Outlook, Lync/SfB, Cloud Based Discovery and prompt for credentials

It’s been a while since I was troubleshooting prompt for credentials. The last time I was happy to find the root cause and how to fix this (you can read about it here).

Now the same issue seems to come back. But this time it has nothing to do with proxy settings. This time it has to do with KB3114351 and KB3114372 from December 8, 2015.

Besides security-related updates, these also implemented some major design changes, described in more depth in KB3135145:

  • Cloud Based Discovery
  • UPN Enforcement for OrgID
  • SIP Autodetection from Azure

Given the changes in combination with an existing OrgID and an on-premise infrastructure, I can see that the behavior of the client, when a transient error occurs, changed dramatically.

A typical transient error could occur when a user switches networks (e.g. moving from desk to meeting room). Normally a user will not quit the Outlook and Lync/SfB clients while moving, so the clients will experience a network outage.

In the past a client retried to establish the connection. A prompt for credentials would only occur when the client got a 401 HTTP status code or the Winsock error code WSAEACCES.

Since December’s update I have observed a different procedure when the Lync/SfB client experiences a transient error:

  • due to the transient error, the DNS-less Cloud Based Discovery is triggered
  • because an OrgID is discovered for the user, the client enforces UPN and no longer accepts the NTLM format
  • because the user’s cached credentials are in a different format (DOMAIN\USER), the user gets the prompt for credentials

Resolution

Luckily there is an option to control Cloud Based Discovery. All you need to do is to add the registry key described in KB3135145:

For Lync 2013 (Skype for Business) client:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\15.0\Lync

For Skype for Business 2016 client:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Lync

To disable the cloud-based discovery logic, run the following command to set the DisableCloudBasedDiscovery value as REG_DWORD to 1 (shown here for the Lync 2013 key; use 16.0 in the path for Skype for Business 2016):

reg add HKLM\Software\Policies\Microsoft\Office\15.0\Lync /v DisableCloudBasedDiscovery /t REG_DWORD /d 1 /f
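
The same setting for both client versions, as an added PowerShell example that is not part of the original post: it reports the current state of the value under each key and sets it only on request. The key paths and value name are the ones given above; the function names Get-CloudDiscoveryPolicy and Set-CloudDiscoveryDisabled are hypothetical.

```powershell
# Added example: audit and optionally set DisableCloudBasedDiscovery.
# Key paths and value name come from the post; function names are hypothetical.
$LyncPolicyKeys = [ordered]@{
    'Lync 2013 (Skype for Business)' = 'HKLM:\Software\Policies\Microsoft\Office\15.0\Lync'
    'Skype for Business 2016'        = 'HKLM:\Software\Policies\Microsoft\Office\16.0\Lync'
}
$ValueName = 'DisableCloudBasedDiscovery'

function Get-CloudDiscoveryPolicy {
    # Report, per client version, whether the policy value exists and what it holds.
    foreach ($entry in $LyncPolicyKeys.GetEnumerator()) {
        $item = Get-ItemProperty -Path $entry.Value -Name $ValueName -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set' }
                 elseif ($item.$ValueName -eq 1) { 'discovery disabled (1)' }
                 else { "present, value $($item.$ValueName)" }
        [pscustomobject]@{
            Client = $entry.Key
            Key    = $entry.Value
            State  = $state
        }
    }
}

function Set-CloudDiscoveryDisabled {
    # Write the REG_DWORD value 1 under both policy keys, creating a key if it is missing.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $LyncPolicyKeys.Values) {
        if ($PSCmdlet.ShouldProcess($path, "Set $ValueName = 1")) {
            if (-not (Test-Path -Path $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Read-only by default: show the current state for both versions.
Get-CloudDiscoveryPolicy | Format-Table -AutoSize

# Preview, then apply (writing under HKLM requires an elevated session):
# Set-CloudDiscoveryDisabled -WhatIf
# Set-CloudDiscoveryDisabled
```
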

Conclusion

The design changes should help to improve the end-user experience. Nevertheless, there are scenarios where this new behavior might not play well in combination with on-premise services and users having OrgIDs.