PROBLEM
========
I encountered a scenario where users were able to successfully log in to Polycom VVX phones with their Active Directory domain, username, and password credentials. However, users were not able to sign in to the phones with their extensions and PIN authentication.

RESOLUTION
============
The root cause was tracked down to being a misconfigured DNS SRV record in the SIP domain forward lookup zone. Consider the following example scenario:

- Internal AD Domain: contoso.local
- SIP Domain: contoso.com
- Lync Standard Edition Front End Server/Pool Name: LyncFE.contoso.local
- SSL Certificate SN assigned to Lync FE: LyncFE.contoso.local
- SSL Certificate SANs assigned to Lync FE:

  - LyncFE.contoso.com
  - Meet.contoso.com
  - Dialin.contoso.com
  - LyncExtWeb.contoso.com
  - Lyncdiscover.contoso.com
  - Lyncdiscoverinternal.contoso.com
  - Sip.contoso.com

The DNS forward lookup zone for the SIP domain "contoso.com" should have a DNS SRV record pointing to a host record in the same domain as follows:

- Name: _sipinternaltls._tcp.contoso.com
- Priority: 0
- Weight: 0
- Port: 5061
- Host: LyncFE.contoso.com

The culprit in my case was that the host was defined as "LyncFe.contoso.local", which was incorrect. Once this was changed to "LyncFE.contoso.com", PIN authentication worked as expected.
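
The check described above, written as an added example (not part of the original post): it validates a ``_sipinternaltls`` SRV record against the SIP domain and the Front End certificate names. The function names and the record dictionaries are assumptions made for illustration; the values are the example scenario above, entered by hand.

```python
# Added example: offline check of a _sipinternaltls SRV record.
# Record and certificate values are the page's example scenario (constructed input).

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot (DNS compares case-insensitively)."""
    return name.strip().rstrip(".").lower()

def in_domain(host, domain):
    """True if host lies inside domain, matched on whole labels (not a bare suffix)."""
    return norm(host).endswith("." + norm(domain))

def cert_covers(host, cert_names):
    """True if host matches a certificate name exactly or through a single-label wildcard."""
    host = norm(host)
    for name in map(norm, cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_srv(sip_domain, srv, cert_names):
    """Return a list of findings for one SRV record dict with keys owner, port, target."""
    findings = []
    target = norm(srv["target"])
    expected_owner = "_sipinternaltls._tcp." + norm(sip_domain)
    if norm(srv["owner"]) != expected_owner:
        findings.append("owner is not " + expected_owner)
    if srv["port"] != 5061:
        findings.append("port is %d, expected 5061" % srv["port"])
    if not in_domain(target, sip_domain):
        findings.append("target %s is outside SIP domain %s" % (target, norm(sip_domain)))
    if not cert_covers(target, cert_names):
        findings.append("target %s is not a name on the Front End certificate" % target)
    return findings

# Subject name plus SANs from the scenario above.
CERT_NAMES = ["LyncFE.contoso.local", "LyncFE.contoso.com", "Meet.contoso.com",
              "Dialin.contoso.com", "LyncExtWeb.contoso.com", "Lyncdiscover.contoso.com",
              "Lyncdiscoverinternal.contoso.com", "Sip.contoso.com"]
BAD = {"owner": "_sipinternaltls._tcp.contoso.com", "port": 5061,
       "target": "LyncFe.contoso.local."}            # the misconfigured host
GOOD = dict(BAD, target="LyncFE.contoso.com.")        # the corrected host

if __name__ == "__main__":
    for label, rec in (("misconfigured", BAD), ("corrected", GOOD)):
        print(label, check_srv("contoso.com", rec, CERT_NAMES) or "OK")
```

The misconfigured record passes the certificate-name check because the ``.local`` name is the certificate's subject name, so only the SIP domain comparison flags it.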