To troubleshoot Lync sign-in errors, start by eliminating the most common causes of sign-in difficulty. If necessary, you can then follow specific resolution steps based on the type of error. If the user still cannot sign in, collect additional information, and then seek additional help.
What do you want to do?
Check for common causes of Lync sign-in errors
Most Lync sign-in issues can be traced to a small number of causes, and many of these are easy to correct. The table below lists some common causes of sign-in errors and some steps you or the users can take to resolve them.
|During sign-in, a dialog box appears that contains the following phrase: Lync cannot verify that the server is trusted for your sign-in address. Connect anyway?
Verify that the domain name in the dialog box is a trusted server in your organization—for example, domainName.contoso.com. Ask the user to select the Always trust this server check box, and then click Connect.
Enterprise customers can prevent this message from appearing when a user signs in for the first time by modifying the Windows registry on each user’s computer. For details, see Modify TrustModelData registry keys.
|Mistyped sign-in address, user name, or password
- Confirm that the user’s sign-in name and password are correct.
- Verify that the user’s sign-in name is formatted as follows: email@example.com. This may be different from the format you use to sign in to your organization’s network.
- Ask the user to try signing in to Lync again.
||Reset the user’s password and notify him or her of the new temporary password.
|Not licensed to use Lync Online
||Confirm that the user is registered as a Lync user. If not, register the user, and then ask him or her to sign in to Lync again.
|Wrong version of Lync installed
This issue is usually associated with an error message that contains the following phrase: the authentication service may be incompatible with this version of the program.
Ask the user to uninstall and reinstall Lync from the Office 365 Portal at http://portal.microsoftonline.com/.
|Microsoft Online Services Sign-In Assistant missing
Users receive this message To sign in, additional software is required. Download and install now?
The error message contains a link that allows users to install the Microsoft Online Services Sign-in Assistant from the Office 365 Portal at http://portal.microsoftonline.com/.
|Problem acquiring a personal certificate that is required to sign in
||If the user’s sign address has recently changed, they may need to delete cached sign-in data. Ask users to run the automated Fix it wizard in Microsoft Knowledge Base article 2604176.
|User name, password, or domain appears to be incorrect
||The user’s sign address may have changed recently. Ask the user to reinstall the Online Services Sign-in Assistant from the Office 365 Portal at http://portal.microsoftonline.com/, and then try signing in again
|You set up a custom domain name, and the changes may not have finished propagating through the system.
First, ensure that you have modified the Domain Name Service (DNS) records to reflect the change. For details, see Update DNS Service (SRV) Records.
If you have already made the necessary DNS changes, advise the user to try logging in later. DNS changes can take up to 72 hours to be reflected throughout the system.
|System clock out of sync with server clock
||Ensure that your network domain controller is synchronizing with a reliable external time source. For details, see the Microsoft Knowledge Base article 816042, How to configure an authoritative time server in Windows Server.
Follow resolution steps for a specific error (Enterprise only)
Important These instructions are intended primarily for Enterprise (Microsoft Office 365 “Plan E”) customers. If you are a Professional and Small Business (Microsoft Office 365 “Plan P”) customer, continue to the following section, Collect more information and seek additional help.
If the user cannot sign in after you have tried the suggestions in the previous section, then you can do additional troubleshooting based on the type of error. The table below lists the most common error messages and possible causes. Following the table are detailed procedures to address each issue.
|Sign-in address not found
||Sign-in requests from the Microsoft Online Services Sign-On Assistant (msoidsvc.exe) are not going through your external firewall, or proxy server.
||Add a firewall entry for msoidsvc.exe to your proxy server
|Server is temporarily unavailable
||If your organization has a custom domain, the necessary Domain Name System (DNS) settings may be missing or incorrect.
||Contact your domain name registrar and update the DNS Service (SRV) records
|Server is temporarily unavailable
||If your organization is using single sign-on with Active Directory Federation Services (ADFS), you may have used a self-signed Secure Socket Layer (SSL) certificate rather than one from a third-party certification authority.
||Install a third-party SSL certificate on your ADFS server
|Problem acquiring a personal certificate that is required to sign in
||If you’ve already removed the cached server data used by Lync to sign in and the error continues to appear, the user’s security credentials may be corrupted, or an RSA folder on the user’s computer may be blocking authentication.
||Update security credentials
|A certificate trust dialog box appears when a user signs in for the first time.
||This dialog box appears if your Lync server is not yet listed in the TrustModelData registry key.
||Modify TrustModelData registry keys
|User is not SIP enabled
||If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services.
||Update user settings in Active Directory
Add a firewall entry for msoidsvc.exe to your proxy server
This procedure is a possible fix for the following error message: Sign-in address not found.
NOTE: The following steps assume you are using Microsoft Forefront Threat Management Gateway (TMG) 2010. If you have a different web gateway solution, use the settings described in step 4 below.
To create an application entry for Msoidsvc.exe in Forefront TMG 2010, follow these steps:
1. In the Forefront left pane, click Networking.
2. Click the Network tab. Under the Tasks tab in the right pane, click Configure Forefront TMG Client Settings.
3. In the Forefront TMG Client Settings dialog box, click New.
4. In the Application Entry Setting dialog box, configure the following rules:
For details, see the Microsoft Knowledge Base article 2409256, You cannot connect to Lync Online because an on-premises firewall blocks the connection.
Update DNS settings
If your organization has a custom domain, this procedure is a possible fix for the following error message: Server is temporarily unavailable.
- Contact your domain name registrar for information on how to add the following CNAME record to your domain:
- DNS record type: CNAME
- Name: sip
- Value/Destination: sipdir.online.microsoft.com
For details, see the Microsoft Knowledge Base article 2566790, Unable to sign in to Lync Online because the server is temporarily unavailable, and the Office 365 Wiki article, Ensuring your network works with Lync Online.
Install a third-party SSL certificate on your ADFS server
To install a third-party SSL certificate on your Active Domain Federation Services (ADFS) server, follow these steps:
- Obtain an SSL certificate from a third-party certification authority such as VeriSign or Thawte.
- Install the certificate on your ADFS server by using the ADFS management console. For details, see Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on.
Update security credentials
This procedure is a possible fix for the error message Problem acquiring a personal certificate required to sign in.
To eliminate possible certificate or credential problems, first renew the user’s certificate in Windows Certificate Manager. To do this, follow these steps:
- Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.
- Double-click Personal, and then double-click Certificates.
- Sort by the Issued By column, and then look for a certificate that is issued by Communications Server.
- Right-click the certificate, and then click Delete.
Next, if the user is running Windows 7, remove their stored credentials in Windows Credential Manager. To do this, follow these steps:
- Click Start, click Control Panel, and then click Credential Manager.
- Locate the set of credentials that is used to connect to Lync Online.
- Expand the set of credentials, and then click Remove from Vault.
- Sign in to Lync Online again and reenter the user’s credentials.
Finally, if the user still cannot sign in after you’ve updated their credentials, try deleting the RSA folder on the user’s computer, because it could be blocking completion of the user authentication process:
- Sign in to the user’s computer using an administrator account.
- If necessary, turn on the folder view option Show hidden files. For details, see the Windows help topic Show hidden files.
- Type the following into the address bar of Windows Explorer: C:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA, where UserName is your Windows sign-in name.
- Delete any folder that begins with the name S-1-5-21- followed by a string of numbers.
Modify TrustModelData registry keys
When a user signs in for the first time, they may receive a dialog box that contains the following phrase: Lync cannot verify that the server is trusted for your sign-in address. Connect anyway? This is a security feature, and not an error. However, you can prevent the dialog box from appearing by using a Group Policy Object (GPO) to update users’ machines with your domain name before they sign in for the first time. To accomplish this, do the following:
- Create and deploy a GPO that appends your Lync Online domain name—for example, domainName.contoso.com—to the current value of HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\TrustModelData.
Important You must append your domain name to the existing value, not simply replace it.
For details, see the Microsoft Knowledge Base article 2531068, Lync cannot verify that the server is trusted for your sign-in address.
Update user settings in Active Directory
If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services.
To fix this issue, follow these steps:
- Update the msRTCSIP-UserEnabled attribute for all affected users to TRUE.
- Rerun the Microsoft Online Services Directory Synchronization Tool (DirSync). For details, see Active Directory synchronization: Roadmap.
Top of Page
Use the Microsoft Support troubleshooting guide
If you’re still not able to resolve the user’s sign-in problems, review the suggestions in Microsoft Knowledge Base article 2541980, How to troubleshoot authentication and connectivity issues in Lync Online.
Collect more information and seek additional help
If you’ve followed the guidance above and still can’t resolve your Lync Online sign-in issues, you must collect additional information and contact technical support. To do this, follow these steps:
- Obtain the Lync log files and Windows Event log details from the user’s machine. For step-by-step instructions, see the end-user help topic Set Logging options.
- Send the log files and detailed information about the error to technical support:
Note You may be asked to supply additional diagnostic information by installing the Microsoft Online Services Diagnostic and Logging (MOSDAL) Support Toolkit on the affected user’s machine. For details, see Using the MOSDAL Support Toolkit.
Top of Page