Microsoft Lync VDI Plug-in in XenApp session – bad password count finally FIXED !!!

At the beginning of this year I started implementing audio/video Lync conferences in XenApp 6.5 sessions. As you probably know, there is a problem with synchronizing A/V in a remote session. That’s why in 2013 Citrix created the HDX RealTime Optimization Pack for Microsoft Lync. This product supports only the Lync 2010 client. Right now we have version 1.5 and Citrix still doesn’t support the Lync 2013 client.

Microsoft has got an alternative – Microsoft Lync 2013 VDI Plugin. You can use it in RDS (Microsoft RDS), HDX (Citrix XA/XD) or even PCoIP (VMware View) remote sessions.

That was the easy part. When I started the PoC I found out that during the pairing procedure the user account was locked out. I’ve done a lot of tests (with and without Citrix). I found out that the Lync VDI Plugin was increasing the bad password attempt counter. Unfortunately the Lync client (in the remote session) uses another DC, so that counter wasn’t reset after correct authentication.

I created a ticket with Microsoft support. And finally … we have a fix – 2992445 Bad password count is incremented when Lync 2013 VDI plug-in pairs with a Lync 2013 client. This KB is included in the September 2014 Cumulative Update – September 2014 update for Lync 2013 (KB2889860).

Here is the error description, copied from the Microsoft KB site:

Consider the following scenario:

  • You deploy a Microsoft Lync Server 2013 environment.
  • You enable Virtual Desktop Infrastructure (VDI) for all the users in the environment by running the following command:
    Set-CsClientPolicy -Identity Global -EnableMediaRedirection $true
  • You install the Lync 2013 VDI plug-in on a local computer.
  • You install Lync 2013 on a Remote Desktop Session Host server that joins the same domain as the local computer.
  • You create a user account in Active Directory Domain Services (AD DS) and enable the user for Lync 2013.
  • The user logs on to the local computer and to the Remote Desktop Session Host server by using the same account.
  • The user connects to the Remote Desktop Session Host server from the local computer, and then starts Lync 2013 in the Remote Desktop session.
  • The Lync 2013 VDI plug-in begins to pair with the Lync 2013 client.

In this scenario, you might encounter the following issues:

  • The value of the badPwdAttempt attribute in AD DS is incremented by 1.
  • The badPwdTime attribute contains a time stamp for the VDI pairing.
  • You receive event ID 4771 that states one authentication attempt fails in the domain controller (DC) security audit trail.

Additionally, the user account might be locked.
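
To confirm this pattern on a domain controller, the 4771 events can be grouped by user, DC and client address. The script below is an added example, not part of the KB article or the original post. It assumes the Security events were exported as XML and wrapped in a root element. The lockout threshold of 3 and all sample hosts, users and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, dc, user, ip, status):
    """Build one constructed Security event in Windows event XML form."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{dc}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample (hosts, users and addresses are made up), wrapped in a root element.
SAMPLE = "<Events>" + "".join([
    _event(4771, "dc01.example.test", "vdiuser1", "::ffff:10.0.0.21", "0x18"),
    _event(4771, "dc01.example.test", "vdiuser1", "::ffff:10.0.0.21", "0x18"),
    _event(4771, "dc01.example.test", "vdiuser1", "::ffff:10.0.0.21", "0x18"),
    _event(4771, "dc02.example.test", "svc-old", "::ffff:10.0.0.30", "0x12"),  # not a bad password
    _event(4768, "dc02.example.test", "vdiuser1", "::ffff:10.0.0.40", "0x0"),  # successful TGT request
]) + "</Events>"

def preauth_failures(xml_text):
    """Count 4771 events with Status 0x18 (bad password) per (user, DC, client IP)."""
    hits = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4771":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("Status", "").lower() != "0x18":
            continue
        dc = ev.findtext("e:System/e:Computer", default="?", namespaces=NS)
        ip = data.get("IpAddress", "").split("::ffff:")[-1]  # drop IPv4-mapped prefix
        hits[(data.get("TargetUserName", "?"), dc, ip)] += 1
    return hits

def near_lockout(hits, threshold=3):
    """Return (user, DC, client IP) keys whose failure count reaches the assumed threshold."""
    return sorted(key for key, count in hits.items() if count >= threshold)

if __name__ == "__main__":
    for user, dc, ip in near_lockout(preauth_failures(SAMPLE)):
        print(f"{user}: repeated bad-password pre-auth failures on {dc} from {ip}")
```

A client address that matches the workstation running the VDI plug-in, with all failures recorded on a single DC, is consistent with the pairing issue described above.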

And in the end, what can I say about it? I’m happy that I could find a bug in a Microsoft product and be part of that process. But I’m very disappointed that fixing this small bug took Microsoft so much time (more than half a year).

1 Comment

  1. Posted by Andy C

    Hi Jarek, Thanks for this information. We have been having issues with this and have been wrecking our heads trying to find a root cause! Resetting the user's profile on their physical machine did resolve this for 90% of our cases, but in other situations the only thing that would provide a permanent solution was to remove the Lync Plug-in for VDI.

    I have one question, which I was not able to confirm from the kb article. Does this fix need to be applied to the Physical client that is running the Lync Plug-in for VDI or on the VDI machine that the user connects to?

    – Andy C –
