During one of my regular on-site visits to a customer of mine, I ran into a problem with a user who could not sign in to the Lync 2013 client. Whenever the user tried to log in, he got an error message telling him to check his username and password (login credentials); although the credentials were 100% correct, he could never log in. Interesting to note here is that the history of the customer’s infrastructure included an Active Directory migration.
When the user tried to log in he got an error to check his username and password, and resetting the user’s password did not help either.
Collecting SIP stack logs on the client and the server while trying to log in gave me the reason why the front end was refusing the login credentials:
Text: Failed to authorize user credentials
“User Token SID S-1-5-21-xxx-xxx-xx-xxx did not match DB SID S-1-5-21-xxx-xxx-xx-xxx”
Shortly after, I see a SIP/2.0 403 Forbidden error with:
“ms-diagnostics: 4004; reason=Credentials provided are not authorized to act as specified from URI; AuthenticatedIdentity = username; source = frontend”
So the problem was with the user’s SID: for some reason, when Lync synced the new accounts to its database after the AD migration, it took them with the wrong SID, so the Lync database had a SID for this user that did not match the one in Active Directory.
Checking the user’s objectSid attribute in Active Directory I found an even stranger problem: the account had a third SID that was totally different from both of the ones reported in the logs 🙂
So, like any other Lync specialist would do, I fired up PowerShell and told Lync to update its user database, thinking it might be a synchronization problem.
Monitoring the event viewer to see the progress of the synchronization, I saw a new error reported:
Event ID 30020, source “LS User Replicator”
“User URI is already being used by another valid user in the database….”
So I was like “huh…?! really?” Checking Lync, only one user had this SIP address; checking the msRTCSIP-PrimaryUserAddress attribute of all users in Active Directory (thanks to PowerShell), I found that only he had this SIP address. Then what was the problem?
Finally I tried the last two options, which were running DBAnalyze and disabling and re-enabling the user for Lync. Long story short, that did not fix it either.
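To gather the checks described above in one place, here is an added PowerShell script; it is not from the original post and is only an illustration of the same diagnosis. It pulls the user’s objectSid (plus sIDHistory, which a migrated account may carry) and msRTCSIP-PrimaryUserAddress from Active Directory, reports whether the two SIDs quoted in the “did not match” log line are known to AD at all, searches AD for any other object holding the same SIP address (the thing event 30020 complains about), and lists the most recent 30020 events. It assumes the ActiveDirectory module (RSAT or a front end), that the Lync event log is named “Lync Server”, and that the -TokenSid/-DbSid values are copied from the SIP stack log; every account name and server name is a placeholder.

```powershell
<#
  Added example, not part of the original post. Collects in one run the things the
  post compared by hand: AD SID(s) of the account, the SIP address attribute, any
  duplicate holder of that SIP address, and the latest "LS User Replicator" 30020 events.
  Assumptions: ActiveDirectory module available; event log named "Lync Server";
  -TokenSid / -DbSid are the two values from the "User Token SID ... did not match DB SID" line.
#>
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,
    [string]$TokenSid,       # "User Token SID" value from the SIP stack log (optional)
    [string]$DbSid,          # "DB SID" value from the same line (optional)
    [string]$GlobalCatalog   # e.g. "dc01.contoso.local:3268" in a multi-domain forest (optional, placeholder)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Helper: sIDHistory may come back as SecurityIdentifier objects or raw byte arrays; normalise to strings.
function ConvertTo-SidString($value) {
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value.Value }
    return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
}

$adParams = @{ Properties = 'sIDHistory', 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled' }
if ($GlobalCatalog) { $adParams.Server = $GlobalCatalog }

$user = Get-ADUser -Identity $SamAccountName @adParams
$sip  = $user.'msRTCSIP-PrimaryUserAddress'

# 1. Every SID AD knows for this account: the current objectSid plus any migrated-in history.
$historySids = @($user.sIDHistory | ForEach-Object { ConvertTo-SidString $_ })
$knownSids   = @($user.SID.Value) + $historySids
"AD objectSid  : $($user.SID.Value)"
"AD sIDHistory : $(if ($historySids.Count) { $historySids -join ', ' } else { '<none>' })"
"SIP address   : $sip"
"Lync enabled  : $($user.'msRTCSIP-UserEnabled')"

# 2. Which of the SIDs quoted in the log line does AD actually recognise?
#    In the case in the post, neither one matched the objectSid; this shows at a glance
#    whether one of them is an old SID from sIDHistory or something AD has never seen.
foreach ($pair in @(@{ Name = 'Token SID'; Sid = $TokenSid }, @{ Name = 'DB SID'; Sid = $DbSid })) {
    if ($pair.Sid) {
        $status = if ($knownSids -contains $pair.Sid) { 'known to AD' } else { 'NOT in objectSid or sIDHistory' }
        "{0,-10}: {1} -> {2}" -f $pair.Name, $pair.Sid, $status
    }
}

# 3. Any other AD object carrying the same SIP address? (LDAP filter special characters escaped.)
if ($sip) {
    $escaped = $sip -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searchParams = @{ LDAPFilter = "(msRTCSIP-PrimaryUserAddress=$escaped)"; Properties = 'objectSid' }
    if ($GlobalCatalog) { $searchParams.Server = $GlobalCatalog }
    $holders = @(Get-ADObject @searchParams)
    "Objects with this SIP address in AD: $($holders.Count)"
    $holders | ForEach-Object { "  {0}  ({1})" -f $_.DistinguishedName, (ConvertTo-SidString $_.objectSid) }
}

# 4. Latest User Replicator 30020 events on this server (log name is an assumption).
#    Update-CsUserDatabase in the Lync Server Management Shell is the cmdlet that triggers
#    the sync the post refers to; it is not run here.
Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 30020 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Run it from a front end as a user with read access to AD, for example `.\Check-LyncSid.ps1 -SamAccountName jdoe -TokenSid 'S-1-5-21-…' -DbSid 'S-1-5-21-…'`. If step 3 finds more than one object, event 30020 is telling the truth and the duplicate is the fix; if it finds exactly one (as in the post) and neither logged SID is known to AD, the stale entry lives in the RTC database rather than in Active Directory.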
** DO NOT DO THAT IF YOU HAVE LIMITED EXPERIENCE WITH SQL SERVER YOU CAN AND WILL BREAK YOUR LYNC**
- Disable and remove the user from Lync Server
- Log in to the front end and start SQL Server Management Studio
- Connect to the RTCLOCAL instance
- Run the following query against the RTC database:
- execute dbo.RtcDeleteResource ‘user sip address’
- Restart the Master Replicator Agent and the Replica Replicator Agent services on the front end
- Enable the user for Lync again and wait a couple of minutes