
TLS-DSK Failing Back to NTLM

Occasional Advisor


When signing into our VVX phones directly or using BToE with their credentials, users are being signed in using NTLM rather than TLS-DSK.  PIN Auth works correctly and the users are registered with Skype using TLS-DSK.  I lowered the logging on the phones and can see the below errors during the sign-in process using credentials where it fails TLS-DSK and reverts to NTLM.

 

0328082302|sip |3|00|401 challenge received
0328082302|sip |2|00|SipCallState is not Idle, So send Re-INVITE
0328082302|sip |2|00|new UA Client Non-INVITE trans state 'callingTrying', timeout=0 (0xb62b5648)
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |1|00|TLS-DSK authentication
0328082302|sip |1|00|TLS-DSK: Setting of Client Certificate failed due to (33558530) error:02001002:system library:fopen:No such file or directory
0328082302|sip |1|00|TLS-DSK: Setting of Client Private key failed due to (537346050) error:20074002:BIO routines:FILE_CTRL:system lib
0328082302|utilm|4|00|uBLFUnCompressed: File /ffs0/Config/Local/WebTicket/0/private.key doesn't exist or is empty
0328082302|sip |3|00|getUserCertInfo: sip.usr[user@domain.com] result[-1] validUntil[0]
0328082302|sip |2|00|[ParseMessageHeader]:[540],SIPURI=[user@domain.com]
0328082302|sip |2|00|[ParseMessageHeader]:[555] Calling UC Fetch through Service FrameWork
0328082302|sip |1|00|NTLM authentication
0328082302|sip |1|00|Fall-back to NTLM

 

We have tested on most UCS versions from 5.4.5 to 5.7.0 with the same results.  Has anyone seen the below errors before and know what exactly could be happening?

 

0328082302|sip |1|00|TLS-DSK: Setting of Client Certificate failed due to (33558530) error:02001002:system library:fopen:No such file or directory
0328082302|sip |1|00|TLS-DSK: Setting of Client Private key failed due to (537346050) error:20074002:BIO routines:FILE_CTRL:system lib
Message 1 of 9
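A way to spot this condition across collected phone logs, as an added example that is not part of the original post: it parses the pipe-delimited log lines shown above and reports each TLS-DSK attempt that ended in "Fall-back to NTLM", together with the errors logged in between. The function and class names are hypothetical, and the sample input is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
0328082302|sip |3|00|401 challenge received
0328082302|sip |2|00|CStkAuth::ParseAuthenticateHeader: TLS-DSK parsing enabled
0328082302|sip |1|00|TLS-DSK authentication
0328082302|sip |1|00|TLS-DSK: Setting of Client Certificate failed due to (33558530) error:02001002:system library:fopen:No such file or directory
0328082302|sip |1|00|TLS-DSK: Setting of Client Private key failed due to (537346050) error:20074002:BIO routines:FILE_CTRL:system lib
0328082302|utilm|4|00|uBLFUnCompressed: File /ffs0/Config/Local/WebTicket/0/private.key doesn't exist or is empty
0328082302|sip |3|00|getUserCertInfo: sip.usr[user@domain.com] result[-1] validUntil[0]
0328082302|sip |1|00|NTLM authentication
0328082302|sip |1|00|Fall-back to NTLM
"""

LINE = re.compile(r"^(\d{10})\|([^|]*)\|(\d)\|(\d+)\|(.*)$")  # timestamp|component|level|field|message
USER = re.compile(r"getUserCertInfo: sip\.usr\[([^\]]+)\] result\[(-?\d+)\]")

@dataclass
class Attempt:  # hypothetical record type for one TLS-DSK sign-in attempt
    started: str
    user: str = ""
    reasons: list = field(default_factory=list)
    fell_back: bool = False

def find_fallbacks(text):
    """Return TLS-DSK attempts that ended in 'Fall-back to NTLM', with the errors seen on the way."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        ts, _comp, _level, _n, msg = m.groups()
        if msg == "TLS-DSK authentication":
            cur = Attempt(started=ts)  # a new attempt begins
            attempts.append(cur)
        elif cur is None:
            continue  # nothing to attribute this line to
        elif "failed due to" in msg or "doesn't exist or is empty" in msg:
            cur.reasons.append(msg)  # certificate/key setup errors
        elif (u := USER.search(msg)):
            cur.user = u.group(1)
        elif msg == "Fall-back to NTLM":
            cur.fell_back = True
            cur = None  # attempt closed
    return [a for a in attempts if a.fell_back]
```
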
Polycom Employee & Community Manager

Re: TLS-DSK Failing Back to NTLM

Hello @BDengler,

welcome back to the Polycom Community.

As reminded before most of your old post(s) => here <= are still open / pending as you have not marked these as "Accept as a solution" or at least provided some form of feedback or answer.

 

Are any of these escalated into Polycom as advised ? 

 

If yes what is the Polycom reference?

If they are in this state nobody finding them via a community search will know if an answer or advice provided was useful and has maybe helped you.

Could you therefore kindly go over them and mark or answer as appropriate ?

If they are marked as "Accept as a solution" other users can find these easier and it helps them to utilise the community more efficiently. 

 

In order to answer your original question the error you see is quite common and may be misleading.

 

I had a similar case in the past and certain ciphers were disabled on the Skype end.

 

sec.TLS.profile.1.cipherSuite="ALL:!aNULL:!eNULL:!DSS:!SEED:!ECDSA:!IDEA:!MEDIUM:!LOW:!EXP:!ADH:!PSK:!MD5:!RC4:@STRENGTH"
sec.TLS.profile.1.cipherSuiteDefault="0"

Please test the above and update your old posts accordingly.

 

The next step would be to raise a ticket.


In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you.

End Customers are unable to open a ticket directly with Polycom support.

If this is some sort of an Internet discounter please post either your phone's MAC address or your Polycom devices serial so I can look up who would be able to support you. This may not be who you purchased the Polycom device from.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services




<======== Signature / Disclaimer ========>
Please be aware:For questions about the type of support to expect please check here

Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

The title Polycom Employee & Community Manager is an automatic setting within the community and any forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Poly employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and maybe answered on weekends, bank holidays or personal holidays.
Message 2 of 9
Advisor

Re: TLS-DSK Failing Back to NTLM

If this is still an issue for you, is your domain set to: "NTLMv2 only. Refuse NTLM and LM"?

 

There was a bug that was resolved in the 5.7.2 firmware that broke NTLMv2 authentication.

Even with 5.7.2 it requires the user name be supplied in UPN or FQDN\username format.

Message 3 of 9
Occasional Advisor

Re: TLS-DSK Failing Back to NTLM

Hi James,

 

Yes, this is still an issue for us and thanks for the update to the thread.  Our LAN Manager authentication level is set up to refuse NTLM and LM.  I will test out the 5.7.2 firmware; it sounds promising if they addressed the bug that broke this.

Message 4 of 9
Advisor

Re: TLS-DSK Failing Back to NTLM

I also had to add a couple settings to my config...

 

device.set="1"
device.ntlm.versionMode="2"
device.ntlm.versionMode.set="1"

I've still got a ticket open for the NTLMv2 failure with credentials supplied in down-level format NetBios\username.

 

But it is working with credentials in UPN format username@FQDN and FQDN\Username.

 

Polycom also sent me a hotfix (5.5.4.2263) for the Trio8800 which are also affected.

Message 5 of 9
Advisor

Re: TLS-DSK Failing Back to NTLM

Polycom sent me a patched version 5.7.2 rts33 J (5.7.2.2186) release that resolved this issue for me on the VVX with credentials supplied in the domain\UserName down-level format.

Message 6 of 9
Polycom Employee & Community Manager

Re: TLS-DSK Failing Back to NTLM

Hello @JamesW and all,

 

Polycom reference for this is 1-9138231445 / EN-90495 / EN-101200

 

Best Regards

 

Steffen Baier




Message 7 of 9
Occasional Contributor

Re: TLS-DSK Failing Back to NTLM

Do we know if this issue has been fixed in 5.8.0.12848 Rev C?

 

Allen Armstrong

 

Message 8 of 9
Polycom Employee & Community Manager

Re: TLS-DSK Failing Back to NTLM

Hello @AllenArmstrong ,

 

welcome back to the Polycom Community.

 

5.8.0.12848 Rev C is the official Microsoft 3PIP certified and tested Version and to my personal knowledge the Fix is only in our next maintenance release 5.8.1 or later.

 

Polycom supports customers on all Major versions including maintenance releases. We are due to release UC Software 5.8.3 so if you are after this feature and want to stay on the 5.8.x train please await this or install for now UC Software 5.8.2

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services




Message 9 of 9