Lync 2013 Federation not working

  • Question

  • Hi Guys,

    I desperately need some help with getting federation to work in my deployment. I was able to get external users to connect but not federation. I used snooper to analyse the results which can be found below.

    TL_INFO(TF_PROTOCOL) [1]17E8.3EF4::11/04/2015-14:10:55.539.0000457f (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[792257021] $$begin_record
    Trace-Correlation-Id: 792257021
    Instance-Id: 158A
    Direction: incoming
    Peer: edgeserver.contoso.ORG:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "testuser2"<sip:testuser2@contoso.org>;tag=905591eeda;epid=cf1560aff0
    To: <sip:testuser@hotmail.com>;tag=6944D90DCD4B8F34A666F2F75BDC31A4
    Call-ID: b31cc991ca9c4512839652af0bb87b02
    CSeq: 1 INVITE
    Via: SIP/2.0/TLS 192.1.1.41:60626;branch=z9hG4bKF6868C20.3B0A0DFCF1FEF28F;branched=FALSE;ms-received-port=60626;ms-received-cid=A900
    Via: SIP/2.0/TLS 192.1.1.29:49575;branch=z9hG4bKC832C015.3E923F19707CB28A;branched=FALSE;ms-received-port=49575;ms-received-cid=64B00
    Via: SIP/2.0/TLS 192.1.2.60:54736;received=87.81.225.221;ms-received-port=54736;ms-received-cid=A800
    Content-Length: 0
    ms-diagnostics: 1026;reason="Domain resolved by DNS SRV to multiple FQDNs that match different routing rules";domain="contosa.org";fqdn1="sipfed.online.lync.com:5061";fqdn2="sip.contoso.org:5061";source="access.contoso.org"
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=edge-server.contoso.ORG;ms-source-verified-user=verified
    $$end_record


    Wednesday, November 4, 2015 2:29 PM


All replies

  • Hi

    Are you trying to federate with hotmail? If so you need to federate with Skype consumer and sign up to the PIC service https://pic.lync.com

    Also, it looks like you have multiple federation SRV records in your external DNS. If you are in hybrid, remove the Lync Online SRV record, as it should all point to your on-prem edge.

    It's failed because it doesn't know where to route the request to, because you have one SRV record pointing to Office 365 and another to your on-premises edge.

    thanks


    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Wednesday, November 4, 2015 3:12 PM
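The 504 in the question carries the whole story in its ms-diagnostics header: one domain, two SRV targets, two different routing rules. The following is an added example, not code from the original thread or from Microsoft. It parses that header and reproduces, in a simplified model, the decision the Access Edge makes when it checks whether every SRV target for a domain lands on the same routing rule (local edge, hosting provider such as Lync Online, or a plain federated partner). The routing table, the edge names and the provider list are assumptions chosen to match the thread; the trace line is a constructed copy of the one quoted above.

```python
"""Added example (not part of the original thread): parse the ms-diagnostics
header from the Snooper trace in the question and reproduce the routing
decision behind error 1026. The routing model (local edge names, hosting
provider list) is a simplified assumption, and all inputs are constructed."""
import re
from dataclasses import dataclass

# Constructed copy of the ms-diagnostics line quoted in the question.
TRACE_LINE = (
    'ms-diagnostics: 1026;reason="Domain resolved by DNS SRV to multiple FQDNs '
    'that match different routing rules";domain="contosa.org";'
    'fqdn1="sipfed.online.lync.com:5061";fqdn2="sip.contoso.org:5061";'
    'source="access.contoso.org"'
)

_KV = re.compile(r'(\w[\w-]*)="([^"]*)"')  # key="value" pairs; values carry no quotes


def parse_ms_diagnostics(header: str) -> dict:
    """Split 'ms-diagnostics: <code>;k="v";...' into a numeric code and a field dict."""
    value = header.split(":", 1)[1] if header.lower().startswith("ms-diagnostics:") else header
    code, _, rest = value.strip().partition(";")
    return {"code": int(code), "fields": dict(_KV.findall(rest))}


@dataclass
class RoutingRules:
    """Assumed, simplified model of the Access Edge's routing table."""
    local_edges: set          # names this deployment's own edge answers for
    hosting_providers: dict   # provider proxy FQDN -> provider name (e.g. Lync Online)


def classify_target(target: str, rules: RoutingRules) -> str:
    """Map one SRV target (host:port) to the routing rule it would match."""
    host = target.rsplit(":", 1)[0].lower().rstrip(".")
    if host in rules.local_edges:
        return "local-edge"
    if host in rules.hosting_providers:
        return "hosting-provider:" + rules.hosting_providers[host]
    return "federated-partner"


def check_srv_targets(targets, rules: RoutingRules):
    """All SRV targets for one domain must land on the same rule, or routing is ambiguous."""
    classes = {t: classify_target(t, rules) for t in targets}
    return len(set(classes.values())) <= 1, classes


def diagnose_1026(header: str, rules: RoutingRules):
    """Return None unless the header is a 1026; otherwise explain which targets conflict."""
    diag = parse_ms_diagnostics(header)
    if diag["code"] != 1026:
        return None
    f = diag["fields"]
    targets = [f[k] for k in sorted(f) if re.fullmatch(r"fqdn\d+", k)]
    ok, classes = check_srv_targets(targets, rules)
    return {"domain": f["domain"], "ok": ok, "classes": classes}


# Constructed rules: the on-prem edge answers for sip./access.contoso.org and
# Lync Online is configured as a hosting provider via sipfed.online.lync.com.
RULES = RoutingRules(
    local_edges={"sip.contoso.org", "access.contoso.org"},
    hosting_providers={"sipfed.online.lync.com": "LyncOnline"},
)

if __name__ == "__main__":
    print(diagnose_1026(TRACE_LINE, RULES))
    # After removing the Lync Online SRV record only the on-prem target remains.
    print(check_srv_targets(["sip.contoso.org:5061"], RULES))
```

The same check explains Eric's advice further down: once `_sipfederationtls._tcp.<domain>` and `_sip._tls.<domain>` point only at the on-premises Access Edge, every target classifies as "local-edge" and the ambiguity disappears. Before deleting public DNS records, run the lookup against the authoritative nameserver and the public resolvers your partners use, since a stale cached SRV answer keeps the 1026 alive until its TTL expires.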
  • Hi Mark, 

    Thanks for responding. Well, I am trying to federate with Hotmail and with our online Skype users. Is there any way for me to get around this without deleting the Lync Online SRV records?

    We have Office 365 users using Skype for Business, so I think we need the SRV records on the external DNS.


    Wednesday, November 4, 2015 3:49 PM
  • Hi Lion85heart,

    So it's a Hybrid environment?

    When creating DNS SRV records for hybrid deployments, the records _sipfederationtls._tcp.<domain> and _sip._tls.<domain> should point to the on-premises Access Edge.

    Best regards,

    Eric


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Mark ValeMVP Thursday, November 5, 2015 10:14 AM
    Thursday, November 5, 2015 1:43 AM
  • Hi

    sorry for the late response.

    Sounds like you have 2 separate installs, an online and on premise. In order to get this working you'll need to configure hybrid and shared sip address space between your on prem and online installations. For this to happen you also need AADSync and single sign on enabled on your Office 365 tenant if not done so already.

    Then once configured, remove the DNS records pointing to the cloud and leave the ones pointing to on premise. The web services (via Rev Proxy) will issue a redirect to the cloud for any identity it perceives as being in the cloud. This means then you will get federation on premises and in the cloud.

    thanks

    • Proposed as answer by Mark ValeMVP Thursday, November 5, 2015 10:14 AM
    • Marked as answer by Lion85heart Thursday, November 5, 2015 10:22 AM
    Thursday, November 5, 2015 8:56 AM
  • Hi Eric, 

    Thanks for taking the time to respond. 

    The issue is that when I joined the company we already had Lync\Skype for Business Online. So all of the SIP records and SRV\A records were already created. I was then asked by management to deploy Lync and have it integrated with our Polycom systems in each meeting room, since Polycom does not support Lync Online, and we are planning in the near future on integrating our PBX. I thought it would be easy.

    Now the FE and Edge server are set up and working externally for internal contacts. I can't get federation to work, and I don't want to break the Online Lync.

    So what I am guessing is that there is no way to federate my deployment to communicate with people outside my organisation unless I implement a hybrid set-up. So close but so far.

    Thursday, November 5, 2015 9:01 AM
  • Morning Mark,

    Thanks for your response. Good stuff. Is there anything else I need to do on the Lync on-prem side besides what you mention above, e.g. new internal/external certificates, internal DNS record changes? Also, do I still need to federate with Hotmail by going through the registration process?

    Thanks Mark, 

    Thursday, November 5, 2015 9:11 AM
  • Unfortunately, no, you need hybrid, but essentially if you have directory sync between your AD and the cloud and SSO enabled, then hybrid is pretty much 3 PowerShell commands. Pretty easy to set up with low risk.

    If you haven't got ADFS / SSO then you are in a little more complicated situation.

    You will need to remove the cloud identities for every user and then sync the on premise accounts to the cloud as there is no way to convert a cloud user to a synced user or vice versa. Not so bad for SfB, as you can export user data and re-import. If you are using Exchange Online then you must reconnect the mailboxes manually to each user, then if you use SharePoint and have custom permissions, then you would have to re-assign.

    Alternative is to enable all users on SfB on premise, remove the lync online records and just go on prem for the lot in the short term until you have figured out your strategy?

    thanks

    • Proposed as answer by Mark ValeMVP Thursday, November 5, 2015 10:14 AM
    • Marked as answer by Lion85heart Thursday, November 5, 2015 10:21 AM
    Thursday, November 5, 2015 9:13 AM
  • Hi

    Your public certs and internal certs should be fine if they contain sip.domain.com and webconf.domain.com.

    Just need to sign up to the PIC service, you'll need your Microsoft EA licence number to prove you are licenced for Lync. The process can take a few hours to a few days so don't expect it to be instant. Configure the federation and then one day it will work :)

    BTW you fed with Skype consumer. The hotmail person must have a Skype account to fed with.

    thanks

    • Proposed as answer by Mark ValeMVP Thursday, November 5, 2015 10:14 AM
    • Marked as answer by Lion85heart Thursday, November 5, 2015 10:21 AM
    Thursday, November 5, 2015 9:17 AM
  • Hi Mark, 

    We have a hybrid Exchange set-up with an on-premises Exchange 2010 CAS server syncing with Office 365, and we use DirSync for directory synchronization, so I am thinking we do have ADFS / SSO set up. Maybe there is somewhere I can check to confirm these settings?

    Thanks Mark,

    Thursday, November 5, 2015 9:23 AM
  • Hi

    That's good news. In Office 365 the identities should say Synced from On Premise or AD and not "in cloud".

    If you go to https://portal.office365.com and try to sign in with an account, does it redirect you to your ADFS server for auth? (Easiest way to check.) If it does, then that's good.

    From Lync on premise side it is really easy to implement hybrid from this point

    This will guide you through it https://technet.microsoft.com/en-us/library/jj205237(v=ocs.15).aspx

    Specific config: https://technet.microsoft.com/en-us/library/jj205126(v=ocs.15).aspx

    nice and easy to implement :)

    Just remember to sign up to PIC and once the above done, remove the lync online DNS records from your external DNS zone

    thanks

    • Proposed as answer by Mark ValeMVP Thursday, November 5, 2015 10:14 AM
    • Marked as answer by Lion85heart Thursday, November 5, 2015 10:21 AM
    Thursday, November 5, 2015 9:59 AM
  • Hi Mark,

    Thanks a million, for your assistance - really appreciate it. As you can see I am no expert. just learning as I go. Again a big thank you to yourself and Eric.

    If I encounter any other issues I will let you guys know.


    • Marked as answer by Lion85heart Thursday, November 5, 2015 10:06 AM
    Thursday, November 5, 2015 10:05 AM
  • No problem, appreciate it if you could mark the comments that helped you as answered or helpful :)

    Thursday, November 5, 2015 10:14 AM
  • Hi Mark,

    Hope all is well. I finally got around to attempting the Lync Hybrid set-up; however, I am faced with a new issue.

    "Certificate trust with another server could not be established";ErrorType="The peer certificate does not contain a matching FQDN";tls-target="sip.contoso.org";HRESULT="0x80090322(SEC_E_WRONG_PRINCIPAL)";source="access.contoso.org"

    I already registered the FQDN with the PIC and removed the external DNS records pointing to sipfed.online.

    I checked the GoDaddy external certificate and the only name listed is (access.contoso.org) and no sip.contoso.org.

    Maybe I need to do over a new certificate with sip.contoso.org as an alternative SAN?

    Friday, November 13, 2015 11:13 AM
  • Hi

    Yes, unfortunately you will need to rekey your public certificate to include sip.domain.com. sip.domain.com must be the common name and access. as a SAN. Include your webconf too.

    If you contact GoDaddy they will revoke your current cert and issue you with a voucher to rekey the cert for the amount of time you have left on the current certificate, so it will not cost you any more money, assuming you have capacity to add the additional SAN entry to the certificate.

    thanks

    • Marked as answer by Lion85heart Monday, November 16, 2015 2:14 PM
    Saturday, November 14, 2015 3:55 PM
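The SEC_E_WRONG_PRINCIPAL failure above is a plain hostname-versus-certificate check: the edge validated the peer against the `tls-target` it derived from routing (sip.contoso.org), and the presented certificate only carried access.contoso.org. The following is an added example, not code from the original thread or from Microsoft. It extracts the TLS target from the quoted diagnostic, applies RFC 6125 style name matching (exact match, or a single-label `*.` wildcard), and reports which of the names the thread says the public edge certificate needs are still missing. The certificates are constructed name lists rather than real X.509 objects, and the required-name list (sip, access, webconf) is an assumption taken from the advice in this thread.

```python
"""Added example (not part of the original thread): reproduce the name check
behind 'The peer certificate does not contain a matching FQDN'
(SEC_E_WRONG_PRINCIPAL) and list which names the public edge certificate still
lacks. Certificates below are constructed name lists, not real certificates; the
required-name list is an assumption based on the advice in the thread."""
import re

# Constructed copy of the diagnostic quoted above.
ERROR = ('"Certificate trust with another server could not be established";'
         'ErrorType="The peer certificate does not contain a matching FQDN";'
         'tls-target="sip.contoso.org";HRESULT="0x80090322(SEC_E_WRONG_PRINCIPAL)";'
         'source="access.contoso.org"')


def tls_target(diag: str) -> str:
    """Pull the name the edge was validating the peer against."""
    return re.search(r'tls-target="([^"]+)"', diag).group(1)


def host_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: exact match, or a '*.' wildcard that covers
    exactly one left-most label and never the zone apex."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def presented_names(cert: dict) -> list:
    """Names a verifier may match: the SAN dNSName list when present, else the CN only."""
    return list(cert["san"]) if cert["san"] else [cert["cn"]]


def matches_target(cert: dict, target: str) -> bool:
    return any(host_matches(n, target) for n in presented_names(cert))


def missing_names(cert: dict, required) -> list:
    return [r for r in required if not matches_target(cert, r)]


# Assumed set of names the external Access / Web Conferencing edge cert needs here.
REQUIRED = ["sip.contoso.org", "access.contoso.org", "webconf.contoso.org"]

# Constructed: the GoDaddy cert as described in the thread (access only) and a rekeyed one.
OLD_CERT = {"cn": "access.contoso.org", "san": ["access.contoso.org"]}
NEW_CERT = {"cn": "sip.contoso.org",
            "san": ["sip.contoso.org", "access.contoso.org", "webconf.contoso.org"]}


def check_cert(cert: dict, diag: str = ERROR, required=REQUIRED) -> dict:
    """Evaluate a cert against the failing TLS target and the full required list."""
    target = tls_target(diag)
    return {"target": target,
            "target_ok": matches_target(cert, target),
            "missing": missing_names(cert, required)}


if __name__ == "__main__":
    print(check_cert(OLD_CERT))   # target_ok False, missing sip. and webconf.
    print(check_cert(NEW_CERT))   # target_ok True, missing []
```

One caveat worth carrying into the rekey request: when a certificate has a SAN extension with dNSName entries, standards-following verifiers match only those entries and ignore the common name, so the name chosen as CN (sip.contoso.org in the advice above) must also be listed as a SAN. Listing every edge name in the SAN, with the CN duplicated there, is what the example's `presented_names` assumes and is the safe way to satisfy both Schannel and stricter clients.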
  • Good news and bad news, 

    Good news - federation is working now. On-Premise and Skype for business on-line users can now see presence and communicate

    Bad news - Skype for Business Online users cannot sign in when connected to our internal network; however, when they switch over to a 3G/4G/external network they are able to auto sign in without any issues.

    They are getting a certificate error issue and I am not sure how to resolve it without going to each computer and installing the internal certificate manually.
    Can someone please help?

    Friday, November 20, 2015 12:25 PM
  • Hi

    You will need to point lyncdiscover.domain.com and lyncwebservices.domain.com to your reverse proxy server so that these URLs get proxied to the front end via port 4443, which is the external web services for Lync.

    Did you configure shared sip address space on your tenant?

    thanks

    Saturday, November 21, 2015 9:13 AM