Skype Federation not working between 2 companies

You may have a valid, working federation with an external partner and then suddenly get a ticket reporting a federation issue between your own companyA and companyB, for example: «I can’t see presence status…»

You first check federation communication with other external partners, and you find that it is working fine with the other companies. This is a symptom that the issue is not on your side.

Afterwards, you connect to your Skype for Business Edge servers and review the Event Viewer to see if there is an event that could give you a further hint.

In this case, we see Event 14428, LS Protocol Stack:

TLS outgoing connection failures.
Over the past XXXminutes, Skype for Business Server has experienced TLS outgoing connection failures 15 time(s). The error code of the last failure is 0x80072746 while trying to connect to the server «xxxxx.xxxx.com» at address [xxx.xx.xxx.xxx:5061], and the display name in the peer certificate is «xxxx.xxx.com».
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution:
Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

This could give you a hint that something is wrong with the certificate from the external partner.

You can also check the communication with the external partner by running these PowerShell commands from one of your Skype for Business Front End servers.

First, test with the domain of a partner that you know is working fine.

The result should be similar to this:

PS C:\Users\xxxxx> Test-CsFederatedPartner -TargetFqdn xxxxxxx.xxxx.com -Domain xxxx.com -Verbose
VERBOSE: Reading access proxy port from topology process started.
VERBOSE: Reading access proxy port ‘5061’ from topology process successfully finished.
VERBOSE: Reading certificate process started.
VERBOSE: Reading certificate process successfully finished.
VERBOSE: Searching for certificate with issuer name = ‘CN=xxxx-xxxx-xx, CN=xxx, DC=xxxx, DC=com’ and serial number = ‘xxxxx’.
VERBOSE: Successfully found certificate with the matching issuer name and serial number.
VERBOSE: Workflow Instance Id ‘xxxxxx-xxxxx-xxxx-xxx-xxxxx’, started.
VERBOSE: Command line executed is ‘Test-CsFederatedPartner -TargetFqdn xxxxx.xxxx.com -Domain xxxx.com -Verbose’.

Target Fqdn : xxxxxx.xxxx.com
Result : Success
Latency : 00:00:00
Error Message :
Diagnosis :

VERBOSE: Workflow ‘Microsoft.Rtc.SyntheticTransactions.Workflows.STFederatedPartnerWorkflow’ started.
Workflow ‘Microsoft.Rtc.SyntheticTransactions.Workflows.STFederatedPartnerWorkflow’ completed in ‘0.0010422’ seconds.
Workflow ‘Microsoft.Rtc.SyntheticTransactions.Workflows.STFederatedPartnerWorkflow’, succeeded.
‘Options’ activity started.
‘Options’ activity completed in ‘3.4748799’ seconds.

VERBOSE: Workflow Instance ID ‘xxxx-xxxxx-xxxx-xxx-xxxx’ completed.
VERBOSE: Workflow run-time (sec): 8.0668474.

Afterwards, you run the same test against the external partner whose federation is failing.

The result could be similar to this:

PS C:\Users\xxxx> Test-CsFederatedPartner -TargetFqdn xxxxx.xxxx.com -Domain xxxx.com -Verbose
VERBOSE: Reading access proxy port from topology process started.
VERBOSE: Reading access proxy port ‘5061’ from topology process successfully finished.
VERBOSE: Reading certificate process started.
VERBOSE: Reading certificate process successfully finished.
VERBOSE: Searching for certificate with issuer name = ‘CN=xxx-xx-xx, CN=xxx, DC=xxxx, DC=com’ and serial number = ‘xxxx’.
VERBOSE: Successfully found certificate with the matching issuer name and serial number.
VERBOSE: Workflow Instance Id ‘xx-xx-xx-xxx-xxxxxx’, started.
VERBOSE: Command line executed is ‘Test-CsFederatedPartner -TargetFqdn xxxxxx.xxxx.com -Domain xxxx.com -Verbose’.

Target Fqdn :
Result : Failure
Latency : 00:00:00
Error Message : 504, Server time-out

Diagnosis : ErrorCode=1010,Source=xxxxx.xxx.com,Reason=Certificate trust with another server could not be established,peerserver=xxx.xxxx.com,hresult=0x80092010(ERROR_DS_NO_RIDS_ALLOCATED),errortype=Refer to HRESULT code for specific security
status,tls-target=xxxx.xxxx.com
Microsoft.Rtc.Signaling.DiagnosticHeader

VERBOSE:
VERBOSE: Workflow Instance ID ‘xxxx-xxx-xxxx-xxx-xxxx’ completed.
VERBOSE: Workflow run-time (sec): 0.5724849.

You can also check the certificate of the external partner and your own certificate.

You can go to ssllabs.com and see the outcome.

This can be the result for your own certificate.
This can be the result for the external partner's certificate.

In this case, the external partner's IT team should check with their own certificate issuer the validity of their certificate and of the chain up through the intermediate and root certificate authorities.

In this case, the company XXXXX (the issuer of the external partner's certificate) has revoked intermediate certificates and published new ones.

The intermediate certificates need to be replaced on the external partner's Skype for Business Edge servers and also on your own Skype for Business Edge servers.
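To see from your own Edge server which element of the partner's chain is the problem, before and after replacing the intermediates, the following added example (not part of the original post) fetches the certificate presented on port 5061 and builds its chain against the local certificate stores with revocation checking. The HRESULT 0x80092010 in the diagnosis above is CRYPT_E_REVOKED, so a revoked intermediate should appear here with status `Revoked`. Assumptions: `sip.partner.example` is a placeholder FQDN, `Get-PeerChainStatus` is a hypothetical helper name, and the partner's Edge completes the TLS handshake without a client certificate.

```powershell
# Added example, not from the original post.
# 'sip.partner.example' is a placeholder for the partner's Access Edge FQDN.
function Get-PeerChainStatus {
    param(
        [Parameter(Mandatory)] [string]$Fqdn,
        [int]$Port = 5061
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept whatever is presented: the goal is to capture the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Build the chain from this machine's certificate stores (the same stores the
    # Edge service relies on) and check revocation for every element, not only the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($peer)

    foreach ($element in $chain.ChainElements) {
        # ChainElementStatus is empty when the element has no problems.
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            Thumbprint = $element.Certificate.Thumbprint
            NotAfter   = $element.Certificate.NotAfter
            Status     = if ($flags) { $flags -join ', ' } else { 'OK' }
            ChainValid = $trusted
        }
    }
}

# One row per chain element, leaf first, root last.
Get-PeerChainStatus -Fqdn 'sip.partner.example' | Format-Table -AutoSize
```

The thumbprint of any element flagged `Revoked` identifies the intermediate to look for in the local Intermediate Certification Authorities store.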

Afterwards, the ssllabs result looks better and the certificate is now trusted.

After doing this, the external partner. If we check again in ssllabs, we can see that the certificate looks better.

Federation service between the 2 companies is re-established and working again.

If a user still faces an issue, signing out and signing in again in the Skype for Business client should be enough to restore communication between the two companies.

More content regarding Skype for Business can be found on the blog here.
