This article applies to:

Lync 2013 client on Android devices

Skype for Business service hosted on Office 365

users who log in to Office 365 via Active Directory Federation Services (ADFS)

 

PROBLEM

A user is unable to log in to the Skype for Business service hosted on Office 365 from an Android mobile device using the Lync 2013 client.

The same user is able to log in without any problem from the desktop Skype for Business client, or from the Skype for Business client on an iOS mobile device.

 

CAUSE

The HTTPS connection request sent by the Android device does not contain the Server Name Indication (SNI) extension. The server selects its certificate binding by the hostname carried in SNI, so without it the request cannot be matched to the hostname binding and cannot be processed properly.

 

SOLUTION

On the ADFS Proxy Server, use NETSH to add an SSL certificate binding for IP address 0.0.0.0, port 443. This IP-based binding is used as the fallback for requests that do not contain SNI, so they can be processed properly.

Detailed steps:

  1. On the ADFS Proxy Server, start the command prompt with the Run As Administrator option.
  2. Type the following command to show the current SSL certificate bindings:

     netsh http show sslcert

The command will give an answer that looks similar to this:

SSL Certificate bindings:
-------------------------

Hostname:port                : sts.mydomain.com:443
Certificate Hash             : 177866c8d8827f2b66d02e3e2e67bc860a4ca638
Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name       : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : AdfsTrustedDevices
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

Hostname:port                : sts.mydomain.com:49443
Certificate Hash             : 177866c8d8827f2b66d02e3e2e67bc860a4ca638
Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name       : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Enabled

  3. Note/copy the values of the Certificate Hash and Application ID fields used by the ADFS service (the entry for port 443).

  4. Create the new binding by typing the following command (use the values noted in step 3):

     netsh http add sslcert ipport=0.0.0.0:443 certhash=177866c8d8827f2b66d02e3e2e67bc860a4ca638 appid={5d89a20c-beab-4389-9447-324788eb944a}

How to check whether this worked

Type

netsh http show sslcert

If the command succeeded, the SSL bindings list will contain a new entry similar to this:

SSL Certificate bindings:
-------------------------

IP:port : 0.0.0.0:443
Certificate Hash : 177866c8d8827f2b66d02e3e2e67bc860a4ca638
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
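The check above is done by eye. The following script is an added example, not part of the original article, that automates it: it parses the output of netsh http show sslcert, looks for the hostname binding and the 0.0.0.0:443 fallback binding, confirms that both carry the same Certificate Hash and Application ID (so clients without SNI receive the same certificate as clients with SNI), and, when the fallback is missing, prints the exact netsh add sslcert command built from the hostname binding's values. The sample output embedded in the script is constructed from the article's listing (trimmed to the relevant fields, with the article's hash and application ID); the function names are the example's own.

```python
import re

# Constructed sample of `netsh http show sslcert` output, modelled on the
# article's listing and trimmed to the fields this check uses. The hash and
# application ID are the article's example values, not real ones.
SAMPLE_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    Hostname:port                : sts.mydomain.com:443
    Certificate Hash             : 177866c8d8827f2b66d02e3e2e67bc860a4ca638
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 177866c8d8827f2b66d02e3e2e67bc860a4ca638
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : (null)
    Negotiate Client Certificate : Disabled
"""

# "Key   : value". The key may itself contain a colon (Hostname:port, IP:port),
# so the split happens at the first colon that is surrounded by whitespace.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s+:\s+(?P<value>.*?)\s*$")


def parse_sslcert(text):
    """Turn netsh output into a list of dicts, one per binding block."""
    bindings, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m is None:  # blank line, header or separator ends a block
            if current:
                bindings.append(current)
                current = {}
            continue
        current[m.group("key")] = m.group("value")
    if current:
        bindings.append(current)
    return bindings


def find_sni_binding(bindings, hostname, port=443):
    """The hostname-based binding that serves clients which send SNI."""
    wanted = f"{hostname}:{port}".lower()
    return next((b for b in bindings
                 if b.get("Hostname:port", "").lower() == wanted), None)


def find_fallback_binding(bindings, port=443):
    """The 0.0.0.0:port binding used when the handshake carries no SNI."""
    return next((b for b in bindings
                 if b.get("IP:port") == f"0.0.0.0:{port}"), None)


def build_add_command(sni_binding, port=443):
    """Render the netsh command (as in the article) from the SNI binding's values."""
    return ("netsh http add sslcert ipport=0.0.0.0:{port} "
            "certhash={h} appid={a}").format(
                port=port,
                h=sni_binding["Certificate Hash"],
                a=sni_binding["Application ID"])


def check_fallback(text, hostname, port=443):
    """Return (ok, detail). ok is True only when a 0.0.0.0:port binding exists
    and uses the same certificate and application ID as the SNI binding, i.e.
    SNI-less clients are handed the same certificate as SNI-capable clients."""
    bindings = parse_sslcert(text)
    sni = find_sni_binding(bindings, hostname, port)
    if sni is None:
        return False, f"no Hostname:port binding for {hostname}:{port}"
    fallback = find_fallback_binding(bindings, port)
    if fallback is None:
        return False, "no 0.0.0.0:%d binding; run: %s" % (
            port, build_add_command(sni, port))
    for key in ("Certificate Hash", "Application ID"):
        if sni.get(key) != fallback.get(key):
            return False, f"{key} differs between SNI binding and fallback binding"
    return True, "fallback binding present and consistent with the SNI binding"


if __name__ == "__main__":
    ok, detail = check_fallback(SAMPLE_OUTPUT, "sts.mydomain.com")
    print("OK" if ok else "PROBLEM", "-", detail)
```

To use it on a real proxy, save the listing with netsh http show sslcert > sslcert.txt and pass the file contents to check_fallback together with the federation service hostname. Two things worth keeping in mind: the 0.0.0.0:443 binding applies to every address on the server, so any other HTTPS name hosted on the same proxy will also answer SNI-less requests with this certificate; and Certificate Store Name showing (null) for the new entry is consistent with the article's add command, which does not name a store.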

Dejan Foro