
  • Connect Client problems after installing new certificate

    I really want to like the Connect Client, but...

    I wanted to secure my setup, so I bought a third party SSL certificate (2 actually), one for the HQ Director, and one for the SA100 conferencing server. I loaded the one for the SA100, everything worked fine, no issues. I loaded the one for the HQ Director, and, everything also worked fine except that now Connect Client won't connect. The IP phones connect to the Directory and History fine. Connect Client reports "Unable to reach your server at FQDN." To rule out a DNS issue, I key in the IP address, and that also doesn't work. Confusingly, the Director logs a successful login attempt, "The user Domain\User authenticated successfully using network credentials."

    In the Connect Client logs, I see this being reported after every login attempt:

    10:31:04.950 ERROR: Request Error: error code: 404, URL: https://shoretel.domain.com/shoreauth/useradauth?expiry=260000"&_=1527690488238

    The odd thing is, if I copy and paste that URL into a browser, I do NOT get a 404, I get a bunch of data returned.

    I have checked the bindings in IIS to make sure that the new certificate is active (it is), I have also restarted the server multiple times. Everything else seems to be working fine; phones, even the conferencing Outlook plugins connect and work fine, but Connect Client just won't connect now.

    I am genuinely stumped at this point.

  • #2
    Whenever you import a new certificate into HQ, you have to reboot.
    In addition, if you're on Server 2016, you have to use IISCrypto.exe to change a cipher suite up to the top of the list and enable

    CONNECT CLIENT CANNOT LOGIN IF DIRECTOR IS ON SERVER 2016

    If Connect HQ server is on Windows Server 2016, and a 3rd party certificate is installed, the connect client cannot login.

    SCENARIO
    If Connect HQ server is on Windows Server 2016, and a 3rd party certificate is installed, the connect client cannot login.

    You may receive a “cannot contact your server” or "your username and password are incorrect" error message.


    SYMPTOMS
    If you try to browse to the director webpage from a desktop you may also receive an error message stating "inadequate_transport_security" or something similar.


    CAUSE
    Windows Server 2016 has changed the default Cipher suite list.

    This combined with browser vendors implementing stricter controls on encryption algorithms causes the HTTPS connection from the connect client to fail.


    RESOLUTION
    You will want to enable and move TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the top of the cipher suite list on the Server 2016 computer.

    You can do this through the registry or by using a GUI tool called IIS Crypto 2.0 (https://www.nartac.com/Products/IISCrypto/)


    Last edited by Lance; 05-30-2018, 02:20 PM. Reason: Edited the post so all users can see the resolution
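The registry route from the resolution above, sketched in PowerShell. This is an added example, not part of the original post or the vendor's article. It assumes an elevated session on the Server 2016 host and uses the built-in TLS module cmdlets (`Get-TlsCipherSuite`, `Enable-TlsCipherSuite`, `Disable-TlsCipherSuite`).

```powershell
# Added example: check where the suite sits and move it to the top of the local list.
$suite = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# A cipher suite order set through Group Policy lives under this key and takes
# precedence over the local list that the TLS cmdlets edit, so check it first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions

if ($policy) {
    # The value may be one comma-separated string or a multi-string; handle both.
    $policyList = @(@($policy) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $policyPos  = [array]::IndexOf($policyList, $suite)
    if ($policyPos -lt 0) {
        Write-Warning "$suite is missing from the policy-defined order; fix the policy, not the local list."
    } else {
        Write-Output "Policy-defined order is active; $suite is at position $policyPos (0 = top)."
    }
    return
}

# No policy override: work on the local list.
$names = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
$pos   = [array]::IndexOf($names, $suite)

if ($pos -eq 0) {
    Write-Output "$suite is already first in the list."
} else {
    if ($pos -gt 0) {
        # Already enabled but lower down: remove it so it can be re-added at the top.
        Disable-TlsCipherSuite -Name $suite
    }
    Enable-TlsCipherSuite -Name $suite -Position 0
    Write-Output "$suite moved to position 0 (was: $pos, -1 = not enabled)."
}

# Show the first few entries for confirmation, then reboot the server as the post says.
Get-TlsCipherSuite | Select-Object -First 5 -ExpandProperty Name
```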



    • #3
      Thanks for that, that indeed was the cause of my problem. I am on Windows Server 2016 and that cipher was disabled, so after enabling it and moving it to the top of the list with IIS Crypto 2.0 and rebooting, the client will connect using HTTPS now. However, it won't connect on the first attempt for some reason. When you launch Connect Client, it will tell you it is unable to reach the server, but if you hit Sign In again without changing a thing, it connects right away. Very odd.



      • #4
        That was a bug fixed in I believe the last two builds. Check the resolved issues but I know that was fixed for certain. I've been the certificate go-to in my team lately and very familiar with some of these newer issues with certificates.

        Wooo! I'm on a roll - is BTX looking for a new engineer, Lance?
        Last edited by augie; 06-01-2018, 09:55 AM.



        • #5
          Originally posted by OcalaGator
          Thanks for that, that indeed was the cause of my problem. I am on Windows Server 2016 and that cipher was disabled, so after enabling it and moving it to the top of the list with IIS Crypto 2.0 and rebooting, the client will connect using HTTPS now. However, it won't connect on the first attempt for some reason. When you launch Connect Client, it will tell you it is unable to reach the server, but if you hit Sign In again without changing a thing, it connects right away. Very odd.
          Does it affect all users or just users that attempted to log in before the certificate issue was resolved?

          I have seen removal of the %localappdata%\ShoreTel folder fix this issue. Close the client before you remove/move/delete this folder. The client will rebuild this folder the next time it launches. Only seen it fix it when the client attempted to log in while there was a certificate issue.



          • #6
            @dnhansen

            This problem was solved in Build 21.87.3629.0/ Client 213.100.2973.0.

            Created By: <anonymous> 3/23/2018
            Subject: Connect Client Users With AD Integration have to log in twice due to "Unable To Reach Your Server" error
            Case Comment: anonymous,

            I have good news to report today. The fix for the issue you reported is available in release of Connect ONSITE Software Build 21.87.3629.0/ Client 213.100.2973.0 or higher. This build is available from the Support site.

