Unable to search Skype Directory when logged in through the Edge Server after upgrading to Skype for Business Server 2015

Problem

You’ve successfully completed upgrading your Lync Server 2010 or 2013 environment to Skype for Business Server 2015 but noticed that you receive the following error when attempting to use the SKYPE DIRECTORY tab to search the Skype directory:

Search for Skype contacts by name, Skype Name, email address, phone number, and location.

An error occurred during the search. Please try again, and contact your support team if the problem continues.

You’ve confirmed that the Edge server properties in the Topology Builder have the following configuration enabled:

Enable Skype-Skype federation search for this Edge pool (port 4443)

Choose this option, Skype-Skype federation will have federation search enabled by default.

You’ve successfully recreated the Skype Public Provider with:

New-CsPublicProvider -Identity Skype -ProxyFqdn federation.messenger.msn.com -IconUrl https://images.edge.messenger.live.com/Messenger_16x16.png -NameDecorationRoutingDomain msn.com -NameDecorationExcludedDomainList "msn.com,outlook.com,live.com,hotmail.com" -VerificationLevel UseSourceVerification -Enabled $true -EnableSkypeIdRouting $true -EnableSkypeDirectorySearch $true

You’ve noticed that the SKYPE DIRECTORY search feature works when you are internally logged in:

Using the Remote Connectivity Analyzer tool online at https://testconnectivity.microsoft.com/ returns green status with no errors.

Solution

This issue threw me off for an hour because all the external tests I ran came back in good health, yet apparently there was something wrong with the Edge server because searching the Skype directory worked internally. As I began running out of ideas, I decided to check the TMG publishing rule for the Web Services and, to my surprise, it threw the following error when I attempted to test the rule:

All of the required secure 4443 port publishing tests failed with the error:

Category: Destination server certificate error

Error details: 0x80090322 – The target principal name is incorrect.

Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

To confirm that external web services was indeed broken, I attempted to browse to the URL:

https://<domain>/groupexpansion/service.svc

… and was able to confirm I did not get an authentication prompt. After spending a bit of time reviewing the TMG publishing rule, then replacing the external web services certificate to use an internally generated certificate rather than the same certificate used on the TMG that was published by an external CA, the tests were finally in good health:

Correcting the issue with SfB’s Web Services fixed the Skype directory lookup error when logging in through the Edge server:

Hope this helps anyone out there who may come across this issue. The root cause wasn’t obvious because publishing the Web Services through TMG meant that the Remote Connectivity Analyzer tool online at https://testconnectivity.microsoft.com/ returns green if the TMG is able to listen to traffic but cannot successfully communicate with the Lync front-end pool.
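
One way to inspect the certificate that the web services site presents on port 4443, and to compare it with the name the publishing rule expects and with the local trust store, is sketched below. This is an added example, not code from the original post: the function name and host names are hypothetical, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example: Test-PublishedWebServiceCert is a hypothetical helper name.
function Test-PublishedWebServiceCert {
    param(
        [Parameter(Mandatory=$true)][string]$ConnectTo,    # server or pool the publishing rule forwards to
        [Parameter(Mandatory=$true)][string]$ExpectedName, # name the proxy expects in the certificate
        [int]$Port = 4443
    )
    $ErrorActionPreference = 'Stop'   # any connect or handshake failure ends the function
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ConnectTo, $Port)
        # Accept any certificate so it can be inspected instead of aborting the handshake.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ExpectedName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: English-language Windows, where entries are rendered as "DNS Name=...".
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('SimpleName', $false)) }  # fall back to CN

    # Exact match, or a wildcard that covers exactly the left-most label.
    $match = $false
    $dot = $ExpectedName.IndexOf('.')
    foreach ($n in $names) {
        if ($n -eq $ExpectedName) { $match = $true }
        elseif ($n.StartsWith('*.') -and $dot -gt 0 -and $ExpectedName.Substring($dot) -eq $n.Substring(1)) { $match = $true }
    }

    # Chain validation against this machine's trust store (default revocation checking).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        DnsNames = $names; NameMatches = $match; ChainTrusted = $trusted
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}
# Usage with constructed placeholder names:
# Test-PublishedWebServiceCert -ConnectTo 'fe01.contoso.local' -ExpectedName 'sfbweb.contoso.com'
```

Run it on the reverse proxy itself so that the chain is evaluated against the same trust store the publishing rule uses; a result with NameMatches or ChainTrusted set to False points at the certificate rather than at the rule.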
