locked
Unable to join because security certificate isn't trusted RRS feed

  • Question

  • When using the Skype addon in outlook to generate a Skype Meeting, we have a problem when a user clicks on "Join Skype Meeting". The user is greeted with the following message "We couldn't join you to the meeting because the security certificate isn't trusted. For more info, please contact your system admin". I have full logging enabled on the client but the event viewer is only showing information level info that isn't particular useful.

    When we disable "Skype Meeting Add-in For Microsoft Office 2013" and a user receives a Skype Meeting they are able to click the link, IE opens and then closes then they join the meeting with Skype.

    Why would the addon cause a certificate error but without the addon it works just fine? Any ideas?

    Thursday, October 6, 2016 2:40 PM

Answers

  • The issue appear to stem from a registry key that forced TLS 1.1 as the default secure protocol by a group policy that we had pushed out to certain groups.

    https://support.microsoft.com/en-us/kb/3140245

    Removing the key or changing the DefaultSecureProtocols to TLS 1.0 default works around the certificate error. 


    • Marked as answer by MegaBuster Friday, November 18, 2016 8:00 PM
    • Edited by MegaBuster Friday, November 18, 2016 8:00 PM
    Friday, November 18, 2016 8:00 PM
  • Hi MegaBuster,

    Welcome to our forum.

    Did this error occur on all PCs or specific PC?

    By this issue, we suggest you renew the certificate on all SFB FE servers to check if the issue persist. 

    1. From a machine that is domain-joined on your internal network (and hitting your internal DNS servers), browse to https://meet.sipdomain.com. Now, when you get the certificate error in the browser, view the properties of the certificate. Specifically, we want to see if 'meet.sipdomain.com' is listed as a Subject Alternate Name (SAN) on the certificate. The certificate that you are viewing the details of will be the SSL cert that exists on your Front End. The error you are receiving would indicate that the 'meet. sipdomain.com' SAN entry is not on the SSL cert you have listed, so we need to verify it is there.
    2. From this internal client, open a command prompt and perform an nslookup on meet.sipdomain.com. The resulting IP should be pointing at the internal (private IP) of your Front End server, assuming that the DNS server it is querying is your internal AD server

    If there are any questions or issues, please be free to let me know and we will pleasure to help you. If the above suggestion are helpful to you, please mark it as answer so that someone who has similar issue could find this thread as soon as possible.

    Best Regard,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Liinus Friday, October 7, 2016 10:45 AM
    • Marked as answer by jim-xu Friday, October 21, 2016 10:40 AM
    Friday, October 7, 2016 6:38 AM

All replies

  • The add-on shouldn't affect it, that's odd.  Is this an internally signed certificate that it's showing you?  When you have the add-on running, and you get the cert error, how is it presented?  Is it in the browser or via a pop-up message?

    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    Thursday, October 6, 2016 4:02 PM
  • I am not sure what certificate it's checking against. My department is able to join a Skype meeting within outlook so I have compared our internal certificates to their location and they are the same.

    After clicking the link with the add-on enabled, Skype for Business will appear, attempt to join and display the error message in my original post. Likewise, with the add-on disabled, IE will open then close and Skype for Business will join the meeting and display Join Meeting Audio options.


    • Edited by MegaBuster Thursday, October 6, 2016 4:27 PM verbiage
    Thursday, October 6, 2016 4:10 PM
  • So the error message is coming from Skype itself?  Definitely not within a browser?

    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    Thursday, October 6, 2016 4:14 PM
  • Correct. Skype for Business itself is giving the error message.

    Thursday, October 6, 2016 4:24 PM
  • Hi MegaBuster,

    Welcome to our forum.

    Did this error occur on all PCs or specific PC?

    By this issue, we suggest you renew the certificate on all SFB FE servers to check if the issue persist. 

    1. From a machine that is domain-joined on your internal network (and hitting your internal DNS servers), browse to https://meet.sipdomain.com. Now, when you get the certificate error in the browser, view the properties of the certificate. Specifically, we want to see if 'meet.sipdomain.com' is listed as a Subject Alternate Name (SAN) on the certificate. The certificate that you are viewing the details of will be the SSL cert that exists on your Front End. The error you are receiving would indicate that the 'meet. sipdomain.com' SAN entry is not on the SSL cert you have listed, so we need to verify it is there.
    2. From this internal client, open a command prompt and perform an nslookup on meet.sipdomain.com. The resulting IP should be pointing at the internal (private IP) of your Front End server, assuming that the DNS server it is querying is your internal AD server

    If there are any questions or issues, please be free to let me know and we will pleasure to help you. If the above suggestion are helpful to you, please mark it as answer so that someone who has similar issue could find this thread as soon as possible.

    Best Regard,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Liinus Friday, October 7, 2016 10:45 AM
    • Marked as answer by jim-xu Friday, October 21, 2016 10:40 AM
    Friday, October 7, 2016 6:38 AM
  • The issue appear to stem from a registry key that forced TLS 1.1 as the default secure protocol by a group policy that we had pushed out to certain groups.

    https://support.microsoft.com/en-us/kb/3140245

    Removing the key or changing the DefaultSecureProtocols to TLS 1.0 default works around the certificate error. 


    • Marked as answer by MegaBuster Friday, November 18, 2016 8:00 PM
    • Edited by MegaBuster Friday, November 18, 2016 8:00 PM
    Friday, November 18, 2016 8:00 PM
  • Thanks it helped.
    Thursday, November 1, 2018 11:53 AM