Skype for Business anonymous join failure when meeting organizer is disabled for federation

By | October 15, 2016

Before we start, I highly recommend you first read Scott Stubberfield’s “Anonymous join from Skype for Business and Lync Clients” blog post: https://blogs.technet.microsoft.com/scottstu/2015/04/03/anonymous-join-from-skype-for-business-and-lync-clients/

Now that you understand the anonymous join process, we’ll go into one scenario that I’ve been tracking since Lync Server 2013 RTM (almost 4 years…).

Scenario:

  • Company A has Federation Enabled
  • User at Company A has an External Access Policy set to have Federated User Access disabled
  • This User schedules a meeting and sends the invite to an external participant
  • External participant is running the Lync or Skype for Business client
  • External participant tries joining the meeting, but is greeted with “An error occurred during the Skype Meeting”
  • External participant is able to join the meeting if forcing connection via Web App in browser (appends ?sl=1 to the end of the meeting URL)

ff-2
ff-1

Let’s compare some client logs for the External participant:

  • Company A Federation Enabled and Meeting organizer Enabled for Federated User Access (Successful federated join):
    ff-5

    ff-6

  • Company A Federation Disabled or External participant’s domain is blocked (Successful anonymous join):
    ff-3

    ff-4

  • Company A Federation Enabled and Meeting organizer Disabled for Federated User Access (Failed anonymous join):
    ff-7

    ff-1

As per Scott’s blog, the following table lists the valid SIP response or diagnostic codes that the client will use to trigger the anonymous join process:
ff-8

So we have the External participant’s client triggering anonymous join when seeing 504 or 404, but not the 403 response that is received when the meeting organizer is disabled for federation.

3 thoughts on “Skype for Business anonymous join failure when meeting organizer is disabled for federation

  1. Brent Gunn

    So how do people get around this. Been struggling myself. Found a product called Ethical Wall that allows you to control it at the edge but I want external recipients to join my non external enabled users meetings natively. Any work arounds.
    Thanks

    Reply
  2. AM

    I’m testing similar scenarios and seeing frustrating results i’m hoping you could clarify.

    User A Federation Enabled, meeting organizer enabled for federated user access, HOWEVER the attendee domain is not on the federated allowed list. (failing anonymous join)

    In this scenario i would expect Anonymous join to kick in. I’ve analysed the attendee domain client logs and I’m seeing a valid ms-diagnostic code (504) return to trigger anonymous join. The client then attempts the DNS look ups in the order explained in Scotts article. The A record for sip.domain.com is resolved and an attempt to route to our external edge over IP is made. This then fails authentication, of which we now believe to be their internet proxy.

    Going back to Scott’s article the client should fail back to 5061 which i don’t see. As far as i can work out this is the process, if i have missed anything, or if you have observed similar and know a way around it i’d be grateful to hear?

    Thanks

    Reply
  3. Pavan Jain

    Hi Michael,

    Is it possible to see the SIP logs for the anonymous join case? I am trying to get this working but failing to do so.

    Regards,
    PJ

    Reply

Leave a Comment