Skype For Business Mac Date Time Certificate Error

A Skype for Business on Mac user sometimes sees a blank screen when a Skype for Business on Windows user shares the desktop in an IM conversation (peer-to-peer or group IM). Workaround: The Skype for Business on Windows user shares the program or window, or the Skype for Business on Mac user restarts the Skype for Business on Mac app.

Delete the certificate, and then try to sign in to Skype for Business Online. If you can’t sign in to Skype for Business Online, go to step 2. Remove the user’s Skype for Business Online credentials from the Windows Credential Manager. To do this, follow these steps: Click Start, click Control Panel, and then click Credential Manager.

15th May 2019 Update: The date has moved from July 1st 2019 to January 15, 2020. 12th January 2020 Update: The date has moved to 15th July 2020 – details here. If you have SfB Certified IP Phones (3PIP) from AudioCodes, Crestron, Polycom or Yealink signing in to Skype for Business Online (or Microsoft Teams via cloud interop), you will need to firmware update them and take one time tenant.

Note: If you're signing in to Skype for Business for the first time, enter your Microsoft 365 user ID, click Sign In, enter your password, and click Sign In again. On the Skype for Business sign in screen, click Delete my sign-in info. Skype for Business in Office 2016 keeps asking for credentials Skype for Business will open and login but then a window asking for credentials will pop up even though I'm already logged in. When I enter my credentials and click 'save my credentials', Skype for Business crashes.

Important

Skype for Business Online will be retired on July 31, 2021. If you haven't upgraded your Skype for Business Online users to Microsoft Teams before that date, they will be automatically scheduled for an assisted upgrade. If you want to upgrade your organization to Teams yourself, we strongly recommend that you begin planning your upgrade path today. Remember that a successful upgrade aligns technical and user readiness, so be sure to leverage our upgrade guidance as you navigate your journey to Teams.

To troubleshoot Skype for Business Online sign-in errors, start by eliminating the most common causes of sign-in difficulty. If necessary, you can then follow specific resolution steps based on the type of error. If the user still cannot sign in, collect additional information, and then seek additional help.

What do you want to do?

Check for common causes of Skype for Business Online sign-in errors

Most sign-in issues can be traced to a small number of causes, and many of these are easy to correct. The table below lists some common causes of sign-in errors and some steps you or the users can take to resolve them.

Possible cause: During sign-in, a dialog box appears that contains the following phrase: cannot verify that the server is trusted for your sign-in address. Connect anyway?
Resolution:
  • Verify that the domain name in the dialog box is a trusted server in your organization, for example, domainName.contoso.com. Ask the user to select the Always trust this server check box, and then click Connect.
  • Enterprise customers can prevent this message from appearing when a user signs in for the first time by modifying the Windows registry on each user's computer. For details, see Modify TrustModelData registry keys.

Possible cause: Mistyped sign-in address, user name, or password
Resolution:
  • Confirm that the user's sign-in name and password are correct.
  • Verify that the user's sign-in name is formatted as follows: bobk@contoso.com. This may be different from the format you use to sign in to your organization's network.
  • Ask the user to try signing in again.

Possible cause: Forgotten password
Resolution:
  • Reset the user's password and notify him or her of the new temporary password.

Possible cause: Not licensed to use Skype for Business Online
Resolution:
  • Confirm that the user is registered as a Skype for Business Online user. If not, register the user, and then ask him or her to sign in again.

Possible cause: Wrong version of Skype for Business Online installed
Resolution:
  • This issue is usually associated with an error message that contains the following phrase: the authentication service may be incompatible with this version of the program.
  • Ask the user to uninstall and reinstall Skype for Business Online from the Microsoft 365 admin center.

Possible cause: Problem acquiring a personal certificate that is required to sign in
Resolution:
  • If the user's sign-in address has recently changed, they may need to delete cached sign-in data. Ask users to sign out, click the Delete my sign-in info link on the sign-in screen, and then try again.

Possible cause: You set up a custom domain name, and the changes may not have finished propagating through the system.
Resolution:
  • First, ensure that you have modified the Domain Name Service (DNS) records to reflect the change.
  • If you have already made the necessary DNS changes, advise the user to try logging in later. DNS changes can take up to 72 hours to be reflected throughout the system.

Possible cause: System clock out of sync with server clock
Resolution:
  • Ensure that your network domain controller is synchronizing with a reliable external time source. For details, see the Microsoft Knowledge Base article 816042, How to configure an authoritative time server in Windows Server.

Follow resolution steps for a specific error (Enterprise only)

Important

These instructions are intended primarily for Microsoft Office 365 Plan E customers. If you are an Office 365 Plan P customer, continue to the following section, Collect more information and seek additional help.

If the user cannot sign in after you have tried the suggestions in the previous section, then you can do additional troubleshooting based on the type of error. The table below lists the most common error messages and possible causes. Following the table are detailed procedures to address each issue.

Error message: Sign-in address not found
Possible cause: Sign-in requests from the Microsoft Online Services Sign-On Assistant (msoidsvc.exe) are not going through your external firewall or proxy server.
Resolution: Add a firewall entry for msoidsvc.exe to your proxy server

Error message: Server is temporarily unavailable
Possible cause: If your organization has a custom domain, the necessary Domain Name System (DNS) settings may be missing or incorrect.
Resolution: Update DNS settings

Error message: Server is temporarily unavailable
Possible cause: If your organization is using single sign-on with Active Directory Federation Services (ADFS), you may have used a self-signed Secure Socket Layer (SSL) certificate rather than one from a third-party certification authority.
Resolution: Install a third-party SSL certificate on your ADFS server

Error message: Problem acquiring a personal certificate that is required to sign in
Possible cause: If you've already removed the cached server data used to sign in and the error continues to appear, the user's security credentials may be corrupted, or an RSA folder on the user's computer may be blocking authentication.
Resolution: Update security credentials

Error message: A certificate trust dialog box appears when a user signs in for the first time.
Possible cause: This dialog box appears if your Skype for Business server is not yet listed in the TrustModelData registry key.
Resolution: Modify TrustModelData registry keys

Error message: User is not SIP enabled
Possible cause: If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services.
Resolution: Update user settings in Active Directory

Add a firewall entry for msoidsvc.exe to your proxy server

This procedure is a possible fix for the following error message: Sign-in address not found.

Note

The following steps assume you are using Microsoft Forefront Threat Management Gateway (TMG) 2010. If you have a different web gateway solution, use the settings described in step 4 below.

To create an application entry for Msoidsvc.exe in Forefront TMG 2010, follow these steps:

  1. In the Forefront left pane, click Networking.

  2. Click the Network tab. Under the Tasks tab in the right pane, click Configure Forefront TMG Client Settings.

  3. In the Forefront TMG Client Settings dialog box, click New.

  4. In the Application Entry Setting dialog box, configure the following rules:

Application    Key          Value
msoidsvc       Disable      0
msoidsvc       DisableEx    0

For details, see the Microsoft Knowledge Base article 2409256, You cannot connect to Skype for Business Online because an on-premises firewall blocks the connection.

Update DNS settings

If your organization has a custom domain, this procedure is a possible fix for the following error message: Server is temporarily unavailable.

  • Contact your domain name registrar for information on how to add the following CNAME record to your domain:

    • DNS record type: CNAME

    • Name: sip

    • Value/Destination: sipdir.online.lync.com

For details, see the Microsoft Knowledge Base article 2566790, Troubleshooting Skype for Business Online DNS configuration issues in Microsoft 365 or Office 365.

Install a third-party SSL certificate on your ADFS server

To install a third-party SSL certificate on your Active Directory Federation Services (ADFS) server, follow these steps:

  1. Obtain an SSL certificate from a third-party certification authority such as VeriSign or Thawte.

  2. Install the certificate on your ADFS server by using the ADFS management console.

Update security credentials

This procedure is a possible fix for the error message Problem acquiring a personal certificate required to sign in.

To eliminate possible certificate or credential problems, first renew the user's certificate in Windows Certificate Manager. To do this, follow these steps:

  1. Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.

  2. Double-click Personal, and then double-click Certificates.

  3. Sort by the Issued By column, and then look for a certificate that is issued by Communications Server.

  4. Right-click the certificate, and then click Delete.

Next, if the user is running Windows 7, remove their stored credentials in Windows Credential Manager. To do this, follow these steps:

  1. Click Start, click Control Panel, and then click Credential Manager.

  2. Locate the set of credentials that is used to connect to Skype for Business Online.

  3. Expand the set of credentials, and then click Remove from Vault.

  4. Sign in again and reenter the user's credentials.

Finally, if the user still cannot sign in after you've updated their credentials, try deleting the RSA folder on the user's computer, because it could be blocking completion of the user authentication process:

  1. Sign in to the user's computer using an administrator account.

  2. If necessary, turn on the folder view option Show hidden files.

  3. Type the following into the address bar of File Explorer: C:\Documents and Settings\UserName\Application Data\Microsoft\Crypto\RSA, where UserName is your Windows sign-in name.

  4. Delete any folder that begins with the name S-1-5-21- followed by a string of numbers.

Modify TrustModelData registry keys

When a user signs in for the first time, they may receive a dialog box that contains something like the following: Cannot verify that the server is trusted for your sign-in address. Connect anyway? This is a security feature, and not an error. However, you can prevent the dialog box from appearing by using a Group Policy Object (GPO) to update users' machines with your domain name before they sign in for the first time. To accomplish this, do the following:

  • Create and deploy a GPO that appends your Skype for Business domain name (for example, domainName.contoso.com) to the current value of HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\TrustModelData.

Important

You must append your domain name to the existing value, not simply replace it.

For details, see the Microsoft Knowledge Base article 2531068, Skype for Business (Lync) cannot verify that the server is trusted for your sign-in address.
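The append-not-replace requirement above, as an added PowerShell example (not Microsoft's own code) that could run as a startup script with administrator rights. The comma-separated format of the value and the hostname validation rule are assumptions of this example, and domainName.contoso.com is the page's placeholder.

```powershell
# Added example: idempotently append one server domain to TrustModelData.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = 'domainName.contoso.com'   # placeholder from the article
)

$keyPath   = 'HKLM:\Software\Policies\Microsoft\Communicator'
$valueName = 'TrustModelData'

# Accept a single fully qualified host name only. A comma or wildcard here
# would silently widen the list of servers users are never prompted about.
if ($Domain -notmatch '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$') {
    throw "Refusing to trust '$Domain': not a single fully qualified domain name."
}

function Add-TrustedDomain {
    param([string]$Current, [string]$Domain)
    # Assumption: entries are comma-separated; trim and drop empty items.
    $entries = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains $Domain) {          # -contains ignores case for strings
        return ($entries -join ', ')
    }
    return (($entries + $Domain) -join ', ')   # existing entries stay first
}

if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current value; $null (value absent) becomes an empty string.
$current = [string](Get-ItemProperty -Path $keyPath -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName
$updated = Add-TrustedDomain -Current $current -Domain $Domain

if ($updated -eq $current) {
    Write-Output "No change: '$Domain' is already listed in $valueName."
}
elseif ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set to '$updated'")) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $updated
    Write-Output "Before: $current"
    Write-Output "After:  $updated"
}
```

Running it with -WhatIf shows the value that would be written without changing the registry.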

Update user settings in Active Directory

If your organization had a previous installation of Microsoft Office Communications Server or Microsoft Lync Server 2010, you may not have deleted your users from the server before decommissioning it. As a result, the msRTCSIP-UserEnabled attribute is still set to FALSE in Active Directory Domain Services.

To fix this issue, follow these steps:

  1. Update the msRTCSIP-UserEnabled attribute for all affected users to TRUE.

  2. Rerun the Microsoft Online Services Directory Synchronization Tool (DirSync). For details, see Integrate your on-premises directories with Azure Active Directory.

Use the Microsoft Support troubleshooting guide

If you're still not able to resolve the user's sign-in problems, review the suggestions in Microsoft Knowledge Base article 2541980, How to troubleshoot sign-in issues in Skype for Business Online.

Collect more information and seek additional help

If you've followed the guidance above and still can't resolve your sign-in issues, you must collect additional information and contact technical support. To do this, follow these steps:

  1. Obtain the log files and Windows Event log details from the user's machine. For step-by-step instructions, see the end-user help topic Turn on error logs in Lync.

  2. Send the log files and detailed information about the error to Microsoft technical support.

You may be asked to supply additional diagnostic information by installing the Microsoft Online Services Diagnostic and Logging (MOSDAL) Support Toolkit on the affected user's machine. For details, see Using the MOSDAL Support Toolkit.

Renewing Certificates in Skype for Business Server 2015

1/25/2016

Coming back to the office after the year-end holidays like most people, I found that the Skype4B clients, IP Phones and Video Endpoints were no longer able to register with the Skype4B front-end pool. Yes, time does pass very quickly, and certificates that were created and assigned during installation do expire. The default expiry date for default FE server certificates is 2 years. This article explores the renewal of these FE certificates to get the system back to normal.
First and foremost, the client error message displayed during sign-in was rather misleading, as this error was not due to DNS records at all. I suspect this could be due to the fact that this was a Hybrid setup with some users hosted on-premise and others hosted online on Office365. A quick check showed that the lyncdiscover.domain.com and lyncdiscoverinternal.domain.com DNS records, as well as the fallback SRV record _sipinternaltls._tcp.domain.com, were correctly pointed to the on-premise FE Pool. Users who are homed online simply get redirected to the Office365 pool after they first hit the on-premise servers. Since the error could not be due to DNS, we needed to look into the FE server itself to find out what the issue was.
The first thing noticed after logging into the FE server was that the Skype4B Front End service was not running on any of the FE servers. Therefore there was no routing group quorum to get the entire pool running, which in this case comprised 3 FE servers. Recall that for a FE Pool of 3 FE servers, we need all 3 FE servers to be started in order to achieve routing group quorum for the pool to be started:
At this stage, running the Deployment Wizard and running the '3. Request, Install or Assign Certificates' step clearly showed that the default certificate was missing along with the OAuth certificate:
To verify that the certificates were indeed expired, we open the certificates MMC and confirm that the default certificate had expired on 3 Jan 2016 while the oAuth cert had expired earlier on 26 Dec 2015:
To resolve this problem, we go back to the Certificate Wizard within the Deployment Wizard and select the three checkboxes under 'Default certificate' and click 'Request' as shown below:
This will bring up the Certificate Request page, where we need to fill in the relevant details as well as select one or all of the SIP domains which we want a SAN entry for. Note that the SAN list will be automatically populated depending on the SIP domains that we select. To continue we click 'Next':
The subsequent steps are pretty straightforward and we just need to click 'Next' to continue the process:
Once we complete the certificate assignment, we should return to the certificate wizard and see a green check mark against the new Default FE certificate as shown below. Note the expiry date is 2 years from today:
This completes the renewal of the Default certificate on FE1. We now need to perform the same for FE2 and FE3, and since the steps are the same, we shall not repeat them again. Next, we proceed to renew the oAuth certificate for server to server communications. As shown below, on the certificate wizard, we select the OAuthTokenIssuer certificate and click 'Request' to begin the process:
In the next screen, it looks similar to the previous request however note that the SAN list is fixed and cannot be changed:
The subsequent steps are also straightforward and we just need to click 'Next' to continue:
After assigning the oAuth certificate, we are returned to the Certificate Wizard and this time we see all green check marks on all certificates:
Finally, we are ready to start up the FE Pool. The easiest way to do this, instead of rebooting all 3 FE servers manually, is to open the Skype4B management shell on one of the FE servers and run the 'Start-CsPool' cmdlet as shown below. The process will take several minutes and the window will display update status information of the startup process. There's no need to panic if we see any Failed messages at this stage. Simply wait for the pool to go through the startup process:
Once the startup process completes, we can see the status of all 3 FE servers as 'Running' which is a good indication that everything went well and smoothly:
At this point, our Skype4B FE Pool is up and running and we can once again sign in from the Skype4B clients, IP Phones and Video Endpoints. As can be seen, renewing expired certificates on the FE Pool is not as difficult or complicated as it may seem.
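The outage above came from certificates expiring unnoticed, so the following added example (not part of the original post) reports expired and soon-to-expire certificates on a Front End server before sign-ins break. It assumes it is run in the Skype for Business Server Management Shell; the 60-day warning window is an arbitrary choice of this example.

```powershell
# Added example: certificate expiry report for one Front End server.
param(
    [int]$WarnDays = 60   # assumed renewal lead time; adjust as needed
)

function Get-ExpiryStatus {
    param([datetime]$NotAfter, [datetime]$Now, [int]$WarnDays)
    $daysLeft = [int][math]::Floor(($NotAfter - $Now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
              else { 'OK' }
    [pscustomobject]@{ DaysLeft = $daysLeft; Status = $status }
}

$now    = Get-Date
$report = @()

# 1. Certificates assigned to Skype for Business usages on this server
#    (the Default and OAuthTokenIssuer certificates from the post show up here).
foreach ($c in Get-CsCertificate) {
    $s = Get-ExpiryStatus -NotAfter $c.NotAfter -Now $now -WarnDays $WarnDays
    $report += [pscustomobject]@{
        Source     = 'Assigned'
        Use        = $c.Use
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $s.DaysLeft
        Status     = $s.Status
    }
}

# 2. Other certificates in the machine store, so stale or duplicate
#    certificates left over from earlier renewals are visible too.
$assigned = @($report | ForEach-Object { $_.Thumbprint })
foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
    if ($assigned -contains $c.Thumbprint) { continue }
    $s = Get-ExpiryStatus -NotAfter $c.NotAfter -Now $now -WarnDays $WarnDays
    $report += [pscustomobject]@{
        Source     = 'Store only'
        Use        = ''
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $s.DaysLeft
        Status     = $s.Status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
$flagged = @($report | Where-Object { $_.Status -ne 'OK' })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) certificate(s) expired or within $WarnDays days of expiry."
    exit 1
}
```

Each Front End server holds its own Default certificate, so run the report on every server in the pool.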
8/4/2016 08:53:58 am

Nice, You make me deploy a local certificate beside a public certificate... Nice step by step ... mess with my sfb deployment.

8/5/2016 12:05:14 am

Hi Vinicius
These steps are for renewing the internal Skype for Business certificates using an internal CA. If you are using a public certificate for your front-end servers then the steps will be slightly different.

11/21/2018 04:54:37 am

No one is making you do anything here..

11/21/2018 04:57:01 am

Many thanks for this.
Had an issue where both the Default certificate + OAuthTokenIssuer certs had expired. Having no experience of skype for business this helped me to get them renewed and assigned!

3/4/2020 05:42:48 am

I had a problem with certificates from lync this morning and your article helped.
Thanks a lot.

4/5/2020 04:06:48 pm

Hey! This helped me a lot, thanks.

7/20/2020 11:47:45 pm

Thanks, it's help

10/23/2020 03:07:52 pm

Your post makes my day, Thanks

