Lync 2010 and Skype 2015 coexistence TLS outgoing connection failures.

  • Question

  • During our upgrade to S4B Server 2015 (and ultimately to 2019), our Lync 2010 pool logs the following error in the event logs. I have searched multiple KBs on the same error but none with 0x80090308 (The token supplied to the function is invalid). Is this server referring to the front end pool or the edge pool?

    Would this also prevent communication from the 2010 to 2015? We are able to initiate and send IMs from 2015 to 2010, but not the other way around. If a 2010 pool user receives an IM from a 2015 user, the 2010 user's responses fail to send. 


    TLS outgoing connection failures.

    Over the past 15 minutes, Lync Server has experienced TLS outgoing connection failures 14 time(s). The error code of the last failure is 0x80090308 (The token supplied to the function is invalid) while trying to connect to the server "skypepool.domain.com" at address ["IP":5061], and the display name in the peer certificate is "Unavailable".
    Cause: Most often a problem with the peer certificate or perhaps the DNS A record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
    Resolution:
    Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

    Tuesday, November 19, 2019 5:17 PM

Answers

  • Thanks! This was a big help. 

    We ran through all the documentation that you listed above, and all was right. We did find some areas that we misconfigured, but what ultimately fixed it was adding the following registry values.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001

    The servers would just not make any TLS connections until that was put in and the servers restarted. 

    Thanks again for your help!

    • Marked as answer by Jared. T Friday, November 22, 2019 7:20 PM
    Friday, November 22, 2019 7:19 PM
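
A read-only check of the four values from the answer above, as an added PowerShell example that is not part of the original thread. It also lists SChannel client protocol overrides, because with SystemDefaultTlsVersions set to 1 .NET Framework leaves protocol selection to the operating system; Get-DwordOrNull is a helper name introduced here.

```powershell
# Added example: read-only audit of the values from the answer above.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$netReport = foreach ($key in $netKeys) {
    $value  = Get-DwordOrNull -Path $key -Name 'SystemDefaultTlsVersions'
    $status = 'differs from the answer'
    if ($null -eq $value) { $status = 'NOT SET' } elseif ($value -eq 1) { $status = 'set as in the answer' }
    New-Object PSObject -Property @{ Key = $key; Value = $value; Status = $status }
}

# SChannel per-protocol client overrides: these decide what "system default"
# resolves to once the value above is 1. Absent keys mean OS built-in defaults.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$schannelReport = Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $client = Join-Path $_.PSPath 'Client'
    if (Test-Path $client) {
        New-Object PSObject -Property @{
            Protocol          = $_.PSChildName
            Enabled           = Get-DwordOrNull -Path $client -Name 'Enabled'
            DisabledByDefault = Get-DwordOrNull -Path $client -Name 'DisabledByDefault'
        }
    }
}

$netReport | Select-Object Key, Value, Status | Format-Table -AutoSize
if ($schannelReport) {
    $schannelReport | Select-Object Protocol, Enabled, DisabledByDefault | Format-Table -AutoSize
} else { 'No SChannel client protocol overrides found; OS built-in defaults apply.' }
```

Run it on each server in both pools and compare the output; as the answer notes, the values only took effect after the servers were restarted.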

All replies

  • Hi Jared. T!

    Is the user you communicate with internal or external?

    If the user is internal, the server refers to the front end pool. But if the user is external, this server refers to the Edge pool.

    In my research, there are some possible causes that can produce this error:

    1. The server is using a certificate with an outdated signature algorithm
    2. The server doesn’t expect SSL over this port
    3. The server returns a large number of CAs in the handshake. The following link tells us to delete a large number of certificates that were not needed:

    https://mikestacy.typepad.com/mike-stacys-blog/certificates/ 

    We recommend troubleshooting the issue in these ways:

    1. Check your CA root.
    2. Check that the certificate contains the FQDN somewhere in its subject or SAN fields. The following picture shows certificate SAN fields in Front End Server and Edge Server.
    3. Check your DNS records.

    You could also use the Microsoft Remote Connectivity Analyzer to test whether there are any connectivity issues:
    https://testconnectivity.microsoft.com/

    For more details about upgrading Lync 2010 to Skype for Business 2015, you can refer to the following article:

    https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/upgrade?redirectedfrom=MSDN

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Best Regards,
    Jimmy Yang

    Wednesday, November 20, 2019 7:10 AM
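
The checks listed in the reply above and in the event's Resolution text (FQDN present in the certificate's subject or SAN, and every DNS address of the pool presenting a matching certificate), as an added PowerShell example that is not part of the original thread. The FQDN and port are the ones quoted in the event text; Test-PeerCertificateName is a helper name introduced here.

```powershell
# Added example. The values below are the ones quoted in the event text on this page.
$PoolFqdn = 'skypepool.domain.com'
$Port     = 5061

# Hypothetical helper: connects to one address, records the certificate the peer
# presents and whether $Fqdn appears in its subject or SAN.
function Test-PeerCertificateName {
    param([string]$Fqdn, [System.Net.IPAddress]$Address, [int]$Port)
    $script:peerCert = $null
    $script:policyErrors = $null
    # Record the certificate and the validation result, then let the handshake
    # continue so both can be reported. No application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $errors)
        if ($cert) { $script:peerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert }
        $script:policyErrors = $errors
        $true
    }
    $failure = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)   # uses this machine's .NET default protocols
    } catch {
        $failure = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    $subject = $null; $sanText = ''; $nameMatch = $null
    if ($script:peerCert) {
        $subject = $script:peerCert.Subject
        $san = $script:peerCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        if ($san) { $sanText = $san.Format($false) }
        # Exact, case-insensitive match on whole names; wildcard entries are not expanded.
        $nameMatch = ("$subject,$sanText" -split '[=,\s]+') -contains $Fqdn
    }
    New-Object PSObject -Property @{
        Address = $Address; HandshakeError = $failure; Subject = $subject
        SAN = $sanText; PolicyErrors = $script:policyErrors; FqdnInCertificate = $nameMatch
    }
}

# A DNS load balanced pool returns several addresses; each one is checked separately.
[System.Net.Dns]::GetHostAddresses($PoolFqdn) | ForEach-Object {
    Test-PeerCertificateName -Fqdn $PoolFqdn -Address $_ -Port $Port
} | Format-List Address, HandshakeError, Subject, SAN, PolicyErrors, FqdnInCertificate
```

A row with no Subject means the handshake ended before a certificate was received, so name and trust cannot be judged from that row.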