Skype for Business is one of the primary communication channels within a corporate environment. It can impact company productivity if it’s not working properly. Skype for Business desktop clients connect to the server through many components and several configuration settings. In this article, we’ll look at what needs to be done to fix authentication (connection) issues.
Why can’t your tenants log into Skype for Business?
Office 365 offers a Single Sign ON (SSO) as part of the ADFS (Active Directory Federation Service). It connects the Active Directory with Office 365 and provides users with a single sign-on for Office 365 services on desktops and mobile devices.
Single Sign-On essentially provides a generic single sign-on solution by storing and transmitting encrypted user credentials across the network boundaries. Therefore end users do not have to sign in (and remember different credentials) each time they log in to a different environment/application. (Outlook, Skype, OneDrive etc).
In order to do that, it uses the Office 365 credentials previously cached in the Windows Credentials manager. More on that later.
SSO is also capable of Office 365 provisioning; it offers Security Compliance, license pairing, Multi-factor Authentication and it is fast.
Office 365 brings these three main identity models to set up and manage user accounts:
Cloud identity, Synchronized identity, and Federated identity.
The Federated Identity model brings with it Single Sign On capabilities.
Users working for big organizations, for instance, would most probably use an Office 365 implementation based on Federate Identity, and on the process to migrate from an on-premises infrastructure (Local Servers, NOT cloud servers) to the MS cloud solution (Office 365).
The problem arises when locally cached passwords don’t match.
Office 365 (SSO) caches the access password on the Windows credential manager while the browser will cache it in itself. Moreover, corporate environments very often require a password change, which means that password changes will also occur in Active Directory, and there will be collateral issues due to password replication disruption or latency.
Has been noticed that a mismatch between the credentials stored by those components, won’t allow an SSO connect to its O365 server.
To fix this, one needs to clear all the credentials data previously cached locally on the machine and try to log in again using the latest available credentials (ID plus Password).
How to troubleshoot Skype for Business login
1) Internet Explorer: Clear the cache
(The same applies when using different browsers)
On Internet Explorer, click on the 3 dots in the upper right and go to Settings.
Clear Browser data, click on: Choose what to clear.
Select all the checkboxes and click on Clear.
2) Windows Credential Manager: Clear the stored passwords
Windows Credential manager is a tool that allows a user to store names and passwords used to login to any websites or to the network.
Credentials are saved in a special folder called Vaults. This data is then used by Windows itself or other applications, such as Windows Explorer, Office 365, Internet Explorer, and a few others when running the authentication processes.
Go to start. In the search box, type: Credential manager.
Expand each password field, and remove the stored password by clicking on Remove.
Repeat the process for each stored password.
3) Sign out from Skype and click on ‘Delete my sign-in info’
4) Verify the Proxy Auto Configuration
The Proxy Auto Config (PAC) setup defines how web browsers and other user agents (like Skype) can automatically choose the proxy server assigned to them. The PAC configuration is one primary network check that we need to perform in order to ensure that we are compliant with the corporate network policies and configurations.
Open Internet Explorer, Tools >> Internet Options >> Connections >> Lan Settings >> verify PAC configuration:
If everything is OK, (check if your network infrastructure relies on a proxy server) we can exclude the PAC configuration as the root cause and proceed with troubleshooting.
5) Clear the DNS cache
The DNS cache stores the IP addresses of the servers containing web pages and services you have recently used. If the server IP address changes before the entry is stored in the DNS cache, the access is no longer allowed on the server.
Go to Start. On the search box type: cmd.
Type: ipconfig /flushdns, and press Enter.
6) Make sure cookies aren’t blocked on your browser
On Internet Explorer, click on the 3 dots on the upper right and go to Settings.
Go to: Advanced Settings.
Make sure the Cookies status is set on: Don’t block cookies.
Close Internet Explorer.
7) Check your firewall settings
There may be a firewall blocking your access to Skype.
Click Start > Control Panel and double-click Windows Firewall.
Ensure that Don’t allow exceptions is unticked.
Go to the Exception tab, and check if Skype is included among the exceptions:
In this case, if Skype is displayed in the Programs and Services list, highlight it and click Delete.
Click Yes and OK.
Sign into Skype again. If the Windows Firewall asks to block Skype, click Unblock.
8) Clear the SIP Profile
The SIP Profile contains the configuration and user data for the corresponding Skype Connect™ service.
Go to C:\Users\user$\AppData\Local\Microsoft\Office\15.0\Lync
Delete the Folder: email@example.com
Restart your pc and see if you can now access Skype correctly.
If the issue persists, do the following.
9) Repair the Office 365 Pack
Click Start > Control Panel > Programs > Programs and Features.
Select the Office Pack you want to repair, and then click Change.
Click either on Quick Repair or Online Repair.
Restart your pc and see if Skype can now be accessed correctly.
10) Verify the Lyncdiscover CNAME record
The Lyncdiscover CNAME is a parameter present in the Domain Name System (DNS) records. One needs to verify that is properly registered.
Select the test you want to run (SfB/ Lync) and select the first option: Skype for Business Server Remote Connectivity test.
Provide your Office 365 credentials and start the test.
If any issues are detected, check your DNS configuration settings.
11) Check the Office 365 Health Status Portal
Last but not least, remember: Always keep an eye on the Office 365 Health Status Portal.
Why? These are the 2 reasons:
- Avoid wasting your (and your user’s) time: The Health Status Portal gives you the overview of any general issue going on the Office cloud platform. If for instance, maintenance is being run on the Server mail-flow performances, you’ll know that before the user calls in reporting he is not receiving his emails on time. It will be enough to provide the user with such information and kindly ask to wait a while. No remote troubleshooting sessions will, therefore, be necessary.
- The daily interaction with the Health Status Portal will give you more confidence and know-how in approaching any Office 365 issue.
Sign in with your Office 365 admin account at https://login.microsoftonline.com
In the Office 365 admin center, go to Health > Service health.
The site provides information about the known issues and maintenance activities in progress by Microsoft for each Office 365 environment. It’s a good habit to always keep it at hand, since it might spare you long (and worthless) troubleshooting sessions on Skype for Business trying to pinpoint a problem that is actually taking place at the server level.
What other problems do you experience with Skype for Business? Contact us and we’ll do our best to diagnose them.