misconfigured DNS SRV record in the SIP domain forward lookup zone. Consider the following example scenario:
Internal AD Domain: contoso.local
SIP Domain: contoso.com
Lync Standard Edition Front End Server/Pool Name: LyncFE.contoso.local
SSL Certificate SN assigned to Lync FE: LyncFE.contoso.local
SSL Certificate SANs assigned to Lync FE: LyncFE.contoso.com
The DNS forward lookup zone for the SIP domain "contoso.com" should have a DNS SRV record pointing to a host record in the same domain as follows:
The culprit in my case was that the host was defined as "LyncFe.contoso.local", which was incorrect. Once this was changed to "LyncFE.contoso.com", PIN authentication worked as expected.
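The check described above can be run offline before touching DNS. The following is an added example, not part of the original post: the function names are hypothetical, the inputs are the constructed values from the example scenario, and the certificate comparison is an extra sanity check that assumes the SRV target should also appear in the certificate SN/SANs.

```python
# Added example: offline consistency check for a SIP-domain SRV target.
# Inputs are the constructed values from the example scenario above.

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def in_zone(host, zone):
    """True if host is a name inside zone (label-aligned suffix match)."""
    host, zone = _norm(host), _norm(zone)
    return host.endswith("." + zone)

def cert_covers(host, cert_names):
    """True if host equals a certificate name or matches a one-label wildcard."""
    host = _norm(host)
    for name in map(_norm, cert_names):
        if name == host:
            return True
        # "*.contoso.com" covers "pool.contoso.com" but not "a.b.contoso.com".
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_srv_target(sip_domain, srv_target, cert_names):
    """Return a list of findings; an empty list means the target is consistent."""
    findings = []
    if not in_zone(srv_target, sip_domain):
        findings.append(
            f"SRV target {srv_target} is not a host in SIP domain {sip_domain}")
    if not cert_covers(srv_target, cert_names):
        findings.append(
            f"SRV target {srv_target} is not in the certificate SN/SANs")
    return findings

SIP_DOMAIN = "contoso.com"
CERT_NAMES = ["LyncFE.contoso.local", "LyncFE.contoso.com"]  # SN + SAN

if __name__ == "__main__":
    # First target is the misconfigured value, second is the corrected one.
    for target in ("LyncFe.contoso.local", "LyncFE.contoso.com"):
        result = check_srv_target(SIP_DOMAIN, target, CERT_NAMES)
        print(target, "->", result or "OK")
```

The misconfigured target passes the certificate comparison because the SN matches it, so only the SIP-domain check flags it.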