
Friday, 17 July 2015

Lync - get a message body (decrypt) from SIP messages

When you use the Lync Logging Tool or Lync centralized logging, the message body (content) is removed from SIP messages by default. To enable message body logging, do the following on each server in a Front End pool:
1. Click Start, click Run, and then type Regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtcSrv\Parameters.
3. Right-click the right pane of Registry Editor, click New, and then, in DWORD (32-bit), type EnableLoggingAllMessageBodies (no spaces).
4. Set EnableLoggingAllMessageBodies to the value 1.
5. Close RegEdit, and restart the pool server(s) or restart the RTCSrv service (Lync Server Front-End service) by doing one of the following:
   - At an administrator cmd.exe prompt, run the following command:
     net stop rtcsrv && net start rtcsrv
   - In the Lync Server Management Shell, run the following commands:
     Stop-CsWindowsService -Name RtcSrv -Verbose
     Start-CsWindowsService -Name RtcSrv -Verbose
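The same steps scripted for every Front End server, as an added example that is not part of the original post. The function name Set-SipBodyLogging, its parameters and the server names are hypothetical; the registry path, value name and service name are the ones from the steps above. Because traces taken with this setting contain the message content, the usage shows switching it back off once the trace is captured.

```powershell
# Added example: toggle SIP message body logging on a list of Front End servers.
function Set-SipBodyLogging {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,  # each Front End server in the pool
        [Parameter(Mandatory)] [bool]     $Enabled
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Enabled -ScriptBlock {
        param([bool] $Enabled)
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RtcSrv\Parameters'
        $name = 'EnableLoggingAllMessageBodies'
        $want = [int] $Enabled

        # A missing value is treated as 0 (bodies are removed by default).
        $current = [int] (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $want) {
            # -Force creates the DWORD or overwrites an existing one (steps 3 and 4).
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
            # Step 5: restart the Front-End service only when the value changed.
            Restart-Service -Name RtcSrv
        }
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Previous = $current
            Now      = (Get-ItemProperty -Path $key -Name $name).$name
        }
    }
}

# Usage (placeholder server names):
# Set-SipBodyLogging -ComputerName fe01.example.test, fe02.example.test -Enabled $true
# ... reproduce the problem and collect the trace ...
# Set-SipBodyLogging -ComputerName fe01.example.test, fe02.example.test -Enabled $false
```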

Alternatively, you can decrypt the TLS traffic, as described here:
http://blogs.technet.com/b/nexthop/archive/2012/02/15/how-to-decrypt-lync-2010-tls-traffic-using-microsoft-network-monitor.aspx

Lync SIP messages - Event header

Registration:
Event: registration (REGISTER)

In-band provisioning settings:
Event: vnd-microsoft-provisioning-v2 (SUBSCRIBE, OK)

Information about contacts from contact list:
Event: vnd-microsoft-roaming-contacts (SUBSCRIBE, OK)

Presence:
Event: presence (SUBSCRIBE, OK)
Event: presence (NOTIFY, OK)
Event: vnd-microsoft-roaming-self (BENOTIFY)
SERVICE message has no Event header


Monday, 13 July 2015

PowerShell list of folders size

Sample script

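# Read the folder paths, one per line
$c = Get-Content .\ListOfDisabled.txt
foreach ($el in $c) {
    # Sum the size of everything under the folder
    $col = (Get-ChildItem $el -Recurse | Measure-Object -Property Length -Sum)
    # Report only folders larger than 1,000,000 bytes
    if ($col.Sum -gt 1000000) {
        $el
        "{0:N2}" -f ($col.Sum / 1MB)   # size in MB, two decimals
    }
}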

Friday, 10 July 2015

Troubleshooting Lync 2013 mobility

I want to describe a specific situation in a specific Lync environment where there was a problem with Lync mobility. There were a few misconfigurations and I will describe them below.
I also created a topic on the TechNet forum about it:
https://social.technet.microsoft.com/Forums/office/en-US/492f7d00-4896-40f6-a356-ca864f0ea12f/mobility-cannot-sign-in-android-display-self-signed-certificate?forum=lyncdeploy

Even if it is not supported by Microsoft, we use a wildcard certificate for Lync, and all Lync services are able to work both internally and externally.

I did a lot of troubleshooting steps before finding it out, like Test-CsMcxP2PIM and other Test-Cs cmdlets, and I also got logs from mobile devices, but the errors were not descriptive enough for me. Finally I found that lyncdiscoverinternal.domain.com was actually resolved from external DNS because we have a wildcard ("catch all") DNS setting for our domain. So we changed it, and now lyncdiscoverinternal.domain.com resolves to a "fake" IP address, 1.1.1.1.
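A check for the wildcard capture described above, as an added example that is not part of the original post; run it from a machine that uses external DNS. Test-WildcardCapture, its parameters, the example.test zone and its addresses are constructed for illustration, and the default resolver uses Resolve-DnsName.

```powershell
# Added example: does a wildcard ("catch all") record answer for lyncdiscoverinternal?
function Test-WildcardCapture {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $HostLabel = 'lyncdiscoverinternal',
        # Returns the A-record addresses for a name, or nothing if it does not resolve.
        [scriptblock] $Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        }
    )
    # A random label nobody has registered: it resolves only through a wildcard record.
    $probe = 'wc-{0}.{1}' -f ([guid]::NewGuid().ToString('N').Substring(0, 12)), $Domain
    $wildcardIps = @(& $Resolver $probe)
    $hostIps     = @(& $Resolver "$HostLabel.$Domain")

    $captured = $false
    if ($wildcardIps.Count -gt 0 -and $hostIps.Count -gt 0) {
        # Same answer as the random name: the host most likely has no record of its own.
        $captured = -not (Compare-Object $wildcardIps $hostIps)
    }
    [pscustomobject]@{
        Name               = "$HostLabel.$Domain"
        Addresses          = $hostIps
        WildcardPresent    = $wildcardIps.Count -gt 0
        AnsweredByWildcard = $captured
    }
}

# Constructed resolver simulating the fixed zone from the post: a wildcard that
# answers 203.0.113.10 plus an explicit "fake" record for lyncdiscoverinternal.
$zone = @{ 'lyncdiscoverinternal.example.test' = '1.1.1.1' }
$fake = { param($Name) if ($zone.ContainsKey($Name)) { $zone[$Name] } else { '203.0.113.10' } }
Test-WildcardCapture -Domain 'example.test' -Resolver $fake

# Against real DNS (placeholder domain):
# Test-WildcardCapture -Domain 'domain.com'
```

With the constructed zone the result shows WildcardPresent as True and AnsweredByWildcard as False; removing the explicit entry from $zone flips AnsweredByWildcard to True, which is the state the post started from.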

Then there were a few misconfigurations in the IIS ARR configuration, described below.

On IIS ARR there are URL rewrite rules - there must not be rules for http, only rules for https are needed. I had an issue that there was a rule for http with a wildcard and it caught what should not be caught; also, the "Stop processing of subsequent rules" checkbox was selected.
To troubleshoot it, enable "Failed request tracing" in IIS under the Default Web Site on the reverse proxy and look at the rule names.

The next mistake was having a server defined with the external web services URL under IIS ARR Server Farms. The external web services URL is basically not resolvable on the reverse proxy - this is the desired situation. The server name should be specified as the internal FE server name or the FE pool name.

The next mistake was an additional lync.* pattern specified with the Match All setting. It was never true, so processing moved on to the other URL rewrite rules.


Then also take a look at server health: IIS ARR -> Server Farms -> select the specific farm and click Monitoring and Management. The health status must be Healthy. It was unhealthy for me, as I had done some health checks before.

What also helped me was trying to access
https://ExternalWebServicesURL.domain.com:443/certprov/certprovisioningservice.svc
from a computer (web browser) that was not domain joined and was external (not on the corporate LAN). When you access this address you should get a logon window and you should be able to authenticate by providing user credentials.

Thursday, 9 July 2015

Test-CsMCXP2PIM bug - UPN credentials must be provided

You can get the following error when running Test-CsMCXP2PIM:
Error Message : No response received for Web-Ticket service.
                Inner Exception:The HTTP request is unauthorized with client au
                thentication scheme 'Ntlm'. The authentication header received
                from the server was 'Negotiate,NTLM'.
                Inner Exception:The remote server returned an error: (401) Unau
                thorized.

This happens when the user credentials are given in the format domain\username. Try UPN credentials instead: user@domain.com

Wednesday, 1 July 2015

Show disabled AD account with still enabled Lync account and assigned DID numbers

When you disable an AD account, it is not disabled in Lync automatically, and the phone number assigned to that user is still in use.

Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | get-csuser | ft Name,Enabled,Lineuri -auto