Certain users cannot connect with Skype for Business on iPhone

  • Question

  • The environment is working rather well.

    This is on premise.

    I can connect with my phone and everything works. Other users cannot. I have checked the user setup in Skype itself and we are identical. The only difference is RTC and CS active directory group membership. When I make other users match, giving them RTCUniversalServerAdmins and RTCUniversalUserAdmins, they can log on.

    I do not want them to have Admin access. What is the actual security they need?

    So far I have searched and haven't found the answer.

    Thanks!

    Tuesday, August 16, 2016 7:59 PM

Answers

  • Still was banging my head against the wall on this. Finally figured it out today.

    The common thread was that they were on our internal wireless network. I was as well. It worked for me, not them. Finally saw that their IP addresses were 10.10.10.x and mine was 10.0.0.x. It seems that different wireless access points were handing out different subnets. Don't ask why. This is being fixed shortly with a wireless network refresh.

    The 10.10.10.x subnet wasn't routable to the Skype for Business servers.

    Simple solution, just took a while to find.

    Thanks all for your suggestions.

    • Proposed as answer by Alice-Wang Saturday, September 3, 2016 4:51 AM
    • Marked as answer by Alice-Wang Friday, September 9, 2016 9:58 AM
    Friday, September 2, 2016 4:44 PM
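
The answer above traced the failures to the subnet the failing clients were on. As an added example (not part of the original post), the following groups sign-in outcomes by client subnet so that kind of pattern shows up; the user names, addresses and /24 grouping are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (user, client IP, outcome). Addresses follow the
# 10.0.0.x / 10.10.10.x split described in the answer; user names are
# hypothetical.
ATTEMPTS = [
    ("paul",   "10.0.0.23",   "ok"),
    ("paul",   "10.0.0.23",   "ok"),
    ("user-a", "10.10.10.41", "fail"),
    ("user-b", "10.10.10.57", "fail"),
    ("user-a", "10.10.10.41", "fail"),
    ("user-c", "10.10.10.12", "fail"),
]

def outcomes_by_subnet(attempts, prefix_len=24):
    """Group attempts by client subnet -> {"ok": n, "fail": n, "users": set}."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "users": set()})
    for user, ip, result in attempts:
        # strict=False lets a host address be mapped to its containing network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        entry = stats[str(net)]
        entry[result] += 1
        entry["users"].add(user)
    return dict(stats)

def suspect_subnets(attempts, prefix_len=24, min_users=2):
    """Subnets where every attempt failed, across at least min_users users.

    Several different users failing from one subnet points at the network
    path rather than at per-user settings such as group membership or policy.
    """
    stats = outcomes_by_subnet(attempts, prefix_len)
    return sorted(
        net for net, s in stats.items()
        if s["ok"] == 0 and s["fail"] > 0 and len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    for net, s in sorted(outcomes_by_subnet(ATTEMPTS).items()):
        print(f"{net:16} ok={s['ok']} fail={s['fail']} users={sorted(s['users'])}")
    print("suspect:", suspect_subnets(ATTEMPTS))
```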

All replies

  • They definitely don't need to be a member of those groups.  No RBAC group is required for any mobile access.  

    Does it not work internally and externally both?  

    What is your reverse proxy, does it use pass through authentication, or is it attempting some level of authentication?

    I'm assuming when you checked the user setup in Skype, you checked the mobility policy and have the same settings for yourself as for all users, and that it's enabled in the policy.

    Can the users log in with a normal client externally?


    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    Tuesday, August 16, 2016 8:12 PM
  • I only have one mobility policy.

    I guess I'm really confused then. Using my co-worker's phone, trying to log in as him on Skype mobile, he is refused. I use the same device and use my credentials and it logs on.

    I add my co-worker to those two groups and try again with his logon and it works.

    Tuesday, August 16, 2016 8:17 PM
  • I've never seen that.  What are you using for a reverse proxy?

    Tuesday, August 16, 2016 8:23 PM
  • A Sophos UTM. It is doing a pass through.
    Tuesday, August 16, 2016 8:28 PM
  • Redirecting 443 to 4443 on your front end?  ...  That's incredibly odd.

    Tuesday, August 16, 2016 8:35 PM
  • av.domain.com, webconf.domain.com, sipexternal.domain.com and sip.domain.com are NAT'ed through the firewall and have no authentication whatsoever. They don't go through a reverse proxy and go to the Edge server.

    I was wrong on one symptom. My co-worker can log in with his iPhone but cannot send any messages. He gets a 'we couldn't send this message'.

    So, the only one that works is me. I wish I knew what made me special.

    meet.domain.com, dialin.domain.com, lync.domain.com and lyncdiscover.com go through a reverse proxy to the standard server.

    Tuesday, August 16, 2016 9:52 PM
  • Hi Paul L Fisher,

    Agree with Anthony, for Lync mobility, it is not required to be a member of RTCUniversalServerAdmins and RTCUniversalUserAdmins.

    If you want to use Lync on mobile, it will go through the reverse proxy. Since you said it didn't go through a reverse proxy and goes to the Edge server, try to check your reverse proxy configuration.

    Please refer to

    https://www.ssl247.de/kb/ssl-certificates/troubleshooting/general/How-to-configure-the-UTM-Web-Application-Firewall-for-Microsoft-Lync-Web-Services-connectivity

    You could also use Microsoft Lync Connectivity Analyzer to find where the problem is.

    Here is a great blog about troubleshooting Lync mobility for your reference

    https://blogs.technet.microsoft.com/nexthop/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Best regards,

    Alice Wang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Alice Wang
    TechNet Community Support

    Wednesday, August 17, 2016 2:20 AM
  • I had already done that. I have a reverse proxy setup exactly like that article for the UTM.

    https://www.ssl247.de/kb/ssl-certificates/troubleshooting/general/How-to-configure-the-UTM-Web-Application-Firewall-for-Microsoft-Lync-Web-Services-connectivity

    It works flawlessly for me, just no one else. Doesn't that indicate that the network/firewall/reverse proxy is set up properly?


    Wednesday, August 17, 2016 1:45 PM
  • Hi Paul L Fisher,

    Please try to create a new user to see if the issue occurs.

    Did you test on an Android phone? Is there the same issue as on the iPhone?

    Since your co-worker could log in successfully, please try to compare the AD attributes between your co-worker and the others (who can't log on).

    Since your co-worker can log in with his iPhone but cannot send any messages, please try to restart the UCWA service on FE Server IIS.

    If that does not work, try to rerun Step 2 using the Skype for Business Deployment Wizard and then restart all SFB Services to test the issue again.

    Best regards,

    Alice Wang


    Sunday, August 21, 2016 7:31 AM
  • Have you tried removing the app, installing it again and logging in with this user? In my experience, sometimes something is stored in the phone cache.

    regards Holger Technical Specialist UC

    Sunday, August 21, 2016 8:28 AM