Cannot connect to Lync Online (Office 365)

Posted on 2016-10-07
Medium Priority
Last Modified: 2016-10-24
Hello experts,

We were using an on-premise Lync 2013 Server for the last 2 years. Now that our group has merged with another group, we chose to go 'cloud' with them.

So what we did was to change our local split-DNS and external DNS entries, according to documentation found on some Office 365 websites.

BTW Exchange works fine for everyone.

Most of our users are connecting to Skype for Business Online, but at some locations, our employees cannot. They are all getting the same error regarding DNS:

(I'll replace our external domain name for contoso)

"Can't sign in to Skype for Business"

"Skype for Business couldn't find a Skype for Business Server for contoso.ca. There might be an issue with the Domain Name System (DNS) configuration for your domain. See KB2566790 for details and contact your system admin."

Every location has a DC with the DNS server role. So I've checked our internal DNS servers, to make sure everything was replicating fine, and it does. All our DNS servers have the following entries regarding Lync:

Forward Lookup Zones

- contoso.ca
name: lyncdiscover    Type: CNAME     Data: webdir.online.lync.com
name: sip    Type: CNAME     Data: sipdir.online.lync.com

- _tcp
name: _sipfederationtls    Type: SRV     Data: sipfed.online.lync.com (5061)

- _tls
name: _sip    Type: SRV     Data: sipdir.online.lync.com (443)

If I run a 'Lync Connectivity Analyzer' on a problematic workstation, I get the following error:

Server discovery failed for unsecured external channel against http://lyncdiscover.contoso.ca/

I attached the log file.

Thanks for any help you could provide
Question by:deewave

Expert Comment

by:Vasil Michev (MVP)
ID: 41834127
The easiest way to confirm whether it's a DNS issue is to configure SfB manually. So File -> Personal -> Advanced -> Manual config -> set sipdir.online.lync.com:443 for both internal/external -> confirm -> restart the client. Cleaning your sign-in info or directly the profile dir (under C:\Users\XXXX\AppData\Local\Microsoft\Office\16.0\Lync) can also help in some situations.

If you are able to connect, focus on finding out why the DNS lookup is failing. If you still cannot connect, might be a firewall/proxy issue or something else entirely. Another common situation is when the SIP address doesn't match the UPN and users confuse what to enter where, the error message you get in such cases can sometimes be a bit convoluted...
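
An added example, not part of the original thread: a PowerShell check that asks both the workstation's configured DNS server and a public resolver for the four discovery records listed in the question, then tests TCP 443 to sipdir.online.lync.com. It assumes the thread's placeholder domain contoso.ca, Google Public DNS at 8.8.8.8 as the comparison resolver, and a Windows 8.1 / Server 2012 R2 or later machine where `Resolve-DnsName` and `Test-NetConnection` are available.

```powershell
# Added example (not from the thread). Assumptions: contoso.ca is the thread's
# placeholder domain; 8.8.8.8 (Google Public DNS) is the comparison resolver.
$Domain    = 'contoso.ca'
$Resolvers = [ordered]@{ 'configured' = $null; 'public' = '8.8.8.8' }

# Expected targets and ports are the ones listed in the question.
$Expected = @(
    @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
    @{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
    @{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Target = 'sipdir.online.lync.com'; Port = 443 }
)

function Get-RecordStatus {
    param([hashtable]$Record, [string]$Server)
    $query = @{ Name = $Record.Name; Type = $Record.Type; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }   # empty = use the configured DNS server
    try {
        $answer = Resolve-DnsName @query |
            Where-Object { $_.Type -eq $Record.Type } | Select-Object -First 1
    } catch {
        return "lookup failed: $($_.Exception.Message)"
    }
    if (-not $answer) { return 'no record of this type' }
    # CNAME answers expose NameHost; SRV answers expose NameTarget and Port.
    if ($Record.Type -eq 'SRV') { $target = $answer.NameTarget } else { $target = $answer.NameHost }
    $target = "$target".TrimEnd('.')
    if ($target -ne $Record.Target) { return "unexpected target: $target" }
    if ($Record.Type -eq 'SRV' -and $answer.Port -ne $Record.Port) { return "unexpected port: $($answer.Port)" }
    return 'ok'
}

# One row per record, one column per resolver, so a split-DNS mismatch stands out.
$report = foreach ($record in $Expected) {
    $row = [ordered]@{ Name = $record.Name; Type = $record.Type }
    foreach ($label in $Resolvers.Keys) {
        $row[$label] = Get-RecordStatus -Record $record -Server $Resolvers[$label]
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# Records that are "ok" on both resolvers while sign-in still fails point away
# from DNS; check that the front end is reachable on the port used above.
$reachable = Test-NetConnection -ComputerName 'sipdir.online.lync.com' -Port 443 -InformationLevel Quiet
"TCP 443 to sipdir.online.lync.com reachable: $reachable"
```

Run it once on a working workstation and once on a failing one: a difference in the "configured" column isolates the internal DNS zone, while identical DNS results with a failed TCP test point to the network path instead.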

Author Comment

ID: 41834199
Hi Vasil

I've tried sipdir.online.lync.com:443 for both internal and external server name, now I get the error
"The server is temporarily unavailable. If the problem continues, please contact your support team."

I've also tried to browse https://sipdir.online.lync.com from a working location and the other.
From the working one, I browse a page with some text

Status: 404 Not Found
Server: RTC/7.0
FQDN: BN11A01EDG08.infra.lync.com

From a problematic location, I simply cannot get to the page: "The webpage cannot be found"

Also, I've tested with Google's DNS as primary nameserver, and I can connect on Lync!

Expert Comment

by:Vasil Michev (MVP)
ID: 41834282
Looks like a firewall/proxy issue on top of the DNS one? Better check with your network guys.

Author Comment

ID: 41834371
Well, I'm the network guy ;)

I'm 99% sure it's not a firewall issue. We have SonicWall routers everywhere, with the same security config for each location (except our datacenter which is not part of this matter). I gave it a try though, with no security (antivirus, app control, etc...), same result.

I've noticed the locations that are not a full /24 subnet all have the problem. Simple coincidence?

Author Comment

ID: 41838867
If I log on my user's computer with his credentials, I can't open SfB as mentioned above. But if I log on his computer with the domain admin account, and put my user's credentials in SfB, it works perfect!

I tried to give my user local admin rights to his pc, but it doesn't resolve the problem.

I also tried to log on his pc with my credentials (I'm member of Domain Admin group), but it gave the same error as above.

So, that being said, what could cause this issue? Obviously it has something to do with rights.

Thanks for any help you could provide

Expert Comment

by:Vasil Michev (MVP)
ID: 41838925
Are you perhaps using mandatory profiles or similar? Or restricting access to the registry? SfBO uses certificate-based auth and the user must have enough permissions to create a certificate and store it in the registry. You can check whether there are any "communications server" certificates under certmgr.msc -> Personal.

Author Comment

ID: 41840223
I'm not quite sure what mandatory profiles are, and how to verify if we have any. All I know is that Skype is working fine for that same user with DNS or logging from another location.

No there are no certificates in his Personal\Certificates store.
I tried to export the one created with the domain admin account, and import it in his store. It imported successfully (so I guess he can create a cert and write to registry), but it's still failing to connect to SfB.

Expert Comment

by:Vasil Michev (MVP)
ID: 41840442
Not sure, you seem to have a few issues contributing to this. The manual configuration should bypass any issues with the local DNS servers, but apart from that there seems to be something else in play. Perhaps you are forcing a proxy or different firewall rules for the different profile types?

Accepted Solution

deewave earned 0 total points
ID: 41850054
After more than a week, finally found the culprit.

Some of our divisions have a VPN tunnel to our Head Office. These divisions did not have the problem. When I also set up the tunnel from the other divisions, Lync started to work again.
Even if Lync Online is on the cloud, authentication has to be made against our AD. This authentication is done from the Head Office.
I don't know what suddenly caused the issue (surely something on the Head Office side), but having a tunnel from each location to the Head Office resolved the issue.

Thanks Vasil for your time.

Author Closing Comment

ID: 41856718
found my own solution
