Xadean's Empirical Musing

PROBLEM

========

I encountered a scenario where users were able to successfully login to Polycom VVX phones with their Active Directory domain, username, and password credentials. However, users were not able to sign-in to the phones with their extensions and PIN authentication.

RESOLUTION

============

The root cause was tracked down to being a misconfigured DNS SRV record in the SIP domain forward lookup zone. Consider the following example scenario:

Internal AD Domain: contoso.local

SIP Domain: contoso.com

Lync Standard Edition Front End Server/Pool Name: LyncFE.contoso.local

SSL Certificate SN assigned to Lync FE: LyncFE.contoso.local

SSL Certificate SANs assigned to Lync FE:     LyncFE.contoso.com

                        Meet.contoso.com

                        Dialin.contoso.com

                        LyncExtWeb.contoso.com

                        Lyncdiscover.contoso.com

                        Lyncdiscoverinternal.contoso.com

                        Sip.contoso.com

The DNS forward lookup zone for the SIP domain "contoso.com" should have a DNS SRV record pointing to a host record in the same domain as follows:

_sipinternaltls._tcp.contoso.com

Priority: 0

Weight: 0

Port: 5061

Host: LyncFE.contoso.com

The culprit in my case was that the host was defined as "LyncFe.contoso.local", which was incorrect. Once this was changed to "LyncFE.contoso.com", PIN authentication worked as expected.