Excitement has grown around the Kloud office of late as each state waits with anticipation of a Surface Hub arriving to connect to our Skype for Business environment. The 84 inch Surface Hub destined for our Adelaide Boardroom which I nicknamed ‘Godzilla’ has had only one problem since installation, it fails to login to Skype for Business. Which makes this device go from a high end meeting room endpoint to a what I could only say is a giant tablet for games of tick tac toe, therefore this became my problem rather quickly. Everything seemed so pleasant following the initial steps from the out of box experience (OOBE). The Hub asked me questions, I responded politely with what I thought were all the right answers with a big smile on my face.

You could feel the electricity in the air.

This first date was going pretty smoothly I thought. Maybe the Hub caught wind of the nickname I was calling it around the water cooler in the office, because after our first date and the Hub launched into its standard meeting experience, an error was presented. Skype for Business would timeout and eventually say ‘login failure‘.

Oh dear!

A quick look around the Hub’s administrative settings I could see that the account configured for mail was saying ‘synced‘ and I could verify this with a quick white board and ‘send to email‘, which arrived promptly to my inbox. Furthermore with my laptop in toe I could successfully login to a Skype for Business soft client with the Hub’s credentials. What is unique to the Hub client is that its does some extra validation on the account over other SFB clients that I’m familiar with. I’ll explain..

The device account I had for the Hub was in the ‘hub@domain.com.au‘ SIP domain, but the Active Directory (AD) FQDN of the connected servers was different. In Kloud’s circumstance I didn’t think much of this issue as our Hub was logging in over an internet connection through the Edge Server that has an access FQDN of sip.domain.com.auwhich to me were the same domain. A quick login to the Edge Server logs didn’t present many results of an attempt of SIP from hub@domain.com.au. The Hub was using autodiscover to kick off the process of login to Lyncdiscover.domain.com.au I knew that much and must be failing. Using the Remote Connectivity Analyser (RCA) I could verify the login process for the account was successful and green ticks appeared against all lines. I thought to myself

What have I said to Godzilla to hurts its feeling so badly? That it deliberately wants to make my life hard

If you run a Skype for Business Autodiscover Web Service test on https://testconnectivity.microsoft.com the following process is attempted to the Autodiscover Web Service URL:

https://lyncdiscover.domain.com.au/Autodiscover/AutodiscoverService.svc/root.

  1. Attempting to resolve the host name lyncdiscover.domain.com.au in DNS.
  2. Testing TCP port 443 on host lyncdiscover.domain.com.au to ensure it’s listening and open
  3. Testing the SSL certificate to make sure it’s valid
  4. Host name lyncdiscover.domain.com.au was found in the Certificate Subject Alternative Name entry
  5. Testing HTTPS authentication methods for URL https://lyncdiscover.domain.com.au/Autodiscover/AutodiscoverService.svc/root/user.
    HTTP authentication methods successful.
  6. Testing HTTP content for URL https://lyncdiscover.domain.com.au/?sipuri=hub@domain.com.au has token=”User”.
  7. Found as expected token=”User” and confirmed anonymous access not allowed.
    HTTP Response Headers:
    Connection: Keep-Alive
    Pragma: no-cache
    X-MS-Server-Fqdn: AUSFBFE01.domain.local
    X-MS-Correlation-Id: 2147484240
    client-request-id: b6d465f4-f318-485e-8d3e-06b32524fd3d
    X-Content-Type-Options: nosniff
    Content-Length: 1047
    Cache-Control: no-cache
    Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
    Date: Sat, 25 Mar 2017 11:49:23 GMT
    Expires: -1
    Elapsed Time: 127 ms.

In the above web request Lyncdiscover told the Hub that the registrar server its connecting to has a X-MS-Server-Fqdn with domain.local, which it did not automatically trust. Microsoft do state this in an article:

  • Multiple DNS suffixes – When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn’t match the suffix of the sign-in address (SIP) for Skype for Business.

followed by examples:

Tip

You can type multiple domain names, separated by commas.
For example: lync.com, outlook.com, lync.glbdns.microsoft.com

For some reason it didn’t click with me as these are all domains used for Office 365 that are publicly accessible DNS zones. My logic was that we were connecting via edge ‘sip.domain.com.au‘ and I had a ‘hub@domain.com.au‘ I wouldn’t need anything added because my SIP Address = Edge FQDN domain, plus its bound to matching SAN entries in a publicly signed certificate. Kloud isn’t a hosting provider that services thousands of SIP domains like Office 365 which it cannot have in its edge certificate as Microsoft aren’t authoritative for. This is why Office 365 get customers to add CNAME’s to their endpoints and perform 80 to 443 port wizardry where possible, allowing clients to bind SSL to correct Microsoft service names.

What Microsoft are trying to say is

If your SFB SIP domain doesn’t match your Active Directory infrastructure domain name that your SFB servers are joined to, you need to add via the following

Add ‘domain.local‘ into the Hub via Settings -> This Device -> Calling

Lastly, this doesn’t matter if your logging the Hub in via the internet or internal LAN, you will get this mismatch with all domains that were created not matching the primary SIP/SMTP domain I would suggest.  Additionally, if your logging your Hub in via LAN you will most probably need to bundle up some certificates as the Hub will not trust your certificate authority used for signing Front End certificates that would include domain.local SANs which Public Certificate Authorities reject.

You’ll be happy to note that Godzilla and I are now on speaking terms again. We quite regularly have catch ups via Skype with colleagues and its all smiles once again.

Category:
Communication and Collaboration, Skype For Business
Tags:
, ,

Join the conversation! 2 Comments

  1. Great work Arran!

    Reply
  2. tremendous work man…Keep going

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: