Does Skype for Business 2016 require TLS 1.0?

  • Question

  • Hello,

    We run Skype for Business 2016 that connects to our O365 account.  We have had no issues until we had to disable TLS 1.0 for PCI compliance.  I tested it out on my Windows 10 laptop and Skype won't connect.  It sits there waiting to connect to the server.  I checked the event log on my machine and saw this:

    Lync was unable to authenticate to the server BLU2A18FES01.infra.lync.com due to following error: 0x80090331.  

    Resolution: Please check that the password is correct and that the user name and SIP URI are specified correctly.  If the login continues to fail, the network administrator should verify that the user account is not disabled, that it is enabled for login to the service and that the password for the account hasn't expired or been reset.


    When I re-enable TLS 1.0 it works.  Any ideas what the issue may be?



    Tuesday, June 6, 2017 9:07 PM

All replies

  • Hi GeorgeNussbaum,

    SFB 2016 requires TLS.

    Skype for Business Server 2015 will offer TLS encryption protocols in the following order to clients: TLS 1.2, TLS 1.1, TLS 1.0. TLS is a critical aspect of Skype for Business Server 2015 and thus it is required in order to maintain a supported environment.

    For more details, please refer to

    https://technet.microsoft.com/en-us/library/dn481135.aspx

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alice-Wang Wednesday, July 19, 2017 8:12 AM
    Wednesday, June 7, 2017 2:01 AM
  • I understand it needs TLS and I have TLS 1.2 enabled but it still doesn't log in once I disable TLS 1.0.
    Thursday, June 8, 2017 8:35 PM
  • Hi GeorgeNussbaum,

    Thanks for your response.

    I understand that when you disable TLS 1.0, you can't sign in to the SFB client. Does that happen on a specific SFB client?


    Regards,

    Alice Wang



    Thursday, June 15, 2017 9:54 AM
  • I am having the same issue. Were you able to find an answer to this problem?
    Thursday, June 29, 2017 3:17 PM
  • I am having the same issue. When I disable TLS 1.0 I can no longer log in. It does not even give me the password field to input the password. When I turn TLS 1.0 back on I get the logon screen and can get in just fine. My SFB is through O365.
    Thursday, June 29, 2017 3:20 PM
  • My experience so far with TLS 1.0 disabling is not that S4B server doesn't support it, it's actually been SQL Server not working without it. I've tried jumping through the hoops of correctly disabling 1.0 and forcing 1.2 on SQL server and haven't yet been able to get Skype 4 Business to work without TLS 1.0 to SQL. I've tried it with SQL Server 2014, not 2016 yet. 
    Monday, July 24, 2017 6:17 PM
  • I agree.  Have tried the same, and Lync servers were unable to connect to SQL (both own instance and Back End SQL), despite following all the published documents about how to implement TLS 1.2 with SQL and .NET.  I suspect some code internal to some Lync services cannot use anything higher than TLS 1.0.
    Friday, September 8, 2017 9:42 PM
  • I did not find an answer to this.  Have you been able to since I first reported this?
    Thursday, September 28, 2017 8:31 PM
    Another issue I've seen when disabling TLS 1.0 is that the rtcsrv service often won't start. Re-enabling TLS 1.0 resolves the issue. Disabling SSL 2.0, SSL 3.0, PCT 1.0, RC2, and RC4 (except RC4 128/128), NULL, Multi Protocol Unified Hello, DES 56/56, SMBv1, LLMNR, all seem to be safe.
    Tuesday, October 17, 2017 9:07 PM
  • For our Edge servers, I disabled all that, plus RC4 128/128 & Triple DES 168.  Only impact was Win XP and Lync Phone Edition can not connect externally, but that was acceptable to us.
    Thursday, October 19, 2017 4:48 PM
  • I have the same issue. By the way we are using ADFS 3.0 for authentication

    Monday, October 23, 2017 5:30 AM
    After some testing I have found the issue, at least in my case. I verified that Skype is in fact making a TLS 1.2 connection and will fail to connect if the regkeys to disable TLS 1.0 (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0) are in place. What I did find was that if I enabled "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", the connection immediately connects and I have verified a TLS 1.2 connection.

    This is great and all, but FIPS introduces its own set of issues in my environment, for example RDP disabled on Windows 7 unless 3DES is enabled, which puts us out of another set of compliance for Sweet32 attacks.

    Is there a way to get Skype to connect without TLS 1.0 enabled and without enabling FIPS mode? Is this a cipher suite order issue?

    Tuesday, November 14, 2017 8:21 PM
  • The Handshake looks normal...

    A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.

       Protocol version: TLS 1.2
       CipherSuite: 0xC028
       Exchange strength: 384 bits
       Context handle: 0x2058854b4f0
       Target name: sippoolblu2a18.infra.lync.com
       Local certificate subject name:
       Remote certificate subject name: CN=*.online.lync.com

    But then I get this error if FIPS is not enabled:

    Creating a TLS client credential.

    A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

    Wednesday, November 15, 2017 3:14 PM
  • I can also confirm that Skype for Business 2016 fails to connect after disabling TLS 1.0 and leaving only TLS 1.1 & TLS 1.2 enabled.  The only change we made to our test systems was the disabling of TLS 1.0, no other alterations.  Reboot and it just sits there at the Sign in page.  FIPS is also not enabled on our systems.  Ironically normal Skype works without an issue.

    Looking in the System Event Logs there's a Schannel error every second dropped in the logs, the same one over and over.

    A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

    Friday, November 17, 2017 9:51 PM
  • Have you tried SchUseStrongCrypto on the clients and SfB server?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    • Edited by DJL Tuesday, December 19, 2017 10:59 AM
    Tuesday, December 19, 2017 10:58 AM
  • Have you tried SchUseStrongCrypto on the clients and SfB server?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001


    That is already set on our systems but it still fails.
    Tuesday, December 19, 2017 2:56 PM
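
The settings the posts above keep returning to (the Schannel TLS protocol keys, SchUseStrongCrypto, FIPS mode, and the repeating Schannel 10013 error) can be read off an affected client in one pass. The PowerShell below is an added, read-only example and is not part of any post; the `Client`/`Server` subkeys with `Enabled`/`DisabledByDefault` values and the `FipsAlgorithmPolicy` key are the standard Windows locations, which the posts do not spell out.

```powershell
# Added example (not from the thread): read-only audit of the client settings discussed above.
# Assumption: standard Schannel layout <Protocol>\Client|Server with Enabled / DisabledByDefault DWORDs.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. Schannel protocol switches for both roles.
$protocols = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$role"
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = Get-RegDword $key 'Enabled'
            DisabledByDefault = Get-RegDword $key 'DisabledByDefault'
        }
    }
}
$protocols | Format-Table -AutoSize

# 2. .NET strong-crypto flag, 64-bit and 32-bit views (keys quoted in the thread).
$dotnetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$dotnet = foreach ($key in $dotnetKeys) {
    [pscustomobject]@{ Key = $key; SchUseStrongCrypto = Get-RegDword $key 'SchUseStrongCrypto' }
}
$dotnet | Format-List

# 3. FIPS policy ("System cryptography: Use FIPS compliant algorithms ...").
$fips = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
"FIPS algorithm policy Enabled = $fips"

# 4. Count the fatal client-credential errors per hour, matched on the message text quoted above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*fatal error occurred while creating a TLS client credential*10013*' } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH') } |
    Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count
```

Running it once with TLS 1.0 enabled and once with it disabled gives two snapshots to compare, so the error count can be set against the exact registry state.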
  • If anyone hears of an update where Skype 2016 will run on only TLS 1.2, or Skype 2018 comes out and no longer needs either TLS 1.0 and TLS 1.1, please post.


    Dave


    • Edited by DaveBryan37 Tuesday, December 19, 2017 6:54 PM
    Tuesday, December 19, 2017 6:53 PM
  • We are experiencing the same issue as well. Disabled TLS 1.0 for PCI, now unable to sign in. Skype for Business through O365.

    Hopefully Microsoft addresses this soon.

    Friday, February 16, 2018 5:32 PM
    Microsoft had big notices popping up on Office365 saying support for TLS 1.0 was being dropped on March 31st, 2018.  I emailed our TAM and asked him if they were going to drop services for Skype customers and he said it was at the Skype product team.  Noticed the other day Microsoft is now saying they have extended TLS 1.0 support until next fall.

    Dave


    • Edited by DaveBryan37 Friday, February 16, 2018 5:36 PM
    Friday, February 16, 2018 5:36 PM
    I am also experiencing the same issue.

    After disabling TLS 1.0, Skype for Business won't connect.

    Client: Win10 LTSB 2016 with latest updates, Skype for Business 2015 with latest updates.

    TLS 1.2 was defined in RFC 5246 in August 2008, and in 2018 Microsoft still does not fully support it. Instead of making new versions, Microsoft should take more care about securing the existing ones.

    Thursday, April 5, 2018 1:20 PM
  • Hello George,

    Please refer to this long article on the prerequisites for disabling TLS 1.0 in SFB:

    https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/

    Thanks, Dan

    Tuesday, September 11, 2018 10:04 AM