Lync 2010 Federation with AOL – Fixed !!

Hi.

One of mine customers where having issues with federation between Lync 2010 and AOL.
I did some investigation, and found that they had applied for both MSN and AOL a long time ago.
Then I did some background check to see if something has been changed – DNS name, IP’s and so on – No change had been made.

Then at the 12th of December, some Windows Update patches was released.
One of them was Root CA Update, and after this patch was installed the Lync Phone devices started to act strange

They did a sign out and sign in each 30 seconds !!!

Lync 2010 FrontEnd Server:

Some investigation was made, and the following Registry change was implemented on the Lync FrontEnd Server.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Created the following DWORD value:

SendTrustedIssuerList with a HEX value of 0

After this change the Lync Phone devices did start to behave normal, and has stayed signed in and running since 🙂

Hello – What does this has to do with AOL Federation issues ??
Right – The above didn’t solve my AOL issues, but I am certain that it helped 🙂

Lync 2010 Edge Server:

After som searching on the Internet, we found some article telling that we had to change to SSL Cipher Suite Order on the Lync Edge Server.
I started with GPEDIT.MSC as stated in the article, but did find that the GPEDIT.MSC has characters limitations, and didn’t accept the complete cipher string !! (It was just copied out, altered and when I where to past it back in – the string didn’t fit !!)

Again searching the net, finding that we could use the Registry to change the value.
Starting up RegEdit, and navigating to the following location:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL0010002
Added the following:

Key: Functions
Value:
TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA

This change require a reboot of the Lync Edge, after the reboot the issue was still not solved – ARG !!

Further investigating lead me to the fact that the Lync Edge Server was running with IPv6 fully enabled, so I decided to disable IPv6 on the server.
Did that with the following script: Set-Lync2010Features

Once again disabling of IPv6 requires a reboot of the server.
Reboot was done, and VOILA – Federation with AOL worked !!

I’m not 100% sure of what actually fixed the issue, but I belive that all three changes helped in the resolution of the customers AOL issues.

Advertisements