Tuesday, January 26, 2016

Skype for Business Meeting Failed: Content was blocked because it was not signed by a valid security certificate

In Internet Explorer as well as in other browsers you might see this issue when you try to join a Skype for Business Server meeting that is hosted on premises.


This issue also pops up with Lync meetings, not only with Skype for Business meetings.


Error:
Content was blocked because it was not signed by a valid security certificate




After investigation, I found this was most likely related to changes in the Skype for Business client update from January 2016: https://support.microsoft.com/en-us/kb/3114502


It implements a new and properly described certificate validation procedure for all Simple URLs.
(Note: This issue can't be replicated every time, therefore you have to consider it a "possible issue".)

As I described earlier in my blog: http://lyncuc.blogspot.de/2015/10/wildcard-certificate-support-in-skype.html
It is absolutely crucial to follow the infrastructure recommendations from Microsoft, regardless of whether a non-recommended setup happens to work today. Once an update is released, the non-recommended setup will have issues or will fail!


A valid SAN wildcard certificate could look like this (the CN plus explicit SAN entries for every name, with the wildcard only as an additional SAN):

CN  = fqdn.DOMAIN.COM

SAN = fqdn.DOMAIN.COM
SAN = surl.DOMAIN.COM
SAN = *.DOMAIN.COM



 
I took a deeper look into the assigned certificate.
By the way, in a hybrid Skype for Business setup it is also required to assign it to a local point of access for the Simple URLs.


We see the CN (or SN) has the FQDN *.domain.com; the next screenshot shows it in detail again,
while the last screenshot shows the wildcard name repeated in the SAN (Subject Alternative Name).
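To catch such a certificate before an update turns it into a failed meeting join, here is an added Python check (example code, not from the original post or from Microsoft) that classifies how each Simple URL name is covered by the certificate. It models the certificate as its parsed Subject CN and SAN dNSName list; the hostnames meet/dialin/lyncdiscover.domain.com are constructed sample values, and the "explicit SAN entry for every name" policy is taken from the recommended layout above.

```python
"""Audit CN/SAN coverage of Skype for Business Simple URL names.

Added example. The certificate is represented by its parsed Subject CN and
SAN dNSName entries (e.g. read from the Reverse Proxy or Edge certificate).
"""
from dataclasses import dataclass


@dataclass
class CertNames:
    cn: str          # Subject Common Name
    sans: tuple      # Subject Alternative Name dNSName entries


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a leading '*' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".domain.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def audit(cert: CertNames, required_hosts) -> dict:
    """Classify each required name as 'exact' (explicit SAN), 'wildcard'
    (covered only by a *.SAN), 'cn-only' (only the CN matches; clients
    usually ignore the CN once a SAN is present) or 'missing'."""
    result = {}
    for host in required_hosts:
        if any(s.lower() == host.lower() for s in cert.sans):
            result[host] = "exact"
        elif any(s.startswith("*.") and _name_matches(s, host) for s in cert.sans):
            result[host] = "wildcard"
        elif _name_matches(cert.cn, host):
            result[host] = "cn-only"
        else:
            result[host] = "missing"
    return result


def is_compliant(cert: CertNames, required_hosts) -> bool:
    """Compliant only when every Simple URL name has an explicit SAN entry."""
    return all(v == "exact" for v in audit(cert, required_hosts).values())


# Constructed sample names; domain.com stands for the real SIP domain.
SIMPLE_URLS = ("meet.domain.com", "dialin.domain.com", "lyncdiscover.domain.com")
RECOMMENDED = CertNames("webext.domain.com", ("webext.domain.com",) + SIMPLE_URLS + ("*.domain.com",))
WILDCARD_ONLY = CertNames("*.domain.com", ("*.domain.com",))   # the setup seen above
CN_ONLY = CertNames("*.domain.com", ())
```

Running `audit(WILDCARD_ONLY, SIMPLE_URLS)` reports every Simple URL as "wildcard" and `is_compliant` returns False, while the recommended layout passes.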


I have seen several environments running this configuration without issues, as their admins told me.
But how can they trace the joining users' experience?
True, they can't, and here I give an example of a situation where it ended up in a mess.


Please configure your Reverse Proxy and your Edge Server certificates according to the supported, best-practice setup.

 

 






1 comment:

  1. Hi,

    Lync sign-in for a specific user has suddenly stopped working... I tried removing and re-adding the user on the Lync server. I have also removed the Lync user certificate and cleared the cache on the local system. However, this user is not able to sign in to Lync 2013 using any system. I have pasted the sign-in logs of that user below.

    ........

    1 Login: FAIL (hr = 0x1)
    Executing wws method with windows auth auth, asyncContext=00625328,
    context: WebRequest context@ :492665640
    MethodType:4
    ExecutionComplete? :1
    Callback@ :125E67FC
    AsyncHResult:80f10041
    TargetUri:https://xx.domain.child.local/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
    Error:
    There was an error communicating with the endpoint at 'https://xx.domain.child.local/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
    The server understood the request, but cannot fulfill it.

    .CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x18F63F00 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=abc.xyz@bbb.com:specific:LAD:1, upn=abc@domain.child.local
    1.1 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
    Executing wws method with windows auth auth, asyncContext=00625328,
    context: WebRequest context@ :492665640
    MethodType:4
    ExecutionComplete? :1
    Callback@ :125E67FC
    AsyncHResult:80f10041
    TargetUri:https://xx.domain.child.local/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
    Error:
    There was an error communicating with the endpoint at 'https://xx.domain.child.local/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
    The server understood the request, but cannot fulfill it.

    .
    1.2 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x18F63F00 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:uri=abc.xyz@bbb.com:specific:LAD:1, upn=abc@domain.child.local

    ........

    Kindly help.

    Regards,

    Dhananjay
