none
Skype for Business causing domain AD account locked out RRS feed

  • Question

  • Hi,

    i have deployed Skype for Business to few of my laptop user. 

    They are facing account locked out issue, at first i thought it might be network mapped drive that caused this locked out issue.

    However apparently, it is the SKB that was causing the issue. I tried delete all credential in credential manager but this did not solve my issue.

    Any feedback is appreciated.

    Thanks.

    Wednesday, August 14, 2019 4:22 PM

All replies

  • Hi min777,

    In my experience, it may lock out a user if:

    1) A user changed his password recently,

    2) The user has previously checked the "save my password" / "remember my credentials" box for SFB client.

    I suggest you could try the following steps to see if it helps:

    1. Ensure that the AD account is not locked.

    2. On the client side, delete the sip user profile cache:  %useprofile%\AppData\Local\Microsoft\Office\1x.0\Lync\sip_xxx

    Related Registry Key: HKCU\Software\Microsoft\Office\1x.0\Lync\UserName@Domain.com

    Client certificate: Run “Certmgr.msc”, go to certificate store “Personal” – “Certificates” – Delete the client certificate “user@domain.com”.

    Remove cached credentials under Credential Manager.

    3. Try to login the SFB client, if it prompts for the user password, type the new one. Then check if the user is not locked.


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, August 15, 2019 2:45 AM
    Moderator
  • Hi Shaw,

    Thanks for the info.

    1) user hasn't change his password

    2) yes, the password is stored so that SKB can sign in automatically for them. i followed the guide to remove the cache, but the problem still occur. the weird part is the account locked out only occured if i open the outlook together with SKB.

    Scenario:-

    Connected to VPN and enabled proxy connection. open SKB and sign in success. User account not locked out. When i open outlook 2010, my domain account is locked out immediately. is there a way i can separate outlook and SKB so they that wont link?

    Thursday, August 15, 2019 3:43 AM
  • Hi min777,

    Which version of Skype for Business client do you use, Lync 2010, Skype for Business 2015/2016?

    Do you use the same account for Outlook and Skype for Business client?

    Did it only happen on the VPN client?

    Please check the lock reason for the user in AD security Event.

    Please have a try to recreate the Outlook profile with the default account same as the SFB account.

    And in SFB client option, you could unselect the options under “Exchange and Outlook integration”.


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, August 15, 2019 8:23 AM
    Moderator
  • Hi Shaw,

    I'm using Skype for business 2016 and outlook 2010.

    The outlook and skype for business is two different ID. And the SKB is using ID from C@xxx.onmicrosoft.com while outlook is c@xxx.com

    Yes, it only happen to VPN client and the lock reason in AD security is 4625 with logon type 3.

    In SFB client, the exchange and outlook integration at general tab are already deselect, but account still locked out.

    Thanks.

    Thursday, August 15, 2019 12:59 PM
  • Hi min777,

    As the SFB account is different from Outlook account, do you use Skype Online account and Exchange on-premise, and do you have any hybrid environment?

    As you said, Skype client could sign in successfully without lock. I think it may be related to Outlook. If only open Outlook, would the account be locked?

    In addition, I think you could install some network monitor tools (e.g. fiddler) on the client, check the network traffic when it happened.  


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, August 20, 2019 8:47 AM
    Moderator
  • Hi,

    Is there any update on this case?

    Please feel free to drop us a note if there is any update.

    Have a nice day!


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, August 23, 2019 9:42 AM
    Moderator
  • I am checking the status of this case. Please let us know if you would like further assistance.

    Meanwhile, if the reply is helpful to you, please try to mark it as an answer to close the thread, it will help others who encounter the same issue and read this thread.

    Thank you for your understanding and patience!


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, August 26, 2019 10:04 AM
    Moderator
  • Hi Shaw,

    I'm using Skype Online account, however the email configured at outlook 2010 is not exchange on-premise.

    We do have exchange server, however this outlook 2010 that we setup does not configured any exchange profile.

    If only open outlook, the account wont be locked out, it only locked out when both of the app is opened.

    Thanks.

    Wednesday, September 4, 2019 10:18 AM
  • Hi,

    According to your description, I assume you use personal mail profile.

    I suggest that you check the client EWS status via registry key:

    HKCU\Software\Microsoft\office\1x.0\Lync\<useraddress>\Autodiscovery

    Check the following urls value to see if they are correct with your environment:

    ExternalAvailabilityServerUrl

    InternalAvailabilityServerUrl

    ExternalEwsUrl

    InternalEwsUrl

    ExternalOofServerUrl

    InternalOofServerUrl


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, September 9, 2019 9:12 AM
    Moderator
  • Hi Shaw, i found in my regedit, HKCU\Software\Microsoft\office\16.0\Lync\<useraddress>\LyncAutodiscovery, below is the screenshot, which one i need to modify?

    please advise:-


    FYI,




    • Edited by min777 Tuesday, September 10, 2019 11:06 AM
    Tuesday, September 10, 2019 11:02 AM
  • Hi min777,

    Please check if you have “Autodiscovery” items, as below:


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, September 11, 2019 2:58 AM
    Moderator
  • Hi Shaw,

    Thanks for your reply. unfortunately, doesnt have the path that you have screenshot at my PC.



    Wednesday, September 11, 2019 3:51 AM
  • Hi Shaw,

    Any update for this case?

    Does SKB has any interaction with Exchange Server?

    Because we do have exchange 2016 on premise, but the exchange email profile is never setup in the user laptop. Does this have relation to my account lockout issue?

    or is it still relate back to my network map drive that causing the issue?

    Thursday, September 19, 2019 9:41 AM
  • Hi,

    Skype for Business client would try to access Exchange Autodiscover and EWS URL based on the user SMTP domain.

    For example, user SMTP domain is a.com, then Skype for Business client would try to access https://autodiscover.a.com.

    I think it is better to do a network monitor to check what happened during the sign in process.

    And about network mapping, have a try to remove it and check if it is related.


    Best Regards,
    Shaw Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, September 19, 2019 9:47 AM
    Moderator