To troubleshoot Skype for Business Online sign-in errors, start by eliminating the most common causes of sign-in difficulty. If necessary, you can then follow specific resolution steps based on the type of error. If the user still cannot sign in, collect additional information, and then seek additional help.
Question: Q: After upgrading to Catalina, Skype-for-Business-for-Mac fails with cert problem. I was running nicely on Mojave (10.14) with.
Most sign-in issues can be traced to a small number of causes, and many of these are easy to correct. The table below lists some common causes of sign-in errors and some steps you or the users can take to resolve them.
Possible Cause | Resolution |
---|---|
During sign-in, a dialog box appears that contains the following phrase: cannot verify that the server is trusted for your sign-in address. Connect anyway? | Verify that the domain name in the dialog box is a trusted server in your organization—for example, domainName.contoso.com. Ask the user to select the Always trust this server check box, and then click Connect. Enterprise customers can prevent this message from appearing when a user signs in for the first time by modifying the Windows registry on each user's computer. For details, see Modify TrustModelData registry keys. |
Mistyped sign-in address, user name, or password | Confirm that the user's sign-in name and password are correct. Verify that the user's sign-in name is formatted as follows: bobk@contoso.com. This may be different from the format you use to sign in to your organization's network. Ask the user to try signing in again. |
Forgotten password | Reset the user's password and notify him or her of the new temporary password. |
Not licensed to use Skype for Business Online | Confirm that the user is registered as a Skype for Business Online user. If not, register the user, and then ask him or her to sign in again. |
Wrong version of Skype for Business Online installed | This issue is usually associated with an error message that contains the following phrase: the authentication service may be incompatible with this version of the program. Ask the user to uninstall and reinstall Skype for Business Online from the Microsoft 365 admin center. |
Problem acquiring a personal certificate that is required to sign in | If the user's sign-in address has recently changed, they may need to delete cached sign-in data. Ask users to sign out, click the Delete my sign-in info link on the sign-in screen, and then try again. |
You set up a custom domain name, and the changes may not have finished propagating through the system. | First, ensure that you have modified the Domain Name Service (DNS) records to reflect the change. If you have already made the necessary DNS changes, advise the user to try logging in later. DNS changes can take up to 72 hours to be reflected throughout the system. |
System clock out of sync with server clock | Ensure that your network domain controller is synchronizing with a reliable external time source. For details, see the Microsoft Knowledge Base article 816042, How to configure an authoritative time server in Windows Server. |
Important
These instructions are intended primarily for Microsoft Office 365 Plan E customers. If you are an Office 365 Plan P customer, continue to the following section, Collect more information and seek additional help.
If the user cannot sign in after you have tried the suggestions in the previous section, then you can do additional troubleshooting based on the type of error. The table below lists the most common error messages and possible causes. Following the table are detailed procedures to address each issue.
Error message | Possible cause | Resolution |
---|---|---|
Sign-in address not found | Sign-in requests from the Microsoft Online Services Sign-On Assistant (msoidsvc.exe) are not going through your external firewall, or proxy server. | Add a firewall entry for msoidsvc.exe to your proxy server |
Server is temporarily unavailable | If your organization has a custom domain, the necessary Domain Name System (DNS) settings may be missing or incorrect. | Update DNS settings |
Server is temporarily unavailable | If your organization is using single sign-on with Active Directory Federation Services (ADFS), you may have used a self-signed Secure Socket Layer (SSL) certificate rather than one from a third-party certification authority. | Install a third-party SSL certificate on your ADFS server |
Problem acquiring a personal certificate that is required to sign in | If you've already removed the cached server data used to sign in and the error continues to appear, the user's security credentials may be corrupted, or an RSA folder on the user's computer may be blocking authentication. | Update security credentials |
A certificate trust dialog box appears when a user signs in for the first time. | This dialog box appears if your Skype for Business server is not yet listed in the TrustModelData registry key. | Modify TrustModelData registry keys |
User is not SIP enabled | If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services. | Update user settings in Active Directory |
This procedure is a possible fix for the following error message: Sign-in address not found.
Note
The following steps assume you are using Microsoft Forefront Threat Management Gateway (TMG) 2010. If you have a different web gateway solution, use the settings described in step 4 below.
To create an application entry for Msoidsvc.exe in Forefront TMG 2010, follow these steps:
1. In the Forefront left pane, click Networking.
2. Click the Network tab. Under the Tasks tab in the right pane, click Configure Forefront TMG Client Settings.
3. In the Forefront TMG Client Settings dialog box, click New.
4. In the Application Entry Setting dialog box, configure the following rules:
Application | Key | Value |
---|---|---|
msoidsvc | Disable | 0 |
msoidsvc | DisableEx | 0 |
For details, see the Microsoft Knowledge Base article 2409256, You cannot connect to Skype for Business Online because an on-premises firewall blocks the connection.
If your organization has a custom domain, this procedure is a possible fix for the following error message: Server is temporarily unavailable.
Contact your domain name registrar for information on how to add the following CNAME record to your domain:
DNS record type: CNAME
Name: sip
Value/Destination: sipdir.online.lync.com
For details, see the Microsoft Knowledge Base article 2566790, Troubleshooting Skype for Business Online DNS configuration issues in Microsoft 365 or Office 365.
To install a third-party SSL certificate on your Active Directory Federation Services (ADFS) server, follow these steps:
1. Obtain an SSL certificate from a third-party certification authority such as VeriSign or Thawte.
2. Install the certificate on your ADFS server by using the ADFS management console.
This procedure is a possible fix for the error message Problem acquiring a personal certificate required to sign in.
To eliminate possible certificate or credential problems, first renew the user's certificate in Windows Certificate Manager. To do this, follow these steps:
1. Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.
2. Double-click Personal, and then double-click Certificates.
3. Sort by the Issued By column, and then look for a certificate that is issued by Communications Server.
4. Right-click the certificate, and then click Delete.
Next, if the user is running Windows 7, remove their stored credentials in Windows Credential Manager. To do this, follow these steps:
1. Click Start, click Control Panel, and then click Credential Manager.
2. Locate the set of credentials that is used to connect to Skype for Business Online.
3. Expand the set of credentials, and then click Remove from Vault.
4. Sign in again and reenter the user's credentials.
Finally, if the user still cannot sign in after you've updated their credentials, try deleting the RSA folder on the user's computer, because it could be blocking completion of the user authentication process:
1. Sign in to the user's computer using an administrator account.
2. If necessary, turn on the folder view option Show hidden files.
3. Type the following into the address bar of File Explorer: C:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA, where UserName is your Windows sign-in name.
4. Delete any folder that begins with the name S-1-5-21- followed by a string of numbers.
When a user signs in for the first time, they may receive a dialog box that contains something like the following: Cannot verify that the server is trusted for your sign-in address. Connect anyway? This is a security feature, and not an error. However, you can prevent the dialog box from appearing by using a Group Policy Object (GPO) to update users' machines with your domain name before they sign in for the first time. To accomplish this, do the following:
Important
You must append your domain name to the existing value, not simply replace it.
For details, see the Microsoft Knowledge Base article 2531068, Skype for Business (Lync) cannot verify that the server is trusted for your sign-in address.
If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services.
To fix this issue, follow these steps:
1. Update the msRTCSIP-UserEnabled attribute for all affected users to TRUE.
2. Rerun the Microsoft Online Services Directory Synchronization Tool (DirSync). For details, see Integrate your on-premises directories with Azure Active Directory.
If you're still not able to resolve the user's sign-in problems, review the suggestions in Microsoft Knowledge Base article 2541980, How to troubleshoot sign-in issues in Skype for Business Online.
If you've followed the guidance above and still can't resolve your sign-in issues, you must collect additional information and contact technical support. To do this, follow these steps:
1. Obtain the log files and Windows Event log details from the user's machine. For step-by-step instructions, see the end-user help topic Turn on error logs in Lync.
2. Send the log files and detailed information about the error to Microsoft technical support.
You may be asked to supply additional diagnostic information by installing the Microsoft Online Services Diagnostic and Logging (MOSDAL) Support Toolkit on the affected user's machine. For details, see Using the MOSDAL Support Toolkit.
I've been having this issue for quite some time as well, and have been working with a Microsoft Skype for Business (SfB) support engineer on it. To be certain it's the same, or similar-enough issue, here's the setup I've been working with (or against it seems):
* Skype for Business 2016 (any version, including latest in the insider 'Fast Ring' releases)
* Macbook Pro - Early 2011
* OS X 'El Capitan' - v10.11.6
* Corporate domain is on Azure AD (Active Directory)
* When signing in with the AD account, you are either a) given a choice between 'Work or school account' or 'Personal account', b) usually automatically redirected to the company branded signon page.
If that matches up, the next step is to check the certificate which is on the domain's federation services (ADFS) host. This may require getting IT involved to find it, or reviewing the SfB logs.
When you get the host name, for example, 'adfs.mycompany.com', go to that address via HTTPS in Safari. So you'd go to 'https://adfs.mycompany.com'. Once there, click on the lock to the left of the address in the address bar and click the 'Show Certificate' button. Make sure that the selected certificate, in the tree view at the top, is the bottom-most one. The bottom pane should show some brief certificate info (Issued by, Expires, 'This certificate is valid' type message, etc.). Expand the 'Details' section in that lower pane, and look for the 'Signature Algorithm' line, which should be, roughly, the 12th one down. If on that line, you have something similar to 'SHA-512 with RSA Encryption' (forget about the long number afterward), then that is the source of the issue with logging on, and also, activating Office 365 (if you have a company account for it).
OS X prior to 10.12 (Sierra) does not *natively* support 512 bit certificate signatures. So while browsers and everything else show that, yes, the certificate is good, valid, unexpired, etc., the low level network stack in OSX, which is used by SfB to initially connect, does not, so it cannot validate that the certificate is valid, thus causing this issue.
Unfortunately, at this time, there doesn't appear to be a way to wedge in support for 512 algorithms in OSX, and that includes forcibly upgrading/linking openssl. The only way I've found to date, to use SfB on anything less than 10.12.x, is to essentially MITM yourself, using a proxy application, such as Charles, which will create its own fake certificate which you must trust, to connect.
I apologize for such a long writeup, but given that despite my hours and hours and hours spent over months of researching the issue, I hope to provide as much useful and helpful information as possible for any future Googlers/Bingers/DuckDuckGoers/etc.
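The 'Signature Algorithm' check described in the post above can be scripted. This is an added example, not part of the original post or of any Microsoft tooling: a standard-library Python parser that reads the outer signatureAlgorithm OID of a DER certificate and flags SHA-512 based signatures. `skeleton_cert` builds constructed sample input (X.509 framing only, not a real certificate), and `fetch_der` is an assumed helper for live hosts that retrieves the leaf certificate without validating the chain.

```python
import ssl

# Dotted OIDs of common X.509 signature algorithms.
SIG_ALGS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA512_ALGS = {"1.2.840.113549.1.1.13", "1.2.840.10045.4.3.4"}


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def signature_algorithm(der_cert):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der_cert, 0)      # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(cert, 0)             # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id, 0)     # algorithm OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected signatureAlgorithm encoding")
    dotted = decode_oid(oid)
    return dotted, SIG_ALGS.get(dotted, "unknown")


def uses_sha512_signature(der_cert):
    """True when the certificate is signed with a SHA-512 based algorithm."""
    return signature_algorithm(der_cert)[0] in SHA512_ALGS


def fetch_der(host, port=443):
    """Fetch a server's leaf certificate as DER. The chain is NOT validated."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def der_tlv(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def skeleton_cert(oid_bytes):
    """Constructed sample: X.509 framing only, with zero-filled placeholders."""
    alg = der_tlv(0x30, der_tlv(0x06, oid_bytes) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg + der_tlv(0x04, bytes(200)))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, bytes(65)))


if __name__ == "__main__":
    for oid_hex in ("2a864886f70d01010b", "2a864886f70d01010d"):
        cert = skeleton_cert(bytes.fromhex(oid_hex))
        print(signature_algorithm(cert), "SHA-512:", uses_sha512_signature(cert))
```

For a real host, pass the result of `fetch_der("adfs.mycompany.com")` to `uses_sha512_signature`; a `True` result matches the condition the post identifies on OS X releases before 10.12.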