Channel: Lync 2010 and OCS - Address Book and User Replicator forum

Lync 2010 Account ERROR communicating with GetWebTicket service


Hey Guys,

I have been reading and reading on the boards here and on various blogs and just cannot get my head around my issue here. For some users, we have an issue where the Lync 2010 client cannot download the address book.

As of now I have a standard FE server and an edge deployment with reverse proxy configured. I am testing clean on the MS online testing app with autodiscover, I have no issues connecting, and most clients (even mobile) are working well with integration.

For some users, no matter what I do, these users cannot get the address book. Below I will show the output of the Test-CsAddressBookService for both users from the FE server's management shell:

============== A Clean Test =====================================================

PS C:\> Test-CsAddressBookService -TargetFqdn pvw-lyncfe01.cfins.com -UserCredential $cred1 -UserSipAddress "sip:test2k10@cfins.com"
        Connecting to web service : https://pvw-lyncfe01.cfins.com:443/WebTicket/WebTicketService.svc
        Using IWA authentication
        Successfully created connection proxy and website bindings
        Requesting new web ticket
        Sending Web-Ticket Request: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action></s:Header><s:Body><RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://pvw-lyncfe01.cfins.com/WebTicket/WebTicketService.svc</Address></EndpointReference></AppliesTo><Entropy><BinarySecret>i+yR9pN4xqVppCo4MiiOy70HnXP2Roc848CtHHMlqwU=</BinarySecret></Entropy><KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType></RequestSecurityToken></s:Body></s:Envelope>
        Web-Ticket response: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header /><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><RequestSecurityTokenResponse Context="00000000-0000-0000-0000-000000000000"><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType><RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-89946b6c-e1ae-4017-a432-a9d278188437" Issuer="https://PVW-LYNCFE01.cfins.com/webticket/webticketservice.svc"
IssueInstant="2013-10-02T14:22:57.479Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2013-10-02T14:22:57.479Z" NotOnOrAfter="2013-10-02T22:39:51.479Z"><saml:AudienceRestrictionCondition><saml:Audience>https://pvw-lyncfe01.cfins.com/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2013-10-02T14:22:57.479Z"><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:Test2K10@cfins.com</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"></e:EncryptionMethod><KeyInfo><KeyName>PVW-LYNCFE01.cfins.com:8d08d866fcbc800</KeyName></KeyInfo><e:CipherData><e:CipherValue>9q/X4JEGRlkwWf+5R5z1M5VpJ8GRb1jatFLl+nivfv9WO4Pky+tkbA==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#SamlSecurityToken-89946b6c-e1ae-4017-a432-a9d278188437"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>UfCouvEYsFq+za3S6OcwA4Erm0apiL8JvY0spQj2Pw8=</DigestValue></Reference></SignedInfo><SignatureValue>q/wBelLsruoz51P+9wSwEqp5DNNJqnOVB95/X6DGA+Id1rn8kiriBX79zj23xB2vAkzXNdWUwFNbOEV+TetRL/cgodRbOUG0rRx7fz2LO5+7uYMrT/qXZtij76p5MlPPN2m5+XQYRh7kZ38XpqYah9C5SEWSMZ4qqRbCmgb2Ft
SS4baGcf2V4iLHGvMrBr8nJahNElccwGJZ7GKzWpQoQO0/Z7NLk9wPTWyQuesS53VSMLmTuknaBu5JnoJr9a89Y8VBWuALRDvWl9coak/CHKblFjxCswNu3IwPGBnVL+IYTWe+lul57x2lf9moYOl5W9gWrmSsLvLQWjgEYYvIJw==</SignatureValue><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">3IbLh+Yo4TD6175AXjHKMexiq9c=</o:KeyIdentifier></o:SecurityTokenReference></KeyInfo></Signature></saml:Assertion></RequestedSecurityToken><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://pvw-lyncfe01.cfins.com/</Address></EndpointReference></AppliesTo><RequestedAttachedReference><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-89946b6c-e1ae-4017-a432-a9d278188437</o:KeyIdentifier></o:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-89946b6c-e1ae-4017-a432-a9d278188437</o:KeyIdentifier></o:SecurityTokenReference></RequestedUnattachedReference><RequestedProofToken><ComputedKey>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</ComputedKey></RequestedProofToken><Entropy><BinarySecret>wbiz3coRVojmhwRJQONBB+VS5gW2TNiw512f8Petcpg=</BinarySecret></Entropy><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-10-02T14:22:57.4796612Z</Created><Expires 
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-10-02T22:39:51.4796612Z</Expires></Lifetime><KeySize>256</KeySize><SignWith>http://www.w3.org/2001/04/xmldsig-more#hmac-sha256</SignWith></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>


TargetUri  : https://pvw-lyncfe01.cfins.com:443/abs/handler
TargetFqdn : pvw-lyncfe01.cfins.com
Result     : Success
Latency    : 00:00:00
Error      :
Diagnosis  :
====== A Bad Test ================================================================
PS C:\> $cred1 = Get-Credential "cfins\dhartcf"
PS C:\> Test-CsAddressBookService -TargetFqdn pvw-lyncfe01.cfins.com -UserCredential $cred1 -UserSipAddress "sip:dan.hartmann@cfins.com"
        Connecting to web service : https://pvw-lyncfe01.cfins.com:443/WebTicket/WebTicketService.svc
        Using IWA authentication
        Successfully created connection proxy and website bindings
        Requesting new web ticket
        Sending Web-Ticket Request: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action></s:Header><s:Body><RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://pvw-lyncfe01.cfins.com/WebTicket/WebTicketService.svc</Address></EndpointReference></AppliesTo><Entropy><BinarySecret>T4deTySgimnLM6gQBJZEyv6uvTmdSV3CbGOTWstou3g=</BinarySecret></Entropy><KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType></RequestSecurityToken></s:Body></s:Envelope>
        ERROR communicating with GetWebTicket() service
System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Ntlm'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message request)
   at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()


TargetUri  : https://pvw-lyncfe01.cfins.com:443/abs/handler
TargetFqdn : pvw-lyncfe01.cfins.com
Result     : Failure
Latency    : 00:00:00
Error      : ERROR - No response received for Web-Ticket service.
             Inner Exception:The HTTP request was forbidden with client authentication scheme 'Ntlm'.
             Inner Exception:The remote server returned an error: (403) Forbidden.

Diagnosis  :



PS C:\> $absExternal
PS C:\> Test-CsAddressBookService -TargetFqdn pvw-lyncfe01.cfins.com -UserCredential $cred1 -UserSipAddress "sip:dan.hartmann@cfins.com"
        Connecting to web service : https://pvw-lyncfe01.cfins.com:443/WebTicket/WebTicketService.svc
        Using IWA authentication
        Successfully created connection proxy and website bindings
        Requesting new web ticket
        Sending Web-Ticket Request: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action></s:Header><s:Body><RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://pvw-lyncfe01.cfins.com/WebTicket/WebTicketService.svc</Address></EndpointReference></AppliesTo><Entropy><BinarySecret>dXDKVaA17SkWWjGqDqc8lM7c9gDfsqTXLW7W0zOvJNM=</BinarySecret></Entropy><KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType></RequestSecurityToken></s:Body></s:Envelope>
        ERROR communicating with GetWebTicket() service
System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Ntlm'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message request)
   at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()


TargetUri  : https://pvw-lyncfe01.cfins.com:443/abs/handler
TargetFqdn : pvw-lyncfe01.cfins.com
Result     : Failure
Latency    : 00:00:00
Error      : ERROR - No response received for Web-Ticket service.
             Inner Exception:The HTTP request was forbidden with client authentication scheme 'Ntlm'.
             Inner Exception:The remote server returned an error: (403) Forbidden.

Diagnosis  :

I am hoping that I can get some traction here as I have been working hard to make a case for Lync over Jabber. I am struggling with understanding the issue since the output is virtually the same with the exception of the user not being able to generate a web ticket. So I checked the service principal names for the server and the machine account is currently the account that is facilitating the Kerberos ticket stuff.

 MSSQLSvc/PVW-LYNCFE01.cfins.com:49356
 MSSQLSvc/PVW-LYNCFE01.cfins.com:RTCLOCAL
 MSSQLSvc/PVW-LYNCFE01.cfins.com:RTC
 MSSQLSvc/PVW-LYNCFE01.cfins.com:49287
 http/lyncpool.cfins.com
 sip/lyncpool.cfins.com
 sip/pvw-lyncfe01.cfins.com
 http/pvw-lyncfe01.cfins.com
 WSMAN/lyncpool
 WSMAN/lyncpool.cfins.com
 MSSQLSvc/lyncpool.cfins.com:RTC
 MSSQLSvc/lyncpool.cfins.com:49314
 RestrictedKrbHost/lyncpool
 RestrictedKrbHost/lyncpool.cfins.com
 HOST/lyncpool.cfins.com
 HOST/lyncpool
 TERMSRV/PVW-LYNCFE01.cfins.com
 TERMSRV/PVW-LYNCFE01
 WSMAN/PVW-LYNCFE01.cfins.com
 WSMAN/PVW-LYNCFE01
 RestrictedKrbHost/PVW-LYNCFE01
 HOST/PVW-LYNCFE01
 RestrictedKrbHost/PVW-LYNCFE01.cfins.com
 HOST/PVW-LYNCFE01.cfins.com

Thanks!

Amos
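An added example, not part of Amos's post and not Microsoft's code: a Lync Server Management Shell snippet that runs the same Test-CsAddressBookService transaction for several users and tabulates who does and does not get a web ticket, pulling the authentication scheme and HTTP status out of the Error text, then lists the Front End's SPNs and runs the standard duplicate-SPN check. The target FQDN, SIP addresses and account names come from the post; the $users list and column names are constructed, and the duplicate check is general Kerberos hygiene, not a diagnosis of this case.

```powershell
# Added example (not from the original post). Run in the Lync Server
# Management Shell on the Front End. Cmdlet parameters and result
# properties (Result, Error, Latency) are the ones shown in the post.
$targetFqdn = 'pvw-lyncfe01.cfins.com'

# Constructed list: each entry pairs a SIP address with the credential
# that should be able to obtain a web ticket for it.
$users = @(
    @{ Sip = 'sip:test2k10@cfins.com';     Cred = Get-Credential 'cfins\test2k10' },
    @{ Sip = 'sip:dan.hartmann@cfins.com'; Cred = Get-Credential 'cfins\dhartcf' }
)

$report = foreach ($u in $users) {
    $r = Test-CsAddressBookService -TargetFqdn $targetFqdn `
            -UserCredential $u.Cred -UserSipAddress $u.Sip

    # Extract the auth scheme and HTTP status from the Error text, if any.
    # On a clean run Error is empty and both stay $null.
    $scheme = $null; $status = $null
    if ($r.Error -match "client authentication scheme '(?<s>[^']+)'") {
        $scheme = $Matches['s']
    }
    if ($r.Error -match '\((?<c>\d{3})\)') {
        $status = [int]$Matches['c']
    }

    [pscustomobject]@{
        User       = $u.Sip
        Result     = $r.Result      # Success / Failure
        Latency    = $r.Latency
        AuthScheme = $scheme        # e.g. Ntlm on the failing users
        HttpStatus = $status        # e.g. 403 on the failing users
    }
}
$report | Format-Table -AutoSize

# SPNs registered on this Front End's computer account (the list in the post),
# followed by a forest-wide duplicate-SPN check; a duplicate HTTP/SIP SPN
# breaks Kerberos for everyone, so it is worth ruling out before going further.
setspn -L $env:COMPUTERNAME
setspn -X
```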
