locked
Skype for Business mobile client doesn't work with Android 10 ? RRS feed

  • Question

  • Hi all,

    Some users reported that they were not able to connect to Skype for Business Mobile client after Android 10 update.

    https://testconnectivity.microsoft.com doesn't show any issues.

    Clients on Android 10 can reach our internal and external autodiscover links without any certificate or DNS issues.

    Same users can connect with any others devices.

    Logs show an issue with host verification :

    09-25 08:31:31.687 27305 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:221 UcwaAutoDiscoveryGetUserUrlOperation completed with url = http://lyncdiscover.domain.com/?sipuri=sip:user@domain.com, userUrl = , status = E_HttpOther3xxError (E2-3-17)
    09-25 08:31:31.689 27305 INFO UTILITIES CBasePersistableComponent.cpp:211 Storing 1 out-of-sync components took 0.001411s
    09-25 08:31:31.793 27959 DEBUG [Http] SfbCertificateTrustEngine: Certificate trusted by the standard OS trust manager: X509CertificateInfo { Issuer = DigiCert SHA2 Secure Server CA, Subject = im.domain.com, SigAlgName = SHA256withRSA, NotBefore = 27 Aug 2019 02:00:00 AM, NotAfter = 09 Sep 2021 02:00:00 PM, SerialNumber = 20986494549014957720438283161467386704 }
    09-25 08:31:31.801 27959 INFO [Http] HttpEngine: IllegalArgumentException for Host: lyncdiscover.domain.com
    09-25 08:31:33.570 27959 DEBUG [Http] HttpEngine: Recursive execute after getting SSL info for request Get https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com
    09-25 08:31:33.570 27959 DEBUG [Http] HttpEngine: HttpEngine.execute called for [Normal] Get https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com
    09-25 08:31:33.570 27959 DEBUG [Http] HttpEngine: AutoRedirect false for https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com and setting it to FALSE for manual handling
    09-25 08:31:33.570 27959 DEBUG [Http] ThreadHostCertificateMapper: Updating the host requested on this thread: host = lyncdiscover.domain.com, threadId = 17220
    09-25 08:31:33.570 27959 DEBUG [Http] HttpEngine: Executing request with [Normal] Get https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com  HttpProvider internal connection queue count [0]
    09-25 08:31:33.721 27959 DEBUG [Http] SfbSSLSocketFactory: Hostname verification failed, getting user approval. Host: lyncdiscover.domain.com
    09-25 08:31:33.721 27959 WARN [Http] SfbSSLSocketFactory: Unable to verify host: lyncdiscover.domain.com
    09-25 08:31:33.723 27959 INFO [Http] SfbOkHttpRequest: Canceling Request because of: SocketException: Get https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com
    09-25 08:31:33.725 27959 DEBUG [Http] HttpConnection: Exception SocketException caught while executing http request Get https://lyncdiscover.domain.com/?sipuri=sip:user@domain.com: java.net.SocketException: Unable to verify host: lyncdiscover.domain.com
    at com.microsoft.office.lync.platform.http.NetworkSecurity.SfbSSLSocketFactory.throwHostNameVerificationException(SfbSSLSocketFactory.java:208)
    at com.microsoft.office.lync.platform.http.NetworkSecurity.SfbSSLSocketFactory.verifyHostName(SfbSSLSocketFactory.java:197)
    at com.microsoft.office.lync.platform.http.NetworkSecurity.SfbSSLSocketFactory.configureSocketAndVerifyHostName(SfbSSLSocketFactory.java:145)
    at com.microsoft.office.lync.platform.http.NetworkSecurity.SfbSSLSocketFactory.createSocket(SfbSSLSocketFactory.java:92)
    at okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:228)
    at okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)
    at okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)
    at okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)
    at okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)
    at okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)
    at okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)
    at okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)
    at okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
    at okhttp3.RealCall.getResponse(RealCall.java:243)
    at okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)
    at okhttp3.RealCall.execute(RealCall.java:57)
    at com.microsoft.office.lync.platform.http.HttpProvider.OkHttpProvider.SfbOkHttpProvider.sendRequestSyncImpl(SfbOkHttpProvider.java:236)
    at com.microsoft.office.lync.platform.http.HttpProvider.HttpProvider.sendRequestSync(HttpProvider.java:112)
    at com.microsoft.office.lync.platform.http.HttpEngine.execute(HttpEngine.java:254)
    at com.microsoft.office.lync.platform.http.HttpEngine.execute(HttpEngine.java:381)
    at com.microsoft.office.lync.platform.http.HttpConnection$1.run(HttpConnection.java:295)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:462)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:919)

    Has anyone been able to check the app using Android 10 ? Not sure the issue is related to my infra since everyone else can connect...

    Thank you very much for your time.


    Fabien Gaille

    Friday, September 27, 2019 11:21 AM

Answers

  • Hi Sharon,

    I found out the issue. 

    Android 10 uses TLS 1.3 by default. My Reverse Proxy also supports this procotol and I think the negotiation was based on it. However, even if I'm deploying Skype for Business 2019, I'm still using Skype for Business 2015 Front-End pool, which doesn't support TLS 1.3. I think then, the negociation failed.

    As soon as I disabled TLS 1.3 on my reverse proxy, my users have been able to connect.

    Thank you for your time.

    Best regards,

    Fabien


    Fabien Gaille

    • Marked as answer by Fabien Gaille Thursday, October 3, 2019 8:12 AM
    Thursday, October 3, 2019 8:12 AM

All replies

  • Hi Fabien Gaille,

    According to this information:

    “09-25 08:31:33.721 27959 WARN [Http] SfbSSLSocketFactory: Unable to verify host: lyncdiscover.domain.com

    It may be related to SSL.

    I noticed that you use “DigiCert SHA2 Secure Server CA”, this is an intermediate certificate.

    It should have a root certificate in the certificate chain, please check if the root certificate is installed on both server side and client side.


    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, September 30, 2019 2:57 AM
  • Hi Sharon,

    Thank you for your feedback.

    I extracted the certificate from my Kemp and I'm able to see the full certificate chain. Also, 09-25 08:31:31.793 27959 DEBUG [Http] SfbCertificateTrustEngine: Certificate trusted by the standard OS trust manager: X509CertificateInfo { Issuer = DigiCert SHA2 Secure Server CA, Subject = im.domain.com, SigAlgName = SHA256withRSA, NotBefore = 27 Aug 2019 02:00:00 AM, NotAfter = 09 Sep 2021 02:00:00 PM, SerialNumber = 20986494549014957720438283161467386704 } shows a trust from the mobile phone.

    The certificates are available on the mobile phone.

    I checked the logs from Android 9 and only the intermediate certificate is also shown but it still work from Android 9.

    Have you already tried the app from Android 10 ?

    Best regards,

    Fabien


    Fabien Gaille

    Monday, September 30, 2019 6:50 AM
  • Hi Fabien Gaille,
    In my test, I use Android 10 and can sign in Skype for Business without problem.
    Do all clients with Android 10 have this problem?
    You could try to update Skype for Business client to the latest version if it is not.

    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, October 3, 2019 4:59 AM
  • Hi Sharon,

    I found out the issue. 

    Android 10 uses TLS 1.3 by default. My Reverse Proxy also supports this procotol and I think the negotiation was based on it. However, even if I'm deploying Skype for Business 2019, I'm still using Skype for Business 2015 Front-End pool, which doesn't support TLS 1.3. I think then, the negociation failed.

    As soon as I disabled TLS 1.3 on my reverse proxy, my users have been able to connect.

    Thank you for your time.

    Best regards,

    Fabien


    Fabien Gaille

    • Marked as answer by Fabien Gaille Thursday, October 3, 2019 8:12 AM
    Thursday, October 3, 2019 8:12 AM
  • Hi Fabien Gaille,

    Thanks for your sharing. It is quite helpful.



    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, October 4, 2019 1:11 AM
  • Thank you for sharing the update here. Your information will benefit other users a lot.

    Here I will provide a brief summary of this post. This will make answer searching in the forum easier.

     

    Issue Symptom:

    Skype for Business mobile client doesn't work with Android 10

     

    (Possible) Cause:

    According to the client log:

    “09-25 08:31:33.721 27959 DEBUG [Http] SfbSSLSocketFactory: Hostname verification failed, getting user approval. Host: lyncdiscover.domain.com”

    It seems related to Reverse Proxy server.

     

    Solution:

    1.Check the DNS records about Reverse Proxy server: lyncdiscover.domain.name

    2.Check the firewall and port/protocol on Reverse Proxy server. External firewall requirements are the HTTPS/TCP/443 and the optional HTTP/TCP/80. HTTPS is used for SSL and TLS secure communications through the reverse proxy. Android 10 uses TLS 1.3 by default. However, Skype for Business server 2015 doesn’t support TLS 1.3. The root cause may be TLS 1.3.

    3.Disable TLS 1.3 ON Reverse Proxy server. Then the mobile client can log in.

     

    Reference Links:

    https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/edge-server-deployments/system-requirements

    https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/security/encryption



    Friday, October 18, 2019 6:56 AM
  • Thanks for the Info Fabien,

    same issue here. And the customer uses also a Kemp for Reverse Proxy. 
    Side note: This setting resolves also a problem on a Samsung A6 Phone with Android 9, the signin failed also. So it's obviosly not only an Android 10 problem.

    Friday, October 18, 2019 7:54 AM
  • Hi All, 

    I'm also facing this issues with some of mobile clients and some of them using Apple MacOS. 

    10-20 08:32:13.979 4073 DEBUG [Http] SfbSSLSocketFactory: Hostname verification failed, getting user approval. Host: FrontEntExternal.domain.com

    How can I check the certificate it matches in both ends..?

    Regards, 

    Sunday, October 20, 2019 8:56 AM
  • Hello Hussain,

    Are the clients internal (Wireless LAN) or external? The mobile client always uses the "external Webservices URL" from the topology to connect, this name should match on the certificate. If you use a public certificate from a trusted CA, then only the name is important. If you use an internal certificate from your internal CA, don't forget to populate the root and intermediate (if existing) certificate to the mobile clients. Windows Clients are pulling the cert through GPO, mobile clients doesn't....

    Best Regards

    Daniel

    Monday, October 21, 2019 6:54 AM