Skype For Business Mac Date Time Certificate Error

Renewing Certificates in Skype for Business Server 2015

1/25/2016

Coming back to the office after the year-end holidays like most people, I found that the Skype4B clients, IP Phones and Video Endpoints were no longer able to register with the Skype4B front-end pool. Yes, time does pass very quickly, and certificates that were created and assigned during installation do expire. The default expiry date for default FE server certificates is 2 years. This article explores the renewal of these FE certificates to get the system back to normal.
First and foremost, the client error message displayed during sign-in was rather misleading, as this error was not due to DNS records at all. I suspect this could be due to the fact that this was a Hybrid setup with some users hosted on-premise and others hosted online on Office365. A quick check showed that the lyncdiscover.domain.com and lyncdiscoverinternal.domain.com DNS records, as well as the fallback SRV record _sipinternaltls._tcp.domain.com, were correctly pointed to the on-premise FE Pool. Users who are homed online simply get redirected to the Office365 pool after they first hit the on-premise servers. Since the error could not be due to DNS, we needed to look into the FE server itself to find out what the issue was.
The first thing that was noticed after logging into the FE server was that the Skype4B Front End service was not running on all the FE servers. Therefore there was no routing group quorum to get the entire pool running, which in this case comprised 3 FE servers. Recall that for an FE Pool of 3 FE servers, we need all 3 FE servers to be started in order to achieve routing group quorum for the pool to be started:
At this stage, running the Deployment Wizard and running the '3. Request, Install or Assign Certificates' step clearly showed that the default certificate was missing along with the OAuth certificate:
To verify that the certificates were indeed expired, we open the certificates MMC and confirm that the default certificate had expired on 3 Jan 2016 while the oAuth cert had expired earlier on 26 Dec 2015:
To resolve this problem, we go back to the Certificate Wizard within the Deployment Wizard and select the three checkboxes under 'Default certificate' and click 'Request' as shown below:
This will bring up the Certificate Request page where we need to fill in the relevant details as well as select one or all of the SIP domains which we want a SAN entry for. Note that the SAN list will be automatically populated depending on the SIP domains that we select. To continue we click 'Next':
The subsequent steps are pretty straightforward and we just need to click 'Next' to continue the process:
Once we complete the certificate assignment, we should return to the certificate wizard and see a green check mark against the new Default FE certificate as shown below. Note the expiry date is 2 years from today:
This completes the renewal of the Default certificate on FE1. We now need to perform the same for FE2 and FE3, and since the steps are the same, we shall not repeat them again. Next, we proceed to renew the oAuth certificate for server to server communications. As shown below, on the certificate wizard, we select the OAuthTokenIssuer certificate and click 'Request' to begin the process:
The next screen looks similar to the previous request; note, however, that the SAN list is fixed and cannot be changed:
The subsequent steps are also straightforward and we just need to click 'Next' to continue:
After assigning the oAuth certificate, we are returned to the Certificate Wizard and this time we see all green check marks on all certificates:
Finally, we are ready to start up the FE Pool. The easiest way to do this, instead of rebooting all 3 FE servers manually, is to open the Skype4B management shell on one of the FE servers and run the 'Start-CsPool' cmdlet as shown below. The process will take several minutes and the window will display update status information of the startup process. There's no need to panic if we see any Failed messages at this stage. Simply wait for the pool to go through the startup process:
Once the startup process completes, we can see the status of all 3 FE servers as 'Running' which is a good indication that everything went well and smoothly:
At this point, our Skype4B FE Pool is up and running and we can once again sign in from the Skype4B clients, IP Phones and Video Endpoints. As can be seen, renewing expired certificates on the FE Pool is not as difficult or complicated as it may seem.
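
The expiry check done by hand in the certificates MMC above can be scripted, so that an approaching expiry is caught before the Front End service stops. This is an added example, not code from the original article: Get-CsCertificate is the Skype for Business Server Management Shell cmdlet that lists assigned certificates, while the function name, the 60-day threshold, the evaluation date and the sample records are assumptions made for illustration.

```powershell
# Added example (not from the article). Run the last section in the Skype for
# Business Server Management Shell on each Front End server, because
# Get-CsCertificate reports only on the local computer.
function Get-CertificateExpiryStatus {
    [CmdletBinding()]
    param(
        # Record exposing Use, Subject and NotAfter, as Get-CsCertificate returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Certificate,
        # Assumption: 60 days is enough lead time to schedule a renewal.
        [int]$WarningDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($daysLeft -lt 0) { $status = 'Expired' }
        elseif ($daysLeft -le $WarningDays) { $status = 'RenewSoon' }
        else { $status = 'OK' }
        [pscustomobject]@{
            Use      = $Certificate.Use
            Subject  = $Certificate.Subject
            NotAfter = $Certificate.NotAfter
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample records using the two expiry dates quoted in the article,
# plus one healthy certificate; subjects are placeholders.
$sample = @(
    [pscustomobject]@{ Use = 'Default'; Subject = 'CN=fepool.example.com'; NotAfter = [datetime]'2016-01-03' }
    [pscustomobject]@{ Use = 'OAuthTokenIssuer'; Subject = 'CN=example.com'; NotAfter = [datetime]'2015-12-26' }
    [pscustomobject]@{ Use = 'WebServicesInternal'; Subject = 'CN=fepool.example.com'; NotAfter = [datetime]'2017-06-30' }
)
# Evaluate the sample as of a constructed date shortly after both expiries.
$sample | Get-CertificateExpiryStatus -Now ([datetime]'2016-01-04') | Format-Table -AutoSize

# On a real Front End server, check what is actually assigned, worst first.
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    Get-CsCertificate | Get-CertificateExpiryStatus |
        Sort-Object DaysLeft | Format-Table Use, NotAfter, DaysLeft, Status -AutoSize
}
```

Scheduling the last section on every Front End server and alerting on any row that is not 'OK' gives warning well before sign-ins start failing.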
8/4/2016 08:53:58 am

Nice, You make me deploy a local certificate beside a public certificate... Nice step by step ... mess with my sfb deployment.

8/5/2016 12:05:14 am

Hi Vinicius
These steps are for renewing the internal Skype for Business certificates using an internal CA. If you are using a public certificate for your front-end servers then the steps will be slightly different.

11/21/2018 04:54:37 am

No one is making you do anything here..

11/21/2018 04:57:01 am

Many thanks for this.
Had an issue where both the Default certificate + OAuthTokenIssuer certs had expired. Having no experience of skype for business this helped me to get them renewed and assigned!

3/4/2020 05:42:48 am

I had a problem with certificates from lync this morning and your article helped.
Thanks a lot.

4/5/2020 04:06:48 pm

Hey! This helped me a lot, thanks.

7/20/2020 11:47:45 pm

Thanks, it helps

10/23/2020 03:07:52 pm

Your post made my day, Thanks



Certificate authentication requires your Mac’s time be in sync with the server you are connecting to, so if for some reason your Mac’s time is off, then you may get these errors. To fix this, go to the Date & Time system preferences, and ensure the option to “Set date and time automatically” is checked (click the lock to authenticate if.

Scoping the problem

Let's assume that you want to troubleshoot issues that occur when users try to join a Skype for Business Online (formerly Lync Online) meeting by using Lync 2010, Lync 2013, the Lync for Windows Store app, or Lync for Mac 2011. Before you start, ask yourself and any external users who are experiencing the issue the following questions:

  • How many users does the problem affect?
  • Are the users internal or external to your organization?
  • Can the affected users reproduce the problem on a single computer or on multiple computers?

When you have the answers to these questions, see the following table to determine the kind of issue that you're dealing with. This table is provided to help scope the problem to a certain category. However, some categories may be outside the technical support boundaries of a Skype for Business Online support engineer.

Read the table as in the following example:

Multiple users... (but not a single user) ...from outside our organization...Can't join a Skype for Business Online meeting from multiple computers: (is usually caused by) Lync federation issue or external network issue.

Be aware that each column and each row are mutually exclusive. That is, the issue affects either a single user or multiple users, and the issue can be reproduced either on one computer or on multiple computers.

| Issue | A single user from inside our organization | A single user from outside our organization | Multiple users from inside our organization | Multiple users from outside our organization | Multiple users from both inside and outside our organization |
| --- | --- | --- | --- | --- | --- |
| Can't join a Skype for Business Online meeting from a single computer | Client issue | Client issue | Client issue | Client issue | Client issue |
| Can't join a Skype for Business Online meeting from multiple computers | User identity issue or provisioning issue | Lync federation issue or external network issue | Network issue or Service outage | Lync federation issue or external network issue | Service outage or network issue |

Problem

Note

If you don't experience one of the symptoms that are listed in the following table, use the scoping table in the 'Scope' section to narrow the problem to a specific kind of issue. Then, you can troubleshoot the issue by following the steps that are outlined here.

| Symptom | Category | Troubleshooting |
| --- | --- | --- |
| When you try to click the Join Online Meeting link in a meeting invitation in Skype for Business Online, you receive 'Page not found' or 'Page cannot be displayed' in Microsoft Internet Explorer. | Network connectivity | Troubleshoot network issues |
| When Skype for Business Online tries to start an online meeting, the client program freezes. | Client issue | Troubleshoot client issues |
| When you try to click the Join Online Meeting link in a meeting invitation, you are repeatedly presented with a security warning and can't join the meeting. | Client issue | Troubleshoot client issues |
| When you try to click the Join Online Meeting link in a meeting invitation, you receive the error 'Meeting URL is not valid'. | User Identity or Provisioning Issue | Troubleshoot identity issues |
| When you use Skype for Business Online to join a Lync conference that is organized by another company, you receive the error 'reference ID 43 (source ID 241)'. | Lync Federation issue | Make sure that Domain Federation or External Communications are configured correctly |
| When you click the Join Online Meeting link in a meeting invitation, a File Open dialog box appears. Additionally, Skype for Business Online doesn't start the online meeting. | Incorrect file association | Fixing OCSMEET file associations in Windows |
| You tried all steps in this document and still can't join the Skype for Business Online meeting. You are determined to connect to the conference, even if you can't participate in audio, video, or chat. | Not applicable | Join meetings by using the Lync Web App |

Troubleshooting Windows client issues

To resolve any client or computer issue, first make sure that the computer is up to date. The computer should have the latest operating system updates, audio and video drivers, and software application updates to make connecting to a Skype for Business Online meeting a successful experience. To do this, follow these steps:

  1. Run Windows Update, and then verify that all optional hardware updates are installed. Specifically, make sure that video, audio, and network drivers are up to date.

  2. Verify that Lync is up to date. See Lync Downloads and Updates for the latest Lync updates.

    Select your version (2013 or 2010), and then select Lync client under Category.

Now that the computer is up to date and meets all minimum system requirements, clear any cached credentials or certificates from previous logons:

  1. Verify that the user has the correct certificates in Certificate Manager. To do this, follow these steps:

    1. Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.
    2. Expand Personal, and then expand Certificates.
    3. Sort by the IssuedBy column, and then look for a certificate that is issued by Communications Server.
    4. Verify that the certificate is present and that it isn't expired.
    5. Delete the certificate, and then try to sign in to Skype for Business Online. If you can't sign in to Skype for Business Online, go to step 2.
  2. Remove the user's Skype for Business Online credentials from the Windows Credential Manager. To do this, follow these steps:

    1. Click Start, click Control Panel, and then click Credential Manager.
    2. Locate the set of credentials that are used to connect to Skype for Business Online.
    3. Expand the set of credentials, and then click Remove from Vault.
    4. Try to sign in to Skype for Business Online, and then type the new set of credentials.

Skype for Business Online falls back to 'anonymous join' if it can't authenticate. As long as anonymous participants aren't explicitly blocked from joining the meeting, they should always be able to join the meeting.

Troubleshooting network issues

  1. Verify that the computer is connected to the network. Determine whether the computer can access other websites.
  2. Verify that the network meets the requirements for connecting to Skype for Business Online. For more information, see You can't connect to Skype for Business Online, or certain features don't work, because an on-premises firewall blocks the connection.

Fixing OCSMEET file associations in Windows

  1. Verify that Skype for Business Online is the default program that is used to open .ocsmeet files. To do this, follow these steps:

    1. Click Start, click Control Panel, and then click Default Programs.
    2. Click Associate a file type or protocol with a program.
    3. Scroll down to .ocsmeet, and then verify that **Microsoft Lync** is selected as the Current Default option.
  2. If step 1 doesn't resolve the issue, perform a repair (see Repair an Office application), or reinstall Lync 2010.

Troubleshooting Identity issues

This specific issue occurs when two users of the same Office 365 organization share the same user name (alias). Because of how Lync generates meeting URLs, two users on the same Office 365 organization who have the same user name will share the same meeting URLs. This causes the Skype for Business Online conference to become corrupted.

To resolve this issue, change the user name of one of the users who has the duplicate user name.

Troubleshooting Lync federation issues

If external users (and only external users) can't join a Skype for Business Online meeting, first determine whether they're trying to join as authenticated users or as anonymous users.

  • If the user is trying to join as an authenticated user from another Lync or OCS organization:
    • Your Skype for Business Online organization must have External Communications enabled, and external communication must be completely open. Or, the external user's domain must be in the Allow list.
    • The external organization must have federation configured correctly from their side, too.
    • For more information about federating with a Skype for Business Online organization, go to the following Microsoft TechNet website: Configuring Federation support for a Skype for Business Online customer
    • If authenticated join doesn't work, Lync should automatically try to join as an anonymous or guest user.
  • If the user is trying to join as an anonymous user from Lync Attendee or the Lync Web App, or is dialing in to a Skype for Business Online conference with an ACP access number:
    • For anonymous join to work, a specific DNS SRV record must be present in DNS.
    • For various methods of confirming your Skype for Business Online DNS records, see Troubleshooting Skype for Business Online DNS configuration issues in Office 365.

Joining meetings by using the Lync Web App

If these troubleshooting steps don't resolve the issue, and if joining the meeting immediately is a bigger concern, use the Lync Web App. Be aware that the Lync Web App doesn't include Voice over IP (VoIP) functionality. That means that participants can only view sharing sessions. To do this, follow these steps:

  1. Copy the Join URL from the meeting invite, and then paste it into Internet Explorer. (Warning: Don't press Enter yet.)

  2. Add '?sl=1' to the end of the URL, and then press Enter.

    Note

    You must have Silverlight installed to use the advanced features of the Lync Web App.

Troubleshooting issues with third-party software

If you're using third-party software, you may be asked to update, disable, or remove the software as a troubleshooting step. If the issue is resolved after you take one of these actions, you may be referred to the third-party manufacturer for more help or to perform additional troubleshooting.
