Skype for Business Federation fails only with Office 365 domains

June 27, 2016

While working with a third-party hosted Skype for Business environment leveraging Exchange Online for email/voicemail, I came across an issue where federation worked except with SIP domains hosted in Office 365.

Looking at the client logs from both sides of the communication in Snooper, you can see constant 504 Server time-out entries:

Hosted client to Skype for Business Online trace:
[Image: SFBFF-01]

Skype for Business Online to Hosted client trace:
[Image: SFBFF-02]

Hosted client to Skype for Business Online 504 error detail:

  • 03/18/2016|10:11:04.993 1F2C8:20684 INFO :: Data Received -209.197.182.66:443 (To Local Address: 172.17.1.57:52011) 832 bytes:
    03/18/2016|10:11:04.993 1F2C8:20684 INFO ::
    SIP/2.0 504 Server time-out
    ms-user-logon-data: RemoteUser
    Authentication-Info: TLS-DSK qop="auth", opaque="8AE5D494", srand="194B5A1A", snum="41", rspauth="e035cf3791629bb547cb087dde5f41d0f6ccd1d7", targetname="hostedfe.hdomain.com", realm="SIP Communications Service", version=4
    Via: SIP/2.0/TLS 172.17.1.57:52011;received=72.29.243.33;ms-received-port=24342;ms-received-cid=1200300
    Content-Length: 0
    From: "Michael LaMontagne"michael@hdomain.com>;tag=d141844893;epid=b5f478829d
    To: michael@lamontagnesolutions.com>;tag=9B47C2FDF604DCF0E6773B737ABC04C6
    Call-ID: 07090444edc64a189aa6ce0a2c4700c4
    CSeq: 1 INVITE
    ms-diagnostics: 1063;reason="Cannot route to blocked IM Service Provider";domain="lamontagnesolutions.com";fqdn1="sipfed.online.lync.com:5061";source="sip.hdomain.com"
    Server: RTC/6.0
    03/18/2016|10:11:04.993 1F2C8:20684 INFO :: End of Data Received -209.197.182.66:443 (To Local Address: 172.17.1.57:52011) 832 bytes

Skype for Business Online to Hosted client 504 error detail:

  • 03/18/2016|10:05:22.667 2148:32C4 INFO :: Data Received -132.245.1.32:443 (To Local Address: 10.100.30.182:57915) 1114 bytes:
    03/18/2016|10:05:22.667 2148:32C4 INFO ::
    SIP/2.0 504 Server time-out
    ms-user-logon-data: RemoteUser
    Authentication-Info: TLS-DSK qop="auth", opaque="A8BC1734", srand="6BA9FCBC", snum="45", rspauth="3e7612007482289c34a09d47a3090a75be97e792", targetname="BL20A09FES13.infra.lync.com", realm="SIP Communications Service", version=4
    Via: SIP/2.0/TLS 10.100.30.182:57915;received=10.8.148.8;ms-received-port=57915;ms-received-cid=4EBE400
    Content-Length: 0
    From: "Michael LaMontagne"michael@lamontagnesolutions.com>;tag=d97c3dc345;epid=177375e93d
    To: michael@hdomain.com>;tag=B3656182BBE3D680E2A42799A4ACBD34
    Call-ID: 8cd5cb094b5f4c3e937c2553e35ba11f
    CSeq: 1 INVITE
    ms-diagnostics: 1047;reason="Failed to complete TLS negotiation with a federated peer server";fqdn="sip.hdomain.com:5061";ip-address="XXX.XXX.XXX.XXX";peer-type="FederatedPartner";winsock-code="10054";winsock-info="The peer forced closure of the connection";source="sipfed1A.online.lync.com"
    Server: RTC/6.0
    ms-edge-proxy-message-trust: ms-source-type=AutoFederation;ms-ep-fqdn=sipedgeBL20A.infra.lync.com;ms-source-network=federation;ms-source-verified-user=verified
    03/18/2016|10:05:22.667 2148:32C4 INFO :: End of Data Received -132.245.1.32:443 (To Local Address: 10.100.30.182:57915) 1114 bytes
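
Added example, not part of the original post: a small Python parser that pulls the ms-diagnostics header out of each failed SIP response in a client trace, so the error id, reason and reporting server from both sides can be compared directly. The sample text is constructed from the headers in the two traces above; the function names are hypothetical.

```python
import re

# Constructed sample: the two 504 responses above, reduced to a few headers,
# with typographic quotes normalised to plain ASCII quotes.
SAMPLE_TRACE = '''\
SIP/2.0 504 Server time-out
Call-ID: 07090444edc64a189aa6ce0a2c4700c4
ms-diagnostics: 1063;reason="Cannot route to blocked IM Service Provider";domain="lamontagnesolutions.com";fqdn1="sipfed.online.lync.com:5061";source="sip.hdomain.com"

SIP/2.0 504 Server time-out
Call-ID: 8cd5cb094b5f4c3e937c2553e35ba11f
ms-diagnostics: 1047;reason="Failed to complete TLS negotiation with a federated peer server";fqdn="sip.hdomain.com:5061";peer-type="FederatedPartner";winsock-code="10054";source="sipfed1A.online.lync.com"
'''

STATUS_RE = re.compile(r'^SIP/2\.0 (\d{3}) ')
# key="value" pairs; values are quoted, so a ';' inside a value is tolerated.
PARAM_RE = re.compile(r';\s*([\w-]+)="([^"]*)"')

def parse_ms_diagnostics(value):
    """Split '1063;reason="...";k="v"' into (error_id, {param: value})."""
    m = re.match(r'\s*(\d+)', value)
    if not m:
        raise ValueError('ms-diagnostics value has no numeric id: %r' % value)
    return int(m.group(1)), dict(PARAM_RE.findall(value))

def failed_responses(trace):
    """Return one dict per SIP error response (status >= 400) with ms-diagnostics."""
    results, current = [], None
    for line in trace.splitlines():
        line = line.strip()
        status = STATUS_RE.match(line)
        if status:                      # a new SIP response starts here
            current = {'status': int(status.group(1))}
            continue
        if current is None or ':' not in line:
            continue
        name, _, value = line.partition(':')
        name = name.strip().lower()     # SIP header names are case-insensitive
        if name == 'call-id':
            current['call_id'] = value.strip()
        elif name == 'ms-diagnostics' and current['status'] >= 400:
            current['diag_id'], current['params'] = parse_ms_diagnostics(value)
            results.append(current)
    return results

if __name__ == '__main__':
    for r in failed_responses(SAMPLE_TRACE):
        print(r['status'], r['diag_id'], r['params'].get('reason'),
              '| reported by', r['params'].get('source'))
```

On the sample, the 1063 entry is reported by sip.hdomain.com and the 1047 entry by sipfed1A.online.lync.com, which shows which side's edge refused or dropped the federated connection.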

Much time was spent digging into federation settings, DNS, certificates and firewalls for both parties. It dawned on me that Skype for Business Online is ignoring Federation SRV records when communicating with verified Custom domains in Office 365. That is fine if you have Hybrid configured for either your on-premises or hosted Skype for Business environment, which was not the case here.

The fix was to remove the Skype for Business domain purpose for the third-party hosted domain:

Open the Office 365 Admin center and, under Domains, click Domain settings:
[Image: SFBFF-03]

Click on Change domain purpose:
[Image: SFBFF-04]

Uncheck Skype for Business for instant messaging and online meetings, then complete the steps in the wizard:
[Image: SFBFF-05]

5 thoughts on “Skype for Business Federation fails only with Office 365 domains”

  1. Pingback: Skype for Business Federation fails only with Office 365 domains | RealtineUC – JC's Blog-O-Gibberish

  2. Nam Nguyen

    Dear Sir,
    We are facing the exact problem with SfB federation with Office 365 domain. Federation with other domains works, except for the Office365 hosted domain.

    Errors from both clients (on-premise and online) are exactly as you described. Unfortunately your suggested solution didn't work in our case (disable SfB domain purpose on verified DNS domain).

    Can you help to explain “It dawned on me that Skype for Business Online is ignoring Federation SRV records when communicating with verified Custom domains in Office 365”? Why is SfB Online ignoring those records, and what does that have to do with our errors?
    With best regards,
    Nguyen

  3. Jeremy B

    It’s too bad the new admin portal doesn’t offer the ability to change a domain’s purpose anymore.

  4. Dave Lemon

    How long did it take for the issue to clear up after making this change?
