• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 942
  • Last Modified:

Cannot connect to Lync Online (Office 365)

Hello experts,

We were using an on-premise Lync 2013 Server for the last 2 years. Now that our group has merged with another group, we chose to go 'cloud' with them.

So what we did was to change our local split-DNS and external DNS entries, according to documentations found on some office365 websites.

BTW Exchange works fine for everyone.

Most of our users are connecting to Skype for Business Online, but at some locations, our employees cannot. They are all getting the same error regarding DNS

(I'll replace our external domain name for contoso)

"Can't sign in to Skype for Business"

"Skype for Business couldn't find a Skype for Business Server for contoso.ca. There might be an issue with the Domain Name System (DNS) configuration for your domain. See KB2566790 for details and contact your system admin."

Every locations has a DC with DNS server role. So I've checked our internal DNS servers, to make sure everything was replicating fine, and it does. All our DNS servers have the following entries regarding Lync

Forward Lookup Zones

- contoso.ca
name: lyncdiscover    Type: CNAME     Data: webdir.online.lync.com
name: sip    Type: CNAME     Data: sipdir.online.lync.com

- _tcp
name: _sipfederationtls    Type: SRV     Data: sipfed.online.lync.com (5061)

- _tls
name: _sip    Type: SRV     Data: sipdir.online.lync.com (443)

If I run a ‘lync connectivity analyzer’ on problematic workstation, I get the following error:

Server discovery failed for unsecured external channel against http://lyncdiscover.contoso.ca/

I attached the log file.

Thanks for any help you could provide
  • 6
  • 4
1 Solution
Vasil Michev (MVP)Commented:
The easiest way to confirm whether it's a DNS issue is to configure SfB manually. So File -> Personal -> Advanced -> Manual config -> set sipdir.online.lync.com:443 for both internal/external -> confirm -> restart the client. Cleaning your sign-in info or directly the profile dir (under C:\Users\XXXX\AppData\Local\Microsoft\Office\16.0\Lync) can also help in some situations.

If you are able to connect, focus on finding out why the DNS lookup is failing. If you still cannot connect, might be a firewall/proxy issue or something else entirely. Another common situation is when the SIP address doesnt match the UPN and user confuse what to enter where, the error message you get in such cases can sometimes be a bit convoluted...
deewaveAuthor Commented:
Hi Vasil

I've tried sipdir.online.lync.com:443 for both internal and external server name, now I get the error
"The server is temporarily unavailable. If the problem continues, please contact your support.team."

I've also try to browse https://sipdir.online.lync.com from a working location and the other.
From the working one, I browse a page with some text

Status: 404 Not Found
Server: RTC/7.0
FQDN: BN11A01EDG08.infra.lync.com

From a problematic location, I simply cannot get to the page: "The webpage cannot be found"

Also, I've test with Google's DNS as primary nameserver, and I can connect on Lync!
Vasil Michev (MVP)Commented:
Looks like a firewall/proxy issue on top of the DNS one? Better check with your network guys.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

deewaveAuthor Commented:
Well, I'm the network guy ;)

I'm 99% sure it's not a firewall issue. We have SonicWall router everywhere, with same security config for each locations (except our datacenter which is not part of this matter). I gave a try though, with no security (antivirus, app control, etc...), same result

I've noticed the locations that are not a full /24 subnet all have the problem. Simple coincidence?
deewaveAuthor Commented:
If I log on my user's computer with his credentials, I can't open SfB as mentioned above. But if I log on his computer with the domain admin account, and put my user's credentials in SfB, it works perfect!

I tried to give my user local admin rights to his pc, but it doesn't resolve the problem.

I also tried to log on his pc with my credentials (I'm member of Domain Admin group), but it gave the same error as above.

So, that being said, what could cause this issue? Obviously it has something to do with rights.

Thanks for any help you could provide

Vasil Michev (MVP)Commented:
Are you perhaps using mandatory profiles or similar? Or restricting access to the registry? SfBO uses certificate-based auth and the user must have enough permissions to create a certificate and store it in the registry. You can check whether there are any "communications server" certificates under certmgr.msc -> Personal.
deewaveAuthor Commented:
I'm not quite sure what mandatory profiles are, and how to verify if we have any. All I know is that Skype is working fine for that same user with DNS or logging from another location.

No there are no certificates in his Personal\Certificates store.
I tried to export the one created with the domain admin account, and import it in his store. It imported succesfully (so I guess he can create a cert and write to registry), but it' still failing to connect to SfB
Vasil Michev (MVP)Commented:
Not sure, you seem to have few issues contributing to this. The manual configuration should bypass any issues with the local DNS servers, but apart from there seems to be something else in play. Perhaps you are forcing a proxy or different firewall rules for the different profile types?
deewaveAuthor Commented:
After more than a week, finally found the culprit.

Some of our divisions have a VPN tunnel to our HeadOffice. These divisions were not in problem. When I set the tunnel also from the other divisions, Lync started to work again.
Even if Lync Online is on the cloud, authentication has to be made against our AD. This authentication is done from the Head Office.
I don't know what suddenly cause the issue (surely something on the Head Office side), but having a tunnel from each location to the Head Office resolved the issue

Thanks Vasil for your time.
deewaveAuthor Commented:
found my own solution

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now