500 - Internal Server Error - Skype for Business Mobility

This is a very common error, which can be related to one of the following issues:
  • wrong internal/external certificate
  • firewall ports 4443/443 not mapped correctly
  • firewall performs packet inspection and modification (reverse proxy)
  • load balancer issue: wrong persistence, wrong ticket validity period, ...
  • Direct Server Return (DSR) issue on the load balancer

I could continue with this list.

But there is one issue that has not been discussed on the blogs yet.
If you see an Error 500 in the IIS log file for the /AUTH endpoint of the WebTicket service, IIS itself may be misconfigured, and the error is not related to any of the other common causes listed above.

/webticket/webticketservice.svc/auth - 4443 - 192.168.10.50 COP 500 0 0 3037

As we know, the client first receives the JSON web service link information.
Then it tries to access the WebTicketService and receives an ERROR 401, because authentication has not been done yet.
It now connects to the webticketservice /auth endpoint and attempts the authentication, which is NTLM!

If the Negotiate provider is listed first, this attempt fails and generates the ERROR 500.

SOLUTION:


On all Skype for Business Front End Servers, check manually on both the Internal and the External Web Site that NTLM is the first choice for authentication and Negotiate the second option.

Use the appcmd command to query the settings:
C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />   --> Must NOT be first!
          <add value="NTLM" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

If you need to change this setup, use one of these methods:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM,Negotiate"

or, with appcmd (the first command removes Negotiate from the provider list, the second appends it again so that it ends up after NTLM):
C:\Windows\System32\inetsrv>appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

C:\Windows\System32\inetsrv>appcmd set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
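To check the provider order on both Skype for Business web sites in one go, here is an added PowerShell example (not from the original post) that reports whether NTLM is offered first and, with -Fix, reorders the providers the same way the appcmd commands above do. The site names are assumed defaults and the WebAdministration module must be available on the Front End Server.

```powershell
# Added example: audit, and optionally fix, the Windows Authentication provider order
# on the Skype for Business IIS sites. Site names below are assumed; adjust to your deployment.
[CmdletBinding()]
param(
    [string[]]$Sites = @('Skype for Business Server Internal Web Site',
                         'Skype for Business Server External Web Site'),
    [switch]$Fix
)
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication/providers'
# Write to <location> entries in applicationHost.config; the section is usually locked for web.config.
$root   = 'MACHINE/WEBROOT/APPHOST'

function Get-ProviderOrder([string]$Site) {
    # Effective provider list for the site, in the order IIS offers it to the client.
    Get-WebConfigurationProperty -PSPath $root -Location $Site -Filter $filter -Name Collection |
        ForEach-Object { $_.value }
}

function Test-NtlmFirst([string[]]$Providers) {
    # The mobility client authenticates with NTLM, so NTLM must be the first provider.
    return ($Providers.Count -gt 0 -and $Providers[0] -eq 'NTLM')
}

function Set-NtlmFirst([string]$Site) {
    # Same approach as the appcmd commands in the post: remove Negotiate, then re-add it,
    # which appends it after NTLM.
    if ((Get-ProviderOrder $Site) -contains 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $root -Location $Site -Filter $filter `
            -Name '.' -AtElement @{ value = 'Negotiate' }
    }
    Add-WebConfigurationProperty -PSPath $root -Location $Site -Filter $filter `
        -Name '.' -Value @{ value = 'Negotiate' }
}

foreach ($site in $Sites) {
    $order = @(Get-ProviderOrder $site)
    $ok    = Test-NtlmFirst $order
    [pscustomobject]@{ Site = $site; Providers = ($order -join ','); NtlmFirst = $ok }
    if ($Fix -and -not $ok) {
        Set-NtlmFirst $site
        Write-Host "$site : provider order is now $((Get-ProviderOrder $site) -join ',')"
    }
}
```

Run it without -Fix first on every Front End Server and compare the NtlmFirst column with the 500 entries for /webticket/webticketservice.svc/auth in the IIS logs.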

Comments

  1. On Windows 2012 R2 and up, it should be "-section:system.webServer/security/authentication/windowsAuthentication"
