I was recently deploying Lync Phone Edition for a client and ran into a strange situation where phones we set up at a certain site were all failing to sign in to Lync with their previously established PIN Authentication. We would configure the brand new phones out of the box using PIN Authentication, and they would successfully sign on to Lync Server and all was well. So we thought…
Later, once the phones were idle, they downloaded their firmware updates, rebooted, and then failed authentication, displaying the message “Cannot contact certificate Web Service”. Thinking it was an anomaly, we re-entered the PIN Authentication info and the phone promptly signed on to Lync. To be sure, I rebooted the phone once more and found that it would display that it could not contact the Lync Server and to check the network port… Seconds later it paused on the same message, “Cannot contact certificate web service”…
We checked the previously installed site and the Lync phones were not exhibiting this behavior there. Still, because that site had a different DHCP server, we double-checked all the DHCP settings in the problematic site. (See http://technet.microsoft.com/en-us/library/gg398369(OCS.14).aspx and Jeff Schertz’s great blog on how to do this: http://blog.schertz.name/2010/12/configuring-lync-server-for-phone-edition-devices/) After double-checking that all the DHCP settings that were done for Lync were correct, I was convinced it was something else. If the DHCP settings had been incorrect, the phones likely would not have been able to sign on at all.
Doing some searching, I found the following post in the TechNet forums: http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/c870fbb3-96d5-4e12-8cf8-53e147d8c020/ This was the exact same issue we were experiencing, and in that case they traced it back to a switch issue. We asked the network team to compare the settings on the switch in this site with the working site, and they found that LLDP was not enabled. They enabled it and we retested. Same problem. Further probing showed that while Spanning Tree was enabled on the switches, the PortFast option was not enabled on the ports connecting workstations, servers and phones. PortFast speeds up convergence on ports that connect to workstations, servers or phones: essentially, any device that will not cause spanning tree loops (as other connected switches could).
After enabling PortFast on these ports, we retested several times and success! The phones signed on straight away every time.
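The switch-side change described above, shown as an added configuration example that is not from the original post; the post does not name the switch vendor, so Cisco IOS syntax, the interface name, and the VLAN numbers are assumptions. The "before" port is the weak setting (Spanning Tree on, no PortFast); the "after" port adds PortFast plus BPDU Guard so an edge port can never silently become a loop.

```cisco
! Global: LLDP on, as the network team enabled it (constructed example)
lldp run
!
! BEFORE (constructed): edge port with Spanning Tree but no PortFast.
! After every link-up (e.g. a phone rebooting post-firmware update) the
! port sits in listening/learning for ~30 s, long enough for the phone
! to time out against DHCP and the certificate web service.
interface GigabitEthernet1/0/10
 description Lync Phone Edition / workstation (assumed interface)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
!
! AFTER (constructed): PortFast moves the port straight to forwarding.
! BPDU Guard err-disables the port if a BPDU ever arrives, i.e. if
! someone plugs a switch into a port meant for a phone or workstation,
! which is the one case where PortFast could introduce a loop.
interface GigabitEthernet1/0/10
 description Lync Phone Edition / workstation (assumed interface)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification after the change (assumed show commands):
! show spanning-tree interface GigabitEthernet1/0/10 portfast
! show lldp neighbors
```

Apply the access-port block only to ports facing end devices; never enable PortFast on uplinks to other switches.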