Thursday, October 5, 2017

SQL to list Users logged to Lync and their device

-- One row per registered endpoint: client version, user, last registration time and expiry
SELECT CAST(RE.ClientApp AS varchar(100)) AS ClientVersion,
       R.UserAtHost AS UserName,
       HRD.LastNewRegisterTime AS LastRegisterTime,
       EP.ExpiresAt
FROM rtcdyn.dbo.RegistrarEndpoint RE
INNER JOIN rtc.dbo.Resource R ON R.ResourceId = RE.OwnerId
INNER JOIN rtcdyn.dbo.Endpoint EP ON EP.EndpointId = RE.EndpointId
INNER JOIN rtcdyn.dbo.HomedResourceDynamic HRD ON HRD.OwnerId = R.ResourceId
ORDER BY UserName, ClientVersion


Tuesday, October 3, 2017

Polycom VVX debug

I had a case where a VVX did not work with hybrid Exchange and Lync on-premises. I spent a lot of time trying to understand why it was not working, until I enabled logging for CURL as DEBUG :)

As always the problem was in SSL Certificates.

Saturday, September 23, 2017

Polycom VVX for hybrid Exchange

Polycom FW version 5.5.3 and Exchange hybrid.

From the logs we see that the Polycom tries to perform autodiscover, but finally fails and leaves EWS not deployed for online users. I will continue debugging that, but I found a workaround:

Log in with SIP and UPN as username@domain.com, but leave the domain field empty.
Then under Settings - Applications - Exchange server URL you can hardcode:

https://outlook.office365.com/EWS/Exchange.asmx/WSSecurity

and leave autodiscover disabled.

Update: with CURL DEBUG we can see that the problem was that the DigiCert SSL certificates were not trusted, due to limits we had left over from other tests in Network - TLS - Application profile 6 (select certificates from platform or imported, but we had only one certificate selected). I also imported the DigiCert root, as for unknown reasons Outlook is based on that while the rest of MS is Baltimore.


Inside ExchUCUtil.ps1

https://flinchbot.com/2013/09/09/exchucutil/

Friday, September 15, 2017

ADFS tricks for MFA

ADFS access control rules that disable MFA for the Office 365 application when users connect from the intranet or from Lync clients, and enforce MFA for members of an AD group:

# Relying party trust for Office 365
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
# Rule 1 flags requests whose user agent is not Skype, ACOMO or Lync.
# Rule 2 requires MFA for group members (by SID) when the request is flagged and comes from outside the corporate network.
$groupMfaClaimTriggerRule = 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"]) => add(type = "http://schemas.company.com/not_lync", value = "true" );
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-796845957-688789844-854245398-6148"]  && c2:[Type =="http://schemas.company.com/not_lync", Value== "true"] && c3:[Type =="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value== "false"]=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule


We use this rule to let Lync on-premises users use Exchange Online.
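
The decision these two rules make can be modelled locally to review which sign-ins receive the MFA claim before the relying party trust is changed. This is an added example, not code from the original post or part of ADFS: the function name Test-MfaTrigger, the user-agent strings, the second SID and the sample requests are constructed for illustration.

```powershell
# Added example: local model of the two additional-authentication rules.
# Test-MfaTrigger and the sample requests are constructed; they are not ADFS cmdlets or real logs.
$MfaGroupSid = 'S-1-5-21-796845957-688789844-854245398-6148'   # group SID used in the rule

function Test-MfaTrigger {
    param(
        [string[]] $UserAgent     = @(),   # x-ms-client-user-agent claim values
        [string[]] $GroupSid      = @(),   # groupsid claim values
        [string[]] $InsideCorpNet = @()    # insidecorporatenetwork claim values
    )
    # Rule 1: not_lync is added only if no user-agent claim matches any pattern.
    # Three NOT EXISTS joined by && equal one NOT EXISTS over the alternation;
    # -match is case-insensitive, like the rule's (?i).
    $notLync = @($UserAgent | Where-Object { $_ -match 'skype|ACOMO|lync' }).Count -eq 0

    # Rule 2: == in the claim rule language is case-sensitive, hence -ccontains.
    $inGroup = $GroupSid -ccontains $MfaGroupSid
    $outside = $InsideCorpNet -ccontains 'false'   # an absent claim does not satisfy c3

    return ($inGroup -and $notLync -and $outside)
}

# Constructed sample values
$browser  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
$lync     = 'UCCAPI/16.0 (Microsoft Lync)'
$otherSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'

$samples = @(
    [pscustomobject]@{ Case = 'member, extranet, browser';       Claims = @{ UserAgent = $browser; GroupSid = $MfaGroupSid; InsideCorpNet = 'false' } }
    [pscustomobject]@{ Case = 'member, extranet, Lync client';   Claims = @{ UserAgent = $lync;    GroupSid = $MfaGroupSid; InsideCorpNet = 'false' } }
    [pscustomobject]@{ Case = 'member, intranet, browser';       Claims = @{ UserAgent = $browser; GroupSid = $MfaGroupSid; InsideCorpNet = 'true' } }
    [pscustomobject]@{ Case = 'non-member, extranet, browser';   Claims = @{ UserAgent = $browser; GroupSid = $otherSid;    InsideCorpNet = 'false' } }
    [pscustomobject]@{ Case = 'member, extranet, no user agent'; Claims = @{ GroupSid = $MfaGroupSid; InsideCorpNet = 'false' } }
    [pscustomobject]@{ Case = 'member, no network claim';        Claims = @{ UserAgent = $browser; GroupSid = $MfaGroupSid } }
)

# One row per constructed request with the modelled decision
$samples | ForEach-Object {
    $claims = $_.Claims
    [pscustomobject]@{ Case = $_.Case; MfaRequired = Test-MfaTrigger @claims }
} | Format-Table -AutoSize
```

The last two cases cover missing claims: a request with no user-agent claim still satisfies every NOT EXISTS condition, while a request with no insidecorporatenetwork claim can never satisfy c3.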