#357 UCS Initialization Failed

[Edwin Rice]

When attempting to connect to my organization's Office 365 account from home with Pidgin, I receive an error stating UCS initialization failed and I cannot see any of my contacts. This randomly started occurring as I was able to connect just fine with the same configuration a week ago. I've scoured the forums for solutions adn the best I could find was to change the advanced account settings but no sensible combination of User Agents and other settings seems to resolve the issue. I've tried reinstalling Pidgin and the SIPE Plugin but that did not resolve the issue either.

Looking at the debug log, I can see the SSL connection is refused, but why? I can connect just fine to the account with the official Skype for Business application from home. Any suggestions? I know I'm missing something...

OS: Windows 10 x64
Client: Pidgin 2.13.0
Plugin version: 1.24.0

[Stefan Becker]

Thanks for the log.

Looks like your Lync installation may be incorrectly configured or your organization doesn't provide an EWS server that can be accessed from the internet:

(01:03:56) sipe: process_subscribe_response: subscription 'vnd-microsoft-roaming-contacts' to 'sip:...' was rejected
(01:03:56) sipe: no contact list available - assuming Lync 2013+ and Unified Contact Store (UCS)
...
(01:03:56) sipe: sipe_ews_autodiscover_url: trying 'https://Autodiscover.nationwidechildrens.org/Autodiscover/Autodiscover.xml'
...
... a lot of handshake ...
...
(01:03:58) sipe: sipe_ews_autodiscover_parse: ews_url = 'https://mail.childrensroot.net/EWS/Exchange.asmx'
...
(01:03:58) sipe: ucs_set_ews_url: 'https://mail.childrensroot.net/EWS/Exchange.asmx'
...
(01:03:58) sipe: transport_connect - hostname: mail.childrensroot.net port: 443
(01:03:58) sipe: using SSL
...
(01:03:59) proxy: Error connecting to mail.childrensroot.net:443 (Connection refused.).

Whatever that server is it obviously isn't offering EWS. In fact it doesn't even offer any service on that port:

$ telnet mail.childrensroot.net 443
Trying 141.8.225.31...
telnet: connect to address 141.8.225.31: Connection refused
$ openssl s_client -debug -msg -connect mail.childrensroot.net:443
140149880055616:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
140149880055616:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=111

You'll have to ask your IT support what the correct EWS URL for Internet access is. And point out that they should fix the EWS autodiscover configuration of course...

BTW: taking an educated guess from the log I tried https://mslpext.nationwidechildrens.org/EWS/Exchange.asmx, but that only returns a 404 error.

Closing as NOTABUG.

[Edwin Rice]

Stefan, thank you for your help! Bear with me because I'm new to this, but after analyzing WireShark data during a sign in with the official Lync application, and looking into the configuration settings Lync provides, I've come across some additional information that may be able to help.

[Stefan Becker]

No worries, you at least followed the instructions and provided a usable logfile.

What do you mean "wireshark traces"? All (well almost all) HTTP communcation is encrypted. Did you run a MITM attack on your Lync client to decode the traces to cleartext?

Where is the information you attached? Please note that this information may already be in the SIPE log if you enable unsafe debug output. This will include the full message contents, including (sometimes) secret information like passwords. Please have a look at the FAQ.

According to the attached file the external EWS URL would be https://webmail.nationwidechildrens.org/EWS/Exchange.asm. But that URL is not provided by your organizations EWS autodiscovery (at least in the log you provided).

[Edwin Rice]

Ha ha. No, I didn't. I can't seem to find the post (I will link to it when I can) but I found an archived thread in which someone mentioned using the Microsoft Network Monitor tool or WireShark to find the server address I need to connect to. Like I said, I'm new to this, so it sounded fancy. :)

I can ssl from the terminal into webmail.nationwidechildrens.org on port 443 just fine but Pidgin still doesn't want to connect on that server. Attached is the debug log with "webmail.nationwidechildrens.org:443" in the Server[:Port] field of the advanced settings tab.

[Stefan Becker]

The UccApi0 log only contains the SIP messages, so it won't help in this case.

[Edwin Rice]

I GOT IT! AM I ALLOWED TO CURSE ON HERE!?

Solution: For those having similar difficulties, firstly, thank Stefan for his assistance. Secondly, what I did was the following: In line 200 of the 1558957736_log.txt file, it says, "sipe: sipe_core_connect: user specified SIP server [...]" This made me realize that what I am specifying in the first field of the advanced settings tab of the account is, well, a SIP server. This, in conjunction with Stefan mentioning above that the UccApi0 log only contains SIP messages, made me think I ought to look in there for the name of the SIP server. So, I specified the server and port from that log, the user agent from that log, and the external EWS server from Lync.txt. Hopefully that helps someone in need.

[Stefan Becker]

No, no, no, that URL goes into Advance tab, Email services URL field...

[Edwin Rice]

Ha ha. I realized that. :) Thank you for your help! I really appreaciate it! Is there anyway I can "vote" you up on this site to let other people know you're helpful?

[Stefan Becker]

Nah, just a drink a beer for me when you go down to the pub next time.

Now: will it work when you are in the office? Or will you have to clear the URL again?

That said, it would be nice to figure out where the 'External EWS' information is encoded. Could you attach a unsafe debug log (see FAQ). Please make sure to clear the email service URL again before creating the debug log.