When joining a Skype Meeting Broadcast as a member of the Events Team, the following error occurs: “An error occurred during the Skype Meeting”.
The user is homed on-premises, and licensed in Office 365 to use Skype for Business Online. This happens regardless of network location, tested from the corporate network and tethered with 4G.
I was asked to enable Skype Meeting Broadcast for a customer who already have a hybrid configuration established with Skype for Business Online. They are running a Skype for Business Server 2015 Standard Edition Server, Skype for Business Server 2015 Edge Server, and have directory synchronisation to Azure AD using ADFS.
I validated the existing hybrid configuration, and then implemented the following to enable the customer to use Skype Meeting Broadcasts.
Skype for Business Online Tenant (Cloud)
Connected to the Skype for Business Online Tenant (click here to see how to do this), enabled and then verified that Skype Meeting Broadcasts are enabled:
Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True
Get-CsBroadcastMeetingConfiguration | fl EnableBroadcastMeeting
Open Federation is enabled in the Office 365 Tenant, however I still added the following as SIP Federated domains (allowed domains).
$r = New-CsEdgeDomainPattern -Domain “noammeetings.lync.com”
$s = New-CsEdgeDomainPattern -Domain “emeameetings.lync.com”
$t = New-CsEdgeDomainPattern -Domain “apacmeetings.lync.com”
$n = New-CsEdgeDomainPattern -Domain “resources.lync.com”
$newAllowList = New-CsEdgeAllowList -AllowedDomain $r,$s,$t,$n
Set-CsTenantFederationConfiguration -AllowedDomains $newAllowList
Skype for Business Server (On-premises)
Add a new SIP Federated Provider record for sipfed.resources.lync.com:
New-CsHostingProvider -Identity LyncOnlineResources -ProxyFqdn sipfed.resources.lync.com -VerificationLevel AlwaysVerifiable -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $True -IsLocal $False
Open Federation is enabled, however I still added the SIP Federated domains into the allowed list incase of rate limiting etc.
New-CsAllowedDomain -Identity “noammeetings.lync.com”
New-CsAllowedDomain -Identity “emeameetings.lync.com”
New-CsAllowedDomain -Identity “apacmeetings.lync.com”
New-CsAllowedDomain -Identity “resources.lync.com”
All required ACLs on the internet facing firewall were already in-place.
I verified all of the above again, and then started to look at the Lync-UccApi-*.UccApilog files on the client. The following jumped out:
02/16/2018|13:25:42.287 17D0:F88 INFO :: SIP/2.0 504 Server time-out
Authentication-Info: TLS-DSK qop=”auth”, opaque=”80CD9B99″, srand=”1CFCDC62″, snum=”20″, rspauth=”b9d3f407044967b13bfa5c2aa7227dabae5ab3e5″, targetname=”sfbfe01v.x500.co.uk”, realm=”SIP Communications Service”, version=4
Via: SIP/2.0/TLS 192.168.13.10:51443;received=184.108.40.206;ms-received-port=41013;ms-received-cid=E11900
CSeq: 1 INVITE
ms-diagnostics: 1008;reason=”Unable to resolve DNS SRV record”;domain=”x500.co.uk”;dns-srv-result=”NegativeResult”;dns-source=”InternalCache”;source=”access.x500.co.uk”
The Edge Server uses internal DNS Servers for name resolution.
The SIP domain (x500.co.uk) is different to the internal AD DNS domain (x500.local).
An authoritative AD-integrated zone exists for the SIP domain (x500.co.uk) at root level. The domain doesn’t have a SRV record for _sipfederationtls._tcp.x500.co.uk.
I added a record into the AD-integrated zone as per the SRV record that exists in public DNS for sipfederationtls._tcp.x500.co.uk.
Port number: 5061
Host offering this service: access.x500.co.uk
After adding the record I cleared the DNS cache on the Edge Server, tested Skype Meeting Broadcasts and it worked straightaway.
I have never seen any Microsoft documentation that states this record must exist in internal DNS. However, adding it absolutely fixes the issue. Alternatively, I could have set the Edge Server to use Public DNS, or changed the zone to use pin-point DNS records.
Interestingly, the access.x500.co.uk record isn’t resolvable by the Edge Server, but that doesn’t matter.