locked
New-CsOauthServer "The operation has timed out" RRS feed

  • Question

  • Recently upgraded on-prem Skype for Business Server 2015 to 2019 (legacy SfB removed entirely from topology).  Since we are still using O365 UM for voicemail and auto-attendant functionality in addition to establishing a hybrid with SfB Online to prepare for next migration phase to Teams, OAuth is needed in the meantime.  Everything went well except that I'm getting a timed out error when running the following NewCsOAuthServer command to add O365's Auth server.  I'm also running the command in Azure AD Module PowerShell and using my TenantID.  Interestingly, I also get the same error when running it in the SfB Management PowerShell.  I've also played around with the Metadata URL and tried a different domain like login.microsoftonline.com that was mentioned in another forum post with success and also substituting the TenantID for one of the verified domains without any luck.  My tenant "displayname" contains two words which I omitted from using.






    • Edited by ADGAdmin Tuesday, October 1, 2019 4:48 PM grammar
    Tuesday, October 1, 2019 4:43 PM

Answers

  • Hello Blue_Craig and Sharon_Zhao and thank you for the reply.  I actually went through a lot of research and also saw those mentioned articles.  I've also successfully browsed to the accounts.accesscontrol.windows.net URL using both verified domains and the TenantID and it worked on my local workstation, but what I didn't do was to try the URL on the Skype front end server itself.

    Anyway, I did manage to find the solution and it ended up being our network admin created a static outbound route for the newly provisioned SFB2019 frontend server which blocked access to the majority of the Internet.  I found out after noticing failures when trying to install PowerShell packages from the online nuget repo and also trying to browse the STS URL on the frontend server itself.



    • Marked as answer by ADGAdmin Wednesday, October 2, 2019 2:37 PM
    • Edited by ADGAdmin Wednesday, October 2, 2019 7:13 PM
    Wednesday, October 2, 2019 2:35 PM

All replies

  • What happens when you type the URL into a browser? Does it resolve properly?

    https://accounts.accesscontrol.windows.net/domain.onmicrosoft.com/metadata/json/1

    I have not run the command, but if I put the above URL into a web browser and replace domain with the proper name of my company's domain it resolves properly.

    Have you had a look through this document?

    https://docs.microsoft.com/en-us/skypeforbusiness/manage/authentication/configure-a-hybrid-environment


    Tuesday, October 1, 2019 9:23 PM
  • Hi ADGAdmin,

    Agree with Blue_Craig, you can try to replace domain name with your company’s domain name in this URL: https://accounts.accesscontrol.windows.net/domain.onmicrosoft.com/metadata/json/1. And check if the new URL can be open in browser.

    The form of the command must be like this: New-CsOAuthServer -Identity "Office 365" -MetadataUrl "https://sts.office365.microsoft.com/metadata/json/1"

    According to the error message, the problem seems related to the URL.

    In my research, there are several articles for your refence:

    https://ntsystems.it/post/Skype-for-Business-Hybrid-Observations

    https://gallery.technet.microsoft.com/office/Configure-OAuth-between-5705f1ac

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.



    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, October 2, 2019 3:12 AM
  • Hello Blue_Craig and Sharon_Zhao and thank you for the reply.  I actually went through a lot of research and also saw those mentioned articles.  I've also successfully browsed to the accounts.accesscontrol.windows.net URL using both verified domains and the TenantID and it worked on my local workstation, but what I didn't do was to try the URL on the Skype front end server itself.

    Anyway, I did manage to find the solution and it ended up being our network admin created a static outbound route for the newly provisioned SFB2019 frontend server which blocked access to the majority of the Internet.  I found out after noticing failures when trying to install PowerShell packages from the online nuget repo and also trying to browse the STS URL on the frontend server itself.



    • Marked as answer by ADGAdmin Wednesday, October 2, 2019 2:37 PM
    • Edited by ADGAdmin Wednesday, October 2, 2019 7:13 PM
    Wednesday, October 2, 2019 2:35 PM
  • Here I will provide a brief summary of this post. This will make answer searching in the forum easier.

     

    Issue Symptom: 

    Execute New-CsOauthServer command with error “The operation has timed out”

     

    (Possible) Cause:  

    It is mostly related to the new certificate.

     

    Solution: 

    Canceling the static outbound route for the newly provisioned Skype for Business 2019 front end server, because this blocked the access to majority of the Internet.

     

    Reference Links: 

    https://docs.microsoft.com/en-us/powershell/module/skype/new-csoauthserver?view=skype-ps


    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Friday, October 18, 2019 8:37 AM