Skype Meeting Broadcast Error: “An error occurred during the Skype Meeting”

Issue

When joining a Skype Meeting Broadcast as a member of the Events Team, the following error occurs: “An error occurred during the Skype Meeting”.


The user is homed on-premises, and licensed in Office 365 to use Skype for Business Online. This happens regardless of network location; it was tested from the corporate network and tethered with 4G.

Background

I was asked to enable Skype Meeting Broadcast for a customer that already has a hybrid configuration established with Skype for Business Online. They are running a Skype for Business Server 2015 Standard Edition Server, Skype for Business Server 2015 Edge Server, and have directory synchronisation to Azure AD using ADFS.

I validated the existing hybrid configuration, and then implemented the following to enable the customer to use Skype Meeting Broadcasts.

Skype for Business Online Tenant (Cloud)

Connected to the Skype for Business Online Tenant, enabled Skype Meeting Broadcasts, and then verified that they are enabled:

Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True

Get-CsBroadcastMeetingConfiguration | fl EnableBroadcastMeeting

Open Federation is enabled in the Office 365 Tenant; however, I still added the following as SIP Federated domains (allowed domains).

  • noammeetings.lync.com
  • emeameetings.lync.com
  • apacmeetings.lync.com
  • resources.lync.com

$r = New-CsEdgeDomainPattern -Domain "noammeetings.lync.com"
$s = New-CsEdgeDomainPattern -Domain "emeameetings.lync.com"
$t = New-CsEdgeDomainPattern -Domain "apacmeetings.lync.com"
$n = New-CsEdgeDomainPattern -Domain "resources.lync.com"
$newAllowList = New-CsEdgeAllowList -AllowedDomain $r,$s,$t,$n

Set-CsTenantFederationConfiguration -AllowedDomains $newAllowList

Skype for Business Server (On-premises)

Add a new SIP Federated Provider record for sipfed.resources.lync.com:

New-CsHostingProvider -Identity LyncOnlineResources -ProxyFqdn sipfed.resources.lync.com -VerificationLevel AlwaysVerifiable -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $True -IsLocal $False

Open Federation is enabled; however, I still added the SIP Federated domains into the allowed list in case of rate limiting, etc.

New-CsAllowedDomain -Identity "noammeetings.lync.com"
New-CsAllowedDomain -Identity "emeameetings.lync.com"
New-CsAllowedDomain -Identity "apacmeetings.lync.com"
New-CsAllowedDomain -Identity "resources.lync.com"

All required ACLs on the internet facing firewall were already in-place.

Investigation

I verified all of the above again, and then started to look at the Lync-UccApi-*.UccApilog files on the client.  The following jumped out:

02/16/2018|13:25:42.287 17D0:F88 INFO  :: SIP/2.0 504 Server time-out
ms-user-logon-data: RemoteUser
Authentication-Info: TLS-DSK qop="auth", opaque="80CD9B99", srand="1CFCDC62", snum="20", rspauth="b9d3f407044967b13bfa5c2aa7227dabae5ab3e5", targetname="sfbfe01v.x500.co.uk", realm="SIP Communications Service", version=4
Via: SIP/2.0/TLS 192.168.13.10:51443;received=148.252.129.18;ms-received-port=41013;ms-received-cid=E11900
Content-Length: 0
From: "SteveTest1"<sip:stevetest1@x500.co.uk>;tag=e014170fc7;epid=8c327600bc
To: <sip:AM30R04meet340@emeameetings.lync.com;gruu;opaque=app:conf:focus:id:5YQ2VR3X>;tag=4E11942B5212E6775222C5CE0FBF2719
Call-ID: ba598dbe0e7a40cdb2ae7579f51f3fba
CSeq: 1 INVITE
ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="x500.co.uk";dns-srv-result="NegativeResult";dns-source="InternalCache";source="access.x500.co.uk"
Server: RTC/6.0
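
The ms-diagnostics header is the line that names the failing component, so it is worth extracting mechanically rather than by eye. The following is an added example, not code from the original post: the function name Get-MsDiagnostics is hypothetical, the sample lines are constructed from the excerpt above, and the parser assumes the straight ASCII quotes used in the log file itself.

```powershell
# Added example (not from the original post): pull ms-diagnostics headers out of
# UccApilog text and surface DNS SRV resolution failures.
function Get-MsDiagnostics {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]          # log files contain blank lines
        [string]$Line
    )
    process {
        # Header shape: ms-diagnostics: <id>;key="value";key="value";...
        if ($Line -notmatch '^\s*ms-diagnostics:\s*(\d+);(.*)$') { return }
        $entry = [ordered]@{ ErrorId = [int]($Matches[1]) }
        # Values are quoted, so a ';' inside a reason string does not split a pair.
        foreach ($pair in [regex]::Matches($Matches[2], '([\w-]+)="([^"]*)"')) {
            $entry[$pair.Groups[1].Value] = $pair.Groups[2].Value
        }
        [pscustomobject]$entry
    }
}

# Constructed sample: lines shaped like the excerpt above.
$sample = @(
    '02/16/2018|13:25:42.287 17D0:F88 INFO  :: SIP/2.0 504 Server time-out'
    'CSeq: 1 INVITE'
    ''
    'ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="x500.co.uk";dns-srv-result="NegativeResult";dns-source="InternalCache";source="access.x500.co.uk"'
)

# "source" is the server that reported the failure, "domain" the name it could not route.
$sample | Get-MsDiagnostics |
    Where-Object { $_.reason -like '*DNS SRV*' } |
    Select-Object ErrorId, domain, 'dns-srv-result', 'dns-source', source
```

For a real trace, pipe the output of Get-Content for the Lync-UccApi-*.UccApilog file into Get-MsDiagnostics in place of $sample.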

Resolution

The Edge Server uses internal DNS Servers for name resolution.

The SIP domain (x500.co.uk) is different to the internal AD DNS domain (x500.local).

An authoritative AD-integrated zone exists for the SIP domain (x500.co.uk) at root level.  The domain doesn’t have a SRV record for _sipfederationtls._tcp.x500.co.uk.

I added a record into the AD-integrated zone as per the SRV record that exists in public DNS for _sipfederationtls._tcp.x500.co.uk.

Type: SRV
Domain: x500.co.uk
Service: _sipfederationtls
Protocol: _tcp
Priority: 0
Weight: 0
Port number: 5061
Host offering this service: access.x500.co.uk

After adding the record, I cleared the DNS cache on the Edge Server and tested Skype Meeting Broadcasts, and it worked straight away.

I have never seen any Microsoft documentation that states this record must exist in internal DNS.  However, adding it absolutely fixes the issue.  Alternatively, I could have set the Edge Server to use Public DNS, or changed the zone to use pin-point DNS records.

Interestingly, the access.x500.co.uk record isn’t resolvable by the Edge Server, but that doesn’t matter.
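
To check for this split-DNS gap before users hit it, compare what the Edge Server's own resolvers return for the federation SRV record with what public DNS returns. The following is an added example, not code from the original post: Get-FederationSrv is a hypothetical helper, the domain and host names are the post's sample values, and the public resolver address is an assumption that must be reachable from the Edge Server on port 53.

```powershell
# Added example (not from the original post). Run on the Edge Server.
$SipDomain      = 'x500.co.uk'   # SIP domain from the post's sample environment
$PublicResolver = '1.1.1.1'      # assumption: any public resolver this host can reach

function Get-FederationSrv {
    param([string]$Domain, [string]$Server)
    $query = @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    $via   = 'configured DNS servers'
    if ($Server) { $query.Server = $Server; $via = $Server }
    try {
        # A zone that exists but lacks the record answers with an SOA only, so
        # keep just the SRV rows; an NXDOMAIN answer lands in the catch block.
        Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No SRV answer via ${via}: $($_.Exception.Message)"
    }
}

$internal = Get-FederationSrv -Domain $SipDomain
$public   = Get-FederationSrv -Domain $SipDomain -Server $PublicResolver

if (-not $internal) {
    "Internal DNS has no SRV record for _sipfederationtls._tcp.$SipDomain (the NegativeResult seen in ms-diagnostics 1008)."
} elseif ($public -and (Compare-Object $internal $public -Property NameTarget, Port)) {
    'Internal and public SRV records differ:'
    $internal
    $public
} else {
    'Internal SRV record is present and consistent with public DNS:'
    $internal
}

# The fix described in the post, expressed as DnsServer-module cmdlets
# (run on the internal DNS server, then clear the cache on the Edge Server):
# Add-DnsServerResourceRecord -Srv -ZoneName $SipDomain -Name '_sipfederationtls._tcp' `
#     -DomainName 'access.x500.co.uk' -Priority 0 -Weight 0 -Port 5061
# Clear-DnsClientCache
```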

 


One comment

  1. Update: the internal DNS records below are required for a hybrid, they are covered in this article:

    https://docs.microsoft.com/en-us/skypeforbusiness/skype-for-business-hybrid-solutions/plan-hybrid-connectivity

    DNS record: _sipfederationtls._tcp.
    Resolves to: Access Edge external IP(s)
    Resolvable by: Edge server(s)
    DNS requirement: Enable federated communication in a hybrid configuration. The Edge Server needs to know where to route federated traffic for the SIP domain that is split between on premises and online. Must use strict DNS name matching between the domain in the user name and the SRV record.

    DNS record: A record(s) for Edge Web Conferencing Service
    Resolves to: Web Conferencing Edge external IP(s)
    Resolvable by: Internal corporate network connected users’ computers
    DNS Requirement: Enable online users to present or view content in on-premises hosted meetings. Content includes PowerPoint files, whiteboards, polls, and shared notes.
