Skip Ribbon Commands
Skip to main content

Xadean's Empirical Musing

:

Quick Launch

Xadean's Empirical Musing > Posts > Skype for Business Edge Server Not Able to Communicate via Federation to Microsoft Office 365 (Teams and Cloud Voice Mail Auto Attendants Not Reachable)
June 17
Skype for Business Edge Server Not Able to Communicate via Federation to Microsoft Office 365 (Teams and Cloud Voice Mail Auto Attendants Not Reachable)

Issue Description and Background:

We have an enterprise voice deployment of Skype for Business Server 2015 integrated with Microsoft (MS) Teams Phone System running in a hybrid configuration with direct routing using a Ribbon Communications SBC. Inbound calls to our main phone number are answered by a MS Teams auto attendant (AA). However, that suddenly stopped working after we had incidentally recently deployed Direct Routing for MS Teams and afterwards we noticed the AA's were no longer reachable via on-premises Skype for Business Server 2015 via federation.

   

The following errors were in the Event Viewer logs on the Edge Server under Lync Server.

   

EVENT ID: 14428

TLS outgoing connection failures.

   

Over the past 66 minutes, Skype for Business Server has experienced TLS outgoing connection failures 31 time(s). The error code of the last failure is 0x800B0109(CERT_E_UNTRUSTEDROOT) while trying to connect to the server "sipfed.online.lync.com" at address [52.112.65.203:5061], and the display name in the peer certificate is "sipfed.online.lync.com".

Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

   

   

Multiple invalid incoming certificates.

   

In the past 147 minutes the server received 1 invalid incoming certificates. The last one was from host 52.112.67.51.

Cause: This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.

Resolution:

No action needed unless the number of failures is large. Contact the administrator of the host sending the invalid certificate and resolve this problem.

   

   

We also captured a SIP trace of a test inbound call that was failing using the ClsLogging tool and noticed the following error.

   

TL_INFO(TF_PROTOCOL) [LYNCPOOL\btfls13fe]1F64.347C::06/13/2022-23:20:45.600.000133D2 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [2430505428]

Trace-Correlation-Id: 2430505428

Instance-Id: 18C69

Direction: incoming

Peer: LSEDGEPOOL.hq.biztechfusion.com:5061

Message-Type: response

Start-Line: SIP/2.0 504 Server time-out

From: "AHMASI XADEAN"<sip:12024891495;phone-context=PstnGateway_10.1.20.3@biztechfusion.com;user=phone>;epid=8D00A9C65B;tag=937ee3bfb9

To: <sip:4433600959;phone-context=PstnGateway_10.1.20.3@biztechfusion.com;user=phone>;tag=11BF95CFA045B9B046D298304CD0978C

Call-ID: 292742da-6c2f-47f0-b881-f4f6379787e9

CSeq: 5797 INVITE

Via: SIP/2.0/TLS 10.1.20.33:49948;branch=z9hG4bKAEF14639.AB56DBC7A7D924DD;branched=FALSE;ms-received-port=49948;ms-received-cid=1E4C00

Via: SIP/2.0/TLS 10.1.20.33:53216;branch=z9hG4bKd3415c7;ms-received-port=53216;ms-received-cid=26A800

Content-Length: 0

ms-diagnostics: 1010;reason="Certificate trust with another server could not be established";ErrorType="The peer certificate is not chained off a trusted root";tls-target="sipfed.online.lync.com";PeerServer="sipfed.online.lync.com";HRESULT="0x800B0109(CERT_E_UNTRUSTEDROOT)";source="LYNCSIP.biztechfusion.com"

ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=LSEDGEPOOL.hq.biztechfusion.com;ms-source-verified-user=verified

Server: RTC/6.0

$$end_record

   

   

   

The test call to 4433600959 is translated to +7006 (Teams Auto Attendant), then the Skype FE/Med Srvr sends the call to the Edge Srvr to get to O365 Cloud Voice Mail / Teams Auto Attendant, and gets a Cert error. Looks like it doesn't trust the O365 side server's cert, for some reason.

   

RESOLUTION:

The error messages was clearly indicating that our Edge Server was not trusting the SSL certificate being presented by Microsoft's Edge Servers (sipfed.online.lync.com). Therefore, we had to do the following to update the trusted root CA store on the Edge Server.

   

Open an elevated command prompt and enter the following commands:

   

# The following command downloads the Trusted Root CA's to a serialized store file:

Certutil -generateSSTFromWU WURoots.sst

   

# The following command opens the serialized store file (you can also simply double-click on the file to open it):

start explorer.exe wuroots.sst

   

Once the serialized store file is open, expand to the lowest level "Certificates" folder in the left navigation pane, and then you will see certificates for all of the trusted root certification authorities in the right action pane.

   

   

Next, you will need to open the Microsoft Management Console (right-click on start menu and select run, then type mmc and click OK) and add the Certificates snap-in for your Local Machine. Navigate to the Trusted Root Certification Authorities and right-click the Certificates subfolder in the left navigation pane.

   

   

Select "All Tasks" from the context menu and then "Import". Click next to progress through the wizard to browse and select the Microsoft Certificate Serialized Store (.SST) file you created and finish to complete importing all the root CA certs.

   

After importing the certs, federation between our Edge and Microsoft (sipfed.online.lync.com) began working immediately.

   

You may also determine whether or not you would like to update your registry on the server to automatically update the trusted root certification authorities by performing the following action.

   

   

Save the following to a text file and save it as "AuthRoot.reg":

   

BEGIN FILE [Do Not Include in the Text File]

   

Windows Registry Editor Version 5.00

   

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]

"DisableRootAutoUpdate"=dword:00000000

"EnableDisallowedCertAutoUpdate"=dword:00000001

   

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates]

   

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\CRLs]

   

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\CTLs]

   

END FILE [Do Not Include in the Text File]

   

Now, double-click on the AuthRoot.reg file to configure the registry accordingly.

   

Comments

Crypto Tech News

MyEtherWallet (MEW) is a user-friendly and open-source Ethereum wallet that allows users to create, manage, and interact with Ethereum-based assets. It provides a secure environment for storing and accessing Ether (ETH) and other ERC-20 tokens. Read more about this topic with our blogs.
https://sites.google.com/officialaccs.com/myetherwallet/
https://sites.google.com/officialaccs.com/my ethpolstaking/
https://sites.google.com/metalogmask.com/metamask-extension/
 on 11/19/2023 11:58 PM

MetaMask Chrome Extension

A smooth and safe entryway to the world of Web3 apps and decentralized finance (DeFi) is provided by the MetaMask Wallet Extension. Users may easily manage their Ethereum-based assets, communicate with decentralized apps (dApps), and carry out transactions on the Ethereum blockchain with MetaMask's user-friendly interface and strong security features.
https://sites.google.com/view/metamaskwallettextension/home
https://sites.google.com/view/metamaskchrameextension/home
 on 2/25/2024 11:07 PM

Yeezy Slides

https://www.yeezyofficialwebsite.us.com/ Yeezy Official Website
https://www.yeezy--shoes.us.com/ Yeezy Shoes
https://www.yeezysupply.us/ Yeezy Supply
https://www.yeezyshoess.org/ Yeezy Shoes
https://www.adidas-yeezyshoess.com/ Yeezy Shoes
https://www.adidas-yeezyshoess.com/ Adidas Yeezy
https://www.adidas-yeezyslides.com/ Yeezy Slides
https://www.adidas-yeezyslides.com/ Adidas Yeezy
https://www.yeezy350.us/ Yeezy 350
https://www.yeezyofficialwebsite.us/ Yeezy Official Website
https://www.yeezyofficialwebsite.com/ Yeezy Official Website
https://www.lvoutlet.us.com/ Louis Vuitton
https://www.lvoutlet.us.com/ Louis Vuitton Outlet
https://www.lvoutlets.us.com/ Louis Vuitton
https://www.lvoutlets.us.com/ Louis Vuitton Outlet
https://www.louis-vuitton-outlets.us.com/ Louis Vuitton
https://www.louis-vuitton-outlets.us.com/ Louis Vuitton Outlet
https://www.lv-outlet.us.com/ Louis Vuitton
https://www.lv-outlet.us.com/ Louis Vuitton Outlet
https://www.yeezyshoes.de/ Yeezy Shoes
https://www.yeezysupplys.de/ Yeezy Supply
https://www.yeezy-slides.de/ Yeezy Slides
https://www.yeezy-supply.de/ Yeezy Supply
https://www.yeezy-350.de/ Yeezy 350
https://www.yeezyshoess.us/ Yeezy Shoes
https://www.yeezy-slidess.us/ Yeezy Slides
https://www.adidayeezy.us.com/ Adidas Yeezy
https://www.yeezyadidas.us.com/ Yeezy Adidas
https://www.yeezysupplys.com/ Yeezy Supply
https://www.adida.us.com/ Adidas Yeezy
https://www.yeezy2024.us.com/ Yeezy 2024
https://www.yeezys-supply.us.com/ Yeezy Supply
https://www.yeezys-supplys.us.com/ Yeezy Supply
https://www.yeezy-slidess.us.com/ Yeezy Slides
https://www.yeezy350official.us.com/ Yeezy 350
https://www.yeezy350official.us.com/ Yeezy Official
https://www.yeezyshoesofficial.us.com/ Yeezy Shoes
https://www.yeezyshoesofficial.us.com/ Yeezy Official
https://www.yeezys-supplys.com/ Yeezy Supply
https://www.yeezys-shoes.com/ Yeezy Shoes
https://www.yeezy-350.com/ Yeezy 350
https://www.yeezys-slidess.com/ Yeezy Slides
https://www.yeezysupplyofficial.us.com/ Yeezy Supply
https://www.yeezysupplyofficial.us.com/ Yeezy Official
https://www.yeezyslidesofficial.us.com/ Yeezy Slides
https://www.yeezyslidesofficial.us.com/ Yeezy Official
https://www.yeezyboost350v2.us.com/ Yeezy 350
https://www.yeezyofficialwebsites.com/ Yeezy Official Website
https://www.yeezyofficialwebsites.us.com/ Yeezy Official Website
https://www.yeezyshoesofficialwebsite.us/ Yeezy Shoes
https://www.yeezyshoesofficialwebsite.us/ Yeezy Official Website
https://www.yeezy-supply.us/ Yeezy Supply
https://www.yeezy-350.us/ Yeezy 350
https://www.adidasyeezyshoess.com/ Yeezy Shoes
https://www.adidasyeezyshoess.com/ Adidas Yeezy
https://www.yeezysslidess.com/ Yeezy Slides
https://www.adidasyeezys.us.com/ Adidas Yeezy
https://www.adidas-yeezy-slides.us.com/ Yeezy Slides
https://www.omegaswatches.net/ Omega Watches
https://www.moncleroutletfactory.com/ Moncler Outlet
https://www.icasejpn.com/  ルイヴィトン vuitton iphone15 proケース

Tags:Yeezy Shoes,Yeezy,Yeezy Supply,Adidas Yeezy,Yeezy Slides
 on 6/12/2024 11:05 AM

Add Comment

Title


Body *


CAPTCHA *

 

Attachments