
Connect with Pidgin to Lync 2013 in Linux Mint 17.3 (Ubuntu 14.04)
Wednesday - Jan 13th 2016 - by - (2 comments)

It took me quite a while, but eventually I got it working: using Pidgin on Linux Mint to connect to the company's Lync 2013 server. I installed the following packages:

sudo apt-get install pidgin pidgin-sipe

Afterwards I needed to handle quite a few hiccups.

Problem 1: Self-Signed certificates

The first problem was that the internal SIP server had self-signed certificates and Pidgin refused to connect to the server:

(10:24:14) proxy: Connected to sipserver01:5061.
(10:24:14) nss: subject=CN=sipserver01.company.local,OU=IT,O=Company,L=Zuerich,ST=Zuerich,C=CH issuer=CN=Company CA,O=Company,C=CH
(10:24:14) nss: partial certificate chain
(10:24:14) certificate/x509/tls_cached: Starting verify for sipserver01
(10:24:14) certificate/x509/tls_cached: Checking for cached cert...
(10:24:14) certificate/x509/tls_cached: ...Not in cache
(10:24:14) nss: CERT 0. CN=sipserver01.nzzmg.local,OU=IT,O=Company,L=Zuerich,ST=Zuerich,C=CH :
(10:24:14) nss:   ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER
(10:24:14) certificate: Failed to verify certificate for poolzh01
(10:24:14) connection: Connection error on 0x7fc15343b8f0 (reason: 0 description: SSL peer presented an invalid certificate)

Although there are a lot of pidgin bugs/requests open to allow self-signed certificates, there is a manual workaround. I downloaded the SSL certificate by using the following openssl command:

openssl s_client -connect sip.company.local:443

This gave me the server's first certificate and the information about which certificate had signed it. The issuer turned out to be another self-signed CA certificate, which was deployed on all Windows workstations.
To get the CA certificate, I logged into a Windows machine running in the company's domain and did the following steps:

Open Internet Explorer -> Internet Options -> Content (Inhalte in German) -> Certificates -> Intermediate Certification Authorities (Zwischenzertifizierungsstellen)

In my case, the company's CA certificate could be selected in this list and I exported it as Base-64 coded X509 certificate.

Now that I had both certificates (the main server certificate plus its issuing certificate), I saved them in the following paths:

  • ~/.purple/certificates/x509/tls_cached/
  • ~/.purple/certificates/x509/tls_peers/

However, this was still not sufficient because Pidgin reported that the Company CA certificate was not trusted. So I needed to copy the CA certificate into /etc/ssl/certs, too. After this, first success:

(10:39:13) certificate/x509/ca: Lazy init completed.
(10:39:13) nss/x509: Exporting certificate to /home/admck/.purple/certificates/x509/tls_peers/sipserver.company.local
(10:39:13) util: Writing file /home/admck/.purple/certificates/x509/tls_peers/sipserver.company.local
(10:39:13) nss: Trusting CN=sipserver01.company.local,OU=IT,O=Company,L=Zuerich,ST=Zuerich,C=CH
(10:39:13) certificate: Successfully verified certificate for sipserver.company.local
(10:39:13) stun: using server
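
Before copying an exported CA file into a trust directory, it is worth confirming that it really is the issuer of the certificate the server presented. The following is an added example, not part of the original post: the helper names (make_demo_pki, first_cert, issued_by, fingerprint) and the certificate names are constructed for the demo, which generates its own throwaway certificates so it runs offline.

```shell
#!/bin/sh
# Added example with constructed data: nothing here contacts a real server.

# Build a throwaway CA, a server certificate it signs, and an unrelated CA.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.demo.invalid" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Read `openssl s_client` style output on stdin, print the first PEM block
# (the server's own certificate) and nothing else.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p = 1}
         p {print}
         /-----END CERTIFICATE-----/ {exit}'
}

# True only if SERVER.pem verifies with CA.pem supplied as the trusted CA.
# usage: issued_by CA.pem SERVER.pem
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparison with a value from the CA's owner.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: simulate saved s_client output, extract the leaf, check both CAs.
demo=$(mktemp -d)
make_demo_pki "$demo"
{ echo "CONNECTED(00000003)"; cat "$demo/srv.pem"; echo "---"; } \
    | first_cert > "$demo/leaf.pem"
for ca in ca other; do
    if issued_by "$demo/$ca.pem" "$demo/leaf.pem"; then
        echo "$ca.pem issued the server certificate:"
        echo "  $(fingerprint "$demo/$ca.pem")"
    else
        echo "$ca.pem did NOT issue the server certificate; do not install it"
    fi
done
```

On Ubuntu-based systems, a CA file placed in /usr/local/share/ca-certificates with a .crt extension and activated with update-ca-certificates is linked into /etc/ssl/certs by the distribution's own tooling.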

Problem 2: Authentication problems - update pidgin-sipe plugin

I found a lot of pages describing different Pidgin settings to connect to Lync, here are some:

I tried all kinds of combinations using NTLM, Auto, TLS authentication, etc. I got a "401 - Unauthorized: Access is denied due to invalid credentials", later a "certificate request failed", depending on the settings.

Eventually I decided to try the newest pidgin-sipe plugin (as of this writing 1.20). Unfortunately in Linux Mint 17.3 (and therefore Ubuntu 14.04 trusty), the package version is at 1.17. I decided to add a PPA repository which contained the new version:

sudo add-apt-repository ppa:sipe-collab/ppa
You are about to add the following PPA to your system:
 More info: https://launchpad.net/~sipe-collab/+archive/ubuntu/ppa
Press [ENTER] to continue or ctrl-c to cancel adding it

Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.LiRa3uJQ8z --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys F93FF666
gpg: requesting key F93FF666 from hkp server keyserver.ubuntu.com
gpg: key F93FF666: public key "Launchpad PPA for Sipe plugin collaboration" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

And then installed the new version:

sudo apt-get install pidgin-sipe
[...]
The following packages will be upgraded:
  libnice10 libpurple0 pidgin pidgin-data pidgin-sipe
[...]

Besides showing more details in the debug log, the new pidgin-sipe version also offered an additional authentication mechanism (but it's not needed in this case).

Solving it: Using the correct settings

Although I updated pidgin-sipe to the newest version, the same errors still appeared: "sipe certificate request CertProvisioningService.svc failed" and other failures with "Webticket failed". Finally I got it working with the following account settings:

[ Basic ]

Protocol: Office Communicator
Username: myemail@company.local
Login: Empty
Password: mypassword
Local alias: Empty

[ Advanced ]

Server[:Port]: Empty
Connection type: Auto
User Agent: UCCAPI/4.0.7577.0 OC/4.0.7577.0 (Microsoft Lync 2010)
Authentication scheme: Auto
Use Single Sign-On: Not checked

The fact that server/port is left empty requires a correct DNS setup for your domain. Check out https://technet.microsoft.com/en-us/library/gg398758%28v=ocs.15%29.aspx for more information.

Interestingly, the User Agent seems to be very important for the connection.


With these settings I was finally able to connect to the Lync server with Pidgin!

 


Comments (newest first):

Claudio Kuenzler from Switzerland wrote on Jul 13th, 2016:
Unfortunately only IM. But I'm not sure whether this is a Pidgin or a Lync connection problem.

Patrick Rynhart from New Zealand wrote on Jul 13th, 2016:
Awesome! Are you able to do Voice Calls? Or IM only? Thanks, Patrick

