UCWA 503 – E_UcwaUnavailable (E2-3-48)

A few days ago I encountered a strange problem in a customer’s testing environment. The environment consisted of two enterprise pools with 3 Front Ends in each pool running Skype for Business CU3. Signing in from a mobile device had stopped working for some reason.

Inspecting the logs I could see that authentication worked as expected and the clients all received their webtickets properly, but the clients still weren’t able to sign in. Looking at the client logs I found the following.

INFO APPLICATION CAlertReporter.cpp:64 Alert received! Category 2, Type 300, level 0, error E_UcwaUnavailable (E2-3-48), context ‘handleUcwaAppSessionRequestError’, hasAction=false

So obviously the client didn’t get the expected response from UCWA. Inspecting the Mobile Gateway (reverse proxy) logs we could indeed see that when our client tried to access /ucwa/v1/applications it received an HTTP 503 Service Unavailable response from the Front End. Accessing the URL directly on the Front End also gave us the 503 response. When accessing the URL directly on any of the other Front Ends in the pool we received a 401 Unauthorized response, which is the expected response.

We issued a restart of the web server on the affected Front End from the IIS manager and tried again. Unfortunately this didn’t solve the problem; the clients still received the 503s. I’ve seen issues before with a restart issued from the IIS manager. So we tried again using an iisreset issued from a command prompt and… Voilà, the client was able to sign in and direct access to the URL now gave a proper 401 response.

Conclusions: resets issued from the IIS manager do not really restart and flush the web server. While I still don’t know exactly what caused the 503s, I believe it might be related to system resources; as this was a testing environment, the machines had limited resources.
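
Added example, not part of the original post: a PowerShell probe that requests /ucwa/v1/applications on each Front End directly and flags any server that answers 503 instead of the expected unauthenticated 401. The host names, the function names and the use of the default HTTPS port are assumptions for illustration.

```powershell
# Added example. Host names are placeholders (assumption); use your own Front End FQDNs.
$FrontEnds = @('fe01.example.test', 'fe02.example.test', 'fe03.example.test')
$UcwaPath  = '/ucwa/v1/applications'   # URL taken from the post

function Get-UcwaStatus {
    # Returns the HTTP status code of an unauthenticated GET, or 0 if no HTTP response arrived.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Path
    )
    try {
        $r = Invoke-WebRequest -Uri "https://$HostName$Path" -Method Get `
                               -UseBasicParsing -TimeoutSec 15
        return [int]$r.StatusCode
    } catch {
        # Non-2xx answers (401, 503, ...) surface as exceptions that carry the response.
        $resp = $_.Exception.Response
        if ($null -ne $resp) { return [int]$resp.StatusCode }
        return 0   # DNS, TLS, connection or timeout failure
    }
}

function Get-UcwaHealth {
    # Classification follows the post: 401 is the expected answer, 503 is the fault.
    param([int]$StatusCode)
    switch ($StatusCode) {
        401     { 'OK (expected 401 for an unauthenticated request)' }
        503     { 'FAIL (503 Service Unavailable)' }
        0       { 'FAIL (no HTTP response)' }
        default { "CHECK (unexpected status $StatusCode)" }
    }
}

$results = foreach ($fe in $FrontEnds) {
    $code = Get-UcwaStatus -HostName $fe -Path $UcwaPath
    [pscustomobject]@{
        FrontEnd = $fe
        Status   = $code
        Health   = Get-UcwaHealth -StatusCode $code
    }
}

$results | Format-Table -AutoSize

# Point at the servers that need attention; the post resolved its case with iisreset.
$bad = @($results | Where-Object { $_.Status -eq 503 })
if ($bad.Count -gt 0) {
    Write-Warning ("UCWA returns 503 on: " + ($bad.FrontEnd -join ', '))
}
```

Because the probe goes to each Front End rather than through the reverse proxy or load balancer, a single failing pool member shows up even when the others still answer normally.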


My security thoughts on Outlook for iOS and Android

You’ve probably heard all about the new Outlook for iOS and Android that was recently released to the public. The app is a rebrand of Microsoft’s earlier acquisition of Accompli.

People have been writing a lot about this app but I just can’t refrain from making a post about this due to one obvious and one not so obvious problem with this app. Coming from the security side of things I just have to. Even more so since I’m working for a company that creates security products targeting mobile e-mail.

No S/MIME support
For those of you unfamiliar with the S/MIME term it’s the Microsoft Exchange way of sending and reading encrypted e-mails. As long as the app does not support this, it’s simply not enterprise grade. While I like some of the aspects of the app, this alone makes it a no go for me. While I understand that many do not use encrypted e-mails on a standard basis it’s still half a client without the support.

Credential storing middleware
When I heard about this I thought it was a joke. I actually believed that someone wanted to be all anti-Microsoft and was straight out lying. Turns out it was true. When you configure your corporate, not your personal, e-mail account the app sends your corporate credentials not only to your Exchange server but also to AWS (will be Azure later this year) where they are stored. As if this wasn’t enough, a service from AWS then impersonates you and your device and connects to your company’s Exchange server. There it reads your e-mails and stores them. Office365 users should also take note that it doesn’t matter where your tenant is located since the AWS service is in the USA, so if you chose a location in Europe, perhaps out of security concerns, this is bad news for you.

There simply is no excuse for this. There is no argument that holds from a security perspective. Storing your corporate domain credentials on their servers is wrong. Some will say the credentials won’t be used maliciously. What would you call it if I read your e-mail? What if someone hacks that service? Does your company allow you to give someone else the credentials you use to access corporate data?

Uninstalled and now blocked in PointSharp Mobile Gateway for Exchange.

On the 47th (http://www.theucarchitects.com/1489) episode of #TheUCArchitects podcast Steve Goodman (@stevegoodman https://twitter.com/stevegoodman) is right on the spot when he says that when the app was released by a startup (Accompli) it was great. Looking at the app now that it’s released by a huge enterprise demands higher standards (to be fair, Steve said it needs more polish). Furthermore, Steve talks about some of the security issues I’ve mentioned here; he also talks about a lot of the app’s shortcomings (GAL support, Contacts, etc.). Thanks for reading, now go listen to the podcast.

Lync Day 2014

Hello everyone, it’s been quite some time since I last posted due to the fact that my schedule has been crazy the last couple of months. It still is and it’s filled with Lync so that is great but I will try to update more often.

So as an easy come back I’m going to share my thoughts on Lync Day 2014 which was held in Oslo by Ståle Hansen and the Knowledge Factory team. I attended the event as an exhibitor but I still had the chance to attend some of the sessions. More on those later in the post.

The event as a whole was a success I must say. Speaking to various attendees gave me the impression that it was a much appreciated event with very interesting sessions and professional speakers. Well, talking about speakers… There were at least 6 MVPs that had their own session. On top of that the UC architects did a live recording which included even more MVPs. Suffice to say the speakers knew what they were talking about.

I had the pleasure of attending two sessions.
First up was “Lync Mobile sign in process and media flow” with MVP Tom Arbuthnot as speaker. This session was really interesting for me as it is one of the areas of Lync that I’m very interested in. Tom did an excellent job of explaining how it works, what to think of when deploying mobility and even pointing out some typical pitfalls in deployment and troubleshooting.

Then I went on to “SIP and media in Lync explained” by MVP Johan Delimon. This was a deep dive into the SIP protocol and how it works in Lync. Johan was very thorough in his explanations. I must say all the examples from Snooper were much appreciated, where he could show us the SIP dialog and also how SDP works and helps the clients decide which codecs to use.

Last but not least by any means I went to the live recording of the UC Architects podcast with Pat Richard as the host. It felt like a privilege to be present during the recording. It was also great to see how relaxed the discussion was. I guess most of the panel are very used to talking in front of the masses but it still impresses me how professional they were while still keeping it relaxed. Before the end of the podcast Steve Goodman summarized the day saying “I had a good Lync Day today”; I think that was spot on.

A big thanks to Ståle for arranging this event, I hope there will be a 2015 version.