Friday, May 23, 2014

Lync 2013 Android client error connecting to ADFS 3.0 federated Office 365 service

So after our migration from the old ADFS 2.0 servers to ADFS 3.0, my Android-based Lync users started getting "We can't sign you in, please try again" errors at login.  After digging around I found a forum entry from Jeffr.M which points out that the Lync Android app does not support Server Name Indication (SNI), so it fails against servers that serve multiple certificates on the same IP and port.  That is exactly how ADFS 3.0 binds its certificate: HTTP.sys holds a hostname (SNI) binding only, and a client that doesn't send the hostname in the TLS handshake never gets a certificate back.

The fix is to add a non-SNI, catch-all binding on 0.0.0.0:443 that hands out the same certificate no matter which hostname (if any) the client asks for.  If you're using a Web Application Proxy like I am you'll want to do this on that server as well.  First, list the bindings you already have:

netsh http show sslcert

The command above shows every binding with its associated certificate hash and application ID.  Take both values from the Hostname:port entry for your federation service; you'll need them for the next step.

netsh http add sslcert ipport=0.0.0.0:443 certhash=INSERTHASHHERE appid='{INSERTAPPIDHERE}'

Note the single quotes around the appid.  PowerShell parses a bare {...} as a script block, so without the quotes netsh never sees the curly brackets and you get an error (in a plain cmd.exe prompt the quotes aren't needed).  More info here

Note 2: If you're thinking it's easier to just copy/paste the certificate hash (thumbprint) from the MMC Certificates snap-in - Don't.  That field carries an invisible left-to-right mark character at the start, plus the spaces between byte pairs, and netsh rejects the value with an error that takes forever to debug.  Use the hash exactly as netsh http show sslcert prints it.

After you do that on your ADFS 3.0 and WAP servers, restart the ADFS service (adfssrv) on each of them and your Android Lync clients will start working again.
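The whole procedure above in one script, as an added example (my own, not something from the forum post or from Microsoft): it parses the netsh output, copies the hash and application ID from the existing SNI binding of the federation service, scrubs any hidden characters out of the thumbprint, adds the catch-all binding and restarts adfssrv.  The federation service name sts.contoso.com is a placeholder; substitute your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on each AD FS 3.0 server and on each Web Application Proxy.
# Assumption: the federation service name below is a placeholder.
param(
    [string]$FederationHost = 'sts.contoso.com',   # assumed placeholder
    [string]$CatchAllIpPort = '0.0.0.0:443'        # non-SNI catch-all binding
)

function Get-HttpSslBindings {
    # Turn the block-per-binding text of 'netsh http show sslcert' into objects.
    # SNI bindings print as "Hostname:port", plain IP bindings as "IP:port".
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Kind    = if ($Matches[1] -eq 'Hostname:port') { 'SNI' } else { 'IP' }
                Binding = $Matches[2]
                Hash    = $null
                AppId   = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function ConvertTo-CleanThumbprint {
    # Keep only hex digits. A thumbprint pasted from the certificate MMC carries
    # an invisible left-to-right mark and spaces that netsh rejects.
    param([string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Thumbprint '$Thumbprint' does not reduce to 40 hex digits (got $($clean.Length))."
    }
    return $clean
}

$all = Get-HttpSslBindings
$sni = $all | Where-Object { $_.Kind -eq 'SNI' -and $_.Binding -ieq "${FederationHost}:443" }
if (-not $sni) {
    throw "No SNI binding for ${FederationHost}:443 found; check the federation service name."
}

if ($all | Where-Object { $_.Kind -eq 'IP' -and $_.Binding -eq $CatchAllIpPort }) {
    Write-Host "Catch-all binding on $CatchAllIpPort already exists; nothing to do."
}
else {
    $hash  = ConvertTo-CleanThumbprint $sni.Hash
    $appid = $sni.AppId   # already in {GUID} form as netsh prints it

    # Quoting matters: a bare {GUID} is a PowerShell script block, so the
    # braces are handed to netsh inside a quoted string.
    netsh http add sslcert ipport=$CatchAllIpPort certhash=$hash appid="$appid"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
    Write-Host "Added catch-all binding on $CatchAllIpPort using certificate $hash."
}

# Show the new binding, then restart AD FS so it is picked up.
netsh http show sslcert ipport=$CatchAllIpPort
if (Get-Service adfssrv -ErrorAction SilentlyContinue) { Restart-Service adfssrv }
```

The script refuses to run if it cannot find the hostname binding, and it never invents a hash: the only source for the certificate is what HTTP.sys already has bound for the federation service, so the catch-all binding cannot end up pointing at the wrong certificate.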

On a related note, if your OneDrive authentication isn't working, try disabling the /adfs/services/trust/2005/windowstransport endpoint (disable it on the proxy if you're using a proxy, or just disable it on both the proxy and the internal side to be safe).  There's a bug with the windowstransport endpoint in ADFS 3.0 and OneDrive authentication.
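The endpoint change in AD FS PowerShell, as an added example of my own rather than anything from the original post.  Endpoints are managed on the ADFS server itself, not on the Web Application Proxy, and the change only takes effect after the federation service restarts.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the AD FS 3.0 server; the proxy inherits the endpoint list.
$path = '/adfs/services/trust/2005/windowstransport'

# Current state: Enabled is the internal side, Proxy is whether the WAP publishes it.
Get-AdfsEndpoint -AddressPath $path | Format-List AddressPath, Enabled, Proxy

# Stop the Web Application Proxy from publishing the endpoint ...
Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false

# ... and turn it off on the internal side too, to be safe.
Disable-AdfsEndpoint -TargetAddressPath $path

# Endpoint changes are only applied after the federation service restarts.
Restart-Service adfssrv

# Both flags should now read False.
Get-AdfsEndpoint -AddressPath $path | Format-List AddressPath, Enabled, Proxy
```

If you only want to stop exposing the endpoint externally, leave out the Disable-AdfsEndpoint line; the -Proxy $false setting alone is what the proxy honours.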