Tuesday, January 26, 2016

Skype for Business Meeting Failed: Content was blocked because it was not signed by a valid security certificate

In Internet Explorer or other browsers, you might see this issue when you try to join a Skype for Business Server meeting that is hosted on-premises.

This issue also appears with Lync meetings, not only with Skype for Business meetings.

Content was blocked because it was not signed by a valid security certificate

After investigation, I saw this was most likely related to changes in the Skype for Business Client Update from January 2016: https://support.microsoft.com/en-us/kb/3114502

It implements a new and properly described certificate validation procedure for all simple URLs.
(Note: This issue can't be replicated every time, so you have to consider it a "possible issue".)

As I described earlier in my blog: http://lyncuc.blogspot.de/2015/10/wildcard-certificate-support-in-skype.html
It is absolutely crucial to follow the infrastructure recommendations from Microsoft, regardless of whether a different setup might work or not. Once an update is released, a setup that is not recommended will have issues or will fail!

A valid SAN Wildcard certificate could look like this:

CN   = fqdn.DOMAIN.COM


I took a deeper look into the assigned certificate.
By the way, in a hybrid Skype for Business setup it is also required to be assigned to a local point of access for simple URLs.

We see the CN (or SN) has the FQDN as *.domain.com.
The next screenshot shows it in detail again,
while the last screenshot shows the wildcard name repeated in the SAN (Subject Alternative Name).

I have seen several environments running this configuration without issues, as they told me.
But how can they trace the joining users' experience?
True, they can't, and here I give the example of a situation where it ended up in a mess.

Please define your Reverse Proxy and your Edge Server certificates in the supported and best practice setup.



Saturday, January 9, 2016

Call Monitor Skype for Business Client

With the last client update from January 2016, Microsoft introduced a new feature called Call Monitor.

(At first it is still a little buggy and also not really suitable; it is more annoying.)

The impacted client version is:
Skype for Business 2016 MSO (16.0.6326.101)

The change introduced the Call Monitor, where the view has totally changed and now consumes a huge space on your desktop.

If you switch to another application during a call and Skype is no longer in front, you will see one of the two following possibilities:

simple audio call:

conference call with audio/ video:

If you click the icon, you can still hide the huge screen part.
Now you will see this little icon:

Saturday, December 12, 2015

Windows 2012 R2 Update KB2982006: The update is not applicable to your computer

Once you try installing the Skype for Business prerequisite Windows 2012 R2 Update you receive the error:
The update is not applicable to your computer.

This is actually not an issue; it only indicates that you haven't installed the Windows Server Roles and Features yet.

The update addresses an issue in IIS. Therefore, install the Windows prerequisites first.

As you can see, the hotfix is now applied properly.

Friday, December 4, 2015

Turn off beep tone while muted - Skype for Business Client

How to turn off Skype for Business Mute Beep

I was asked how to turn off the stress tone while your headset microphone is muted.

First you need to know that this is NOT a Skype for Business Client feature.
It only happens when you use a JABRA headset.

There is only one possible solution.
Jabra offers the PC SUITE.

Download PC Suite and start the installation

1. Go to the Jabra Control Center
2. Make sure your device is highlighted
3. On the "Headset" tab, make sure you are in Advanced View
4. Uncheck "Enable mute reminder tone"
5. Click Apply.

The bad news is:
Not every Jabra headset supports this or even the comfort noise setting.
So please test your headset before you buy it.

Wednesday, November 25, 2015

Shared Line Appearance (SLA) in Skype for Business (with busy on busy)

Very often we as MVPs are asked about the Busy-On-Busy feature missing in Skype for Business.

The native feature for every single device, user or other client is not yet available.
And as of today I can't make any announcement about whether this is planned or not.

But what I can introduce is Shared Line Appearance; yes, here Busy-On-Busy is available, making S4B look more like an old-fashioned PBX :)

What is Shared Line Appearance?
This is a new feature introduced with the current firmware from Polycom VVX and the last Skype for Business Update from November 2015.

Shared Line Appearance (SLA) enables you to configure a group of multiple devices that can each answer calls to a shared phone number (extension).
(SLA is not supported for Skype for Business clients on computers, mobile phones, or other devices.)

What does this mean for us? Well, we can use busy on busy only within the VVX configured groups, but not yet between devices and clients, or between soft clients.

The supported devices are:
  • Polycom VVX300 with firmware update 5.4.1
  • Polycom VVX400 with firmware update 5.4.1
  • Polycom VVX500 with firmware update 5.4.1
  • Polycom VVX600 with firmware update 5.4.1
A rough description can be found here:

The most interesting features could be these:
  • Busy on Busy – excess calls are automatically rejected with a busy signal.
  • Call Forward Busy – excess calls are routed to an alternative number that's configured for the workgroup.
  • Voicemail on Busy - excess calls are automatically forwarded to Voicemail.

    Installation:

    It needs to be installed as a Server Application on the Pool Servers and SBA/SBS.

    New-CsServerApplication -Identity 'Service:Registrar:%FQDN%/SharedLineAppearance' -Uri http://www.microsoft.com/LCS/SharedLineAppearance  -Critical $false -Enabled $true -Priority (Get-CsServerApplication -Identity 'Service:Registrar:%FQDN%/UserServices').Priority
    Stop-CsWindowsService RTCSRV
    Start-CsWindowsService RTCSRV

    where %FQDN% is the fully qualified domain name of the pool or server.  

    Create and configure a SLA GROUP:

    First we need to create a group and assign members, as well as set the maximum number of calls (MaxNumberOfCalls), which will trigger the busy signal once the call count is exceeded.

    Set-CsSlaConfiguration -Identity SLA_OFFICE1 -MaxNumberOfCalls 4 -BusyOption BusyOnBusy
    Add-CsSlaDelegates -Identity SLA_OFFICE1 -Delegate sip:SLA_Delegate1@sipdom.com

    Configure an SLA BUSY GROUP:

    If no busy signal is required, you can forward the call instead.

    Set-CsSlaConfiguration -Identity SLA_OFFICE1 -BusyOption Forward -Target tel:+49891234567

    Configure an SLA MISSED CALL OPTION:

    You can also decide what will actually be done if a call isn't answered:
    you can either FORWARD, set a busy signal BUSYSIGNAL, or DISCONNECT the caller.

    Set-CsSlaConfiguration -Identity SLAGroup1 -MissedCallOption Forward -MissedCallForwardTarget sip:sla_forward_number@sipdom.com

    Summary of the feature list (MSFT):

    • All delegates in the group can answer inbound calls to the same shared number. The calls can be PSTN-based or SIP-based.
    • Delegates can hold and pick up calls.
    • Delegates can transfer calls to a number outside of the SLA group.
    • Delegates can see how many calls are currently on the shared number, and view the status of each of those calls.
    • You can configure a maximum number of concurrent calls for the shared number. You can also set how you want additional calls to be handled after this maximum is reached. Excess calls can be rejected with a busy signal, forwarded to an alternate number, or forwarded to voice mail.
    • You can configure how you want missed calls (calls not picked up after a certain time) to be handled. If you enable voice mail for the group identity, missed calls automatically go to voice mail. If you do not have voice mail enabled for the group identity (shared number), you can choose for missed calls to be rejected with a busy signal, forwarded to an alternate number, or disconnected.

    Wednesday, November 4, 2015

    File Share Performance for Skype for Business (slow conference join, slow address book)

    Once more, first things first:
    Always make sure your environment is patched and up to date.

    Mainly if you have a slow Join Conference user experience. Validate your DFS or File Server.

    What we experienced during certain Skype for Business updates, as well as in support cases, is:
    - Migration is slow
    - Join Conferencing experience is slow
    - Address Book generation is slow
    and more

    This happens if the file share is not fast enough. What does this mean?
    You should ensure that the IOPS as well as the network throughput are sufficient and not the bottleneck in your environment.
    Measure the file servers: see what happens when DFS replication kicks in, check whether this is a shared file server and what happens when other apps access the shares, and monitor the IOPS/bandwidth.
    But this is not all; also use perfmon for CPU load and memory, especially paging.

    If you experience slow conference joins, this will mostly be the issue.
    (Sure, the local SQL server also consumes performance on the Skype for Business Front End Server.)

    Broadcast Meeting Web View and App View

    (v 1.0, 4th Nov 2015)

    Today I'm digging deeper into Skype for Business Broadcast Meeting.
    As it's not all about video, the presentation side is important: how to make PowerPoint visible to the audience.
    Also, is it easy to handle?
    How is the user experience when a user joins via a webbrowser?

    Simply said it is excellent.

    If you need to understand how to set up a meeting, please follow my last blog article: http://lyncuc.blogspot.com/2015/11/broadcast-meetings-in-skype-for-business.html

    Have a look; there I explain what to do and how to use it.

    If you join as an authenticated user who is part of the Presenter Team, the browser checks for the Desktop App and will ask you for access permission.

    As usual, if you click the "Monitor" button, it gives you the option of uploading a PowerPoint file and also managing the content. Once it is uploaded, it is shown in the preview window, where you can also use the PowerPoint tools, e.g. the marker or others.

    The next step is the broadcast activation, meaning you need to start broadcasting to the participants, which you do by clicking the broadcast meeting button on the right.

    Once clicked, the broadcast is activated and streamed to the audience. From here you follow the same principles as you did with the common / classic Skype for Business Meeting or Lync Meeting.
    What about Bing Pulse or Yammer?
    Well, this is managed outside the meeting right now. You need to log in to Yammer and start the social media part from there. This is good and makes it more understandable that, if you are holding a large meeting, you should make sure you don't do it alone. You need support from multiple persons. This is quite different from a "normal common meeting".
    The audience joining the meeting now sees the following.
    First, if you join, the experience is different: there is no Meeting Lobby here, you simply join based on the meeting join permission set earlier. (Maybe later a temporary picture can be presented here).
    As described in the chapter above, once the presenter team has started the meeting, meaning started the broadcast, the PowerPoint is streamed to the attendees, and they will see the presentation, listen to the audio and see the video.
    Yammer, as I had configured first during the meeting setup, is now presented in the right frame. Here all actions will be shown. I had have Yammer group right now associated with my test account. But it is self-explanatory how this will work.

    Tuesday, November 3, 2015

    Setup Broadcast Meetings in Skype for Business

    (Version 1.0: 3rd Nov. 2015)

    First, let me start with this: broadcast meetings are at a very early stage and introduce only a handful of the planned and great features still coming. Therefore I ask you to read this article frequently to see the updates I can blog about.

    Microsoft introduced Skype broadcast meeting as an individual service aside with Office 365. It requires a dedicated login under:


    You can use Skype Broadcast Meetings in both scenarios:
    - Office 365 only (Skype for Business is 100% in the cloud)
    - Hybrid Setup

    Required is:
    - Azure Password sync or ADFS

    The Broadcast meeting relies on the Azure Media Services and must be delivered online.

    From here we are entering the main management page for broadcast meetings:

    As you see, the scheduled meetings are visible at this level. They will appear in the three-column design. If you need to schedule a new meeting, simply click the "New Meeting" option and start configuring it.

    Here we define the meeting.

    The Time Zone is defined here as the time zone your computer/device is configured with.
    - Title of the meeting
    - Meeting time and duration (which actually doesn't matter)
    - The Event Team, the team managing the meeting, e.g. starting the broadcast or handling the IM and Q&As and more
    Note: The members must be Office 365 enabled users from your tenant with a license assigned.

    Going further, the Attendee setup will be defined. Right now, three options are available. If you configure e.g. an invalid user, it will show this and mark the user in red.
    Here this user (marked red) is not part of the actual Office 365 tenant.

    Access options:
    - Anonymous: everyone who knows the "join link" can join this meeting.
    - Secure: only defined users from our tenant can join
    - All Company: here the users within your tenant can join.

    The video recording option enables you to record the meeting and later publish it on Azure Media Services.
    Right now you cannot truncate any of the video.

    Configuring the advanced features:

    A meeting can require more defined/individual settings. If you need the audience app to have a different view and, better still, a different Social Content Access (either BING or YAMMER), you will have to configure this here.
    Moreover, the URLs you would like to have presented to the attendees can focus on a company identity. You set the Troubleshooting/Support URL and/or the Customer join link.

    As already said, the app used for managing social media can be defined as YAMMER or BING PULSE:
    You can define it for up to 2 apps.

    As you are familiar with YAMMER, I have provided the definition for the YAMMER APP. Just provide the group information you have previously defined in SharePoint (Yammer), letting your audience get in touch with you during the meeting.


    After you have configured the meeting, you can actively show the JOIN MEETING URL.
    Now just copy this URL, manually set up an OUTLOOK meeting with the copied link, and send it to the audience which should join your meeting.

    Joining the Broadcast Meeting:

    I will only provide the important new and experiences users. How to join a Skype for Business meeting should be quite clear and didn't change here, especially the part of how to activate audio/ video in Skype for Business Client.
    Once you click the link to join the meeting, you will see two different webpages, depending on the client (if you have the desktop app) and on whether you are joining a meeting in your organization or an external meeting.
    Internal Meeting, same Org:

    External Meeting, different Org:
    Your client will be connected to the meeting, if you have one installed. Otherwise the web-based client will be started.
    As usual, we activate e.g. our own video:
    (same applies for the PowerPoint Content)
    Now we come to the point of starting the video broadcast.
    Therefore you need to RIGHT click your video:
    Your video will now be set active:

    From there you have to click the "Start Broadcast" button, which lets you finally broadcast it.

    Here we are:
    The broadcast is live and 10.000+ users can follow you

    Tuesday, October 20, 2015

    Skype for Business and SQL Server 2014 licensing

    With Skype for Business Server 2015, the usability for SQL Server has advanced once more.

    We now have a couple of possibilities. Today I'm going to discuss all of them and will advise on the current licensing strategy based on SQL Server 2014 with regard to the Skype for Business Server 2015 recommendations.

    The general licensing guides are available here: http://www.microsoft.com/en-us/licensing/product-licensing/sql-server-2014.aspx

    There is one generic topic I have to discuss first. In many cases we are using hypervisor technologies, meaning the SQL servers are virtualized. Here is one important consideration you should keep in mind.
    If the SQL Server is virtual AND you use CPU CORE licensing, you can run as many virtual SQL servers on a single PHYSICAL host as you want. You only need to license the physical CPUs of that host.
    This applies to all physical hosts used.
    Say you have 3 VMware/Hyper-V physical servers and you run three SQL servers. If you position 1 and 2 of them on 2 physical hosts only (not on the third one), you only need to license 2 instead of 3 SQL servers.

    I mention this because you need to understand that the licensing model might be adjusted in the described scenarios if you run SQL virtualized. You might save costs if you position SQL servers optimally within a virtual environment.


    Please consult the current licensing guide if you license per core. There is a difference between physical and virtual CPUs.
    Additionally, there is a FACTOR you need to consider for the core license count, based on the CPU type.
    The minimum core license is:
    physical CPU Core        -> min 2 CORE Licenses
    virtual CPU Core (VM) -> min. 4 CORE Licenses

    General licensing terms based on Microsoft's advanced licensing description:

    All SQL Server versions provide high availability features such as clustering (only two-node), backup log shipping and mirroring.
    Always On (advanced HA feature) is only available in the Enterprise Edition. Additionally, this includes support for multiple, active (readable) secondary servers, as well as for multi-site failover clustering.
    In Skype for Business Server 2015, it is important to remember that a Multi-Site Pool Failover is not supported within a single Pool. Only Pool Pairing is supported. Therefore I don't recognize any multi-site failover scenario for SQL with regard to Skype for Business.

    Especially for Always On, but for other scenarios too, for each active SQL server an equal number of passive SQL servers is free of charge. You need to name the server and list it in your assessment sheets, but you do not need to pay a licensing fee for those servers.
    Passive means in the licensing terms: TRULY PASSIVE.

    Truly passive means that, for example, the following services are NOT allowed:
    • Reporting
    • Backup
    • Running procedures

    Take, say, a setup where you run an Always On configuration and have one active and two passive nodes, e.g. in two different physical locations. You need 2x SQL servers licensed and 1x doesn't require a license.
    Even so, this is not a scenario which you will consider with Skype for Business.

    Core license:
    In any case, you need to count the v-host with the most CPUs. To explain: only the vCPUs (virtual CPUs) are counted.

    Explaining a license shift:
    In the event of a failure, where the passive, secondary node becomes active, the assigned license is automatically (dynamically) moved to the secondary node. (Named: License Mobility with Server Farm SA Benefit)

    Remember at the end, you require an active Software Assurance contract for those setups:
    Failover Servers: SA customers are allowed to run passive SQL Server 2014 instances on a separated OSE or server for high availability.

    Finally we can have a look into the possible Skype for Business Backend Server recommendations.

    1. Scenario - SINGLE SQL Server

    Well, this scenario may be suitable for a test lab, but not for production.
    Just for licensing, you only need to license:

    2x SQL Server 2014 Std/Ent per Core or Server

    2. Scenario - Clustered SQL Server

    This is still a common scenario, but you should consider the availability of your storage. Assuming your storage is redundant, maybe even mirrored, this could still be a very suitable scenario.
    As is typical for a cluster, the failover clustering is not on the database level, it is on the server level, meaning the SQL Servers themselves are clustered.

    2x SQL Server 2014 Std/Ent per core or server

    3. Scenario - MIRROR SQL Server (without witness)

    This is the first setup where we do not have a server cluster itself; we mirror the database, meaning we log ship the primary database to a secondary (only secondary) database.
    The high availability is based on the database itself!

    But in this setup, in the event of a server or database failure on the primary node, the database will NOT switch automatically. We have no witness and we have to initiate the switch manually.

    1x SQL Server 2014 Std/Ent per core or server

    4. Scenario - MIRROR SQL Server (recommended)

    Here it comes with a fully automated failover setup. The principles are still the same as described in scenario 3, but we utilize a third server as witness. Therefore the system can recognize a failure and identify a possible split-brain issue.

    1x SQL Server 2014 Std/Ent per core or server
    1x SQL Server 2014 Express Edition (free of charge) 

    5. Scenario - ALWAYS ON SQL Server

    Why don't we need a witness (quorum) on SQL?
    The Always On configuration relies on WSFC (Windows Server Failover Clustering), and here we must have a FileShareWitness configured. So the witness is the share, not a dedicated server any more.

    1x SQL Server 2014 Enterprise per core or server

    Monday, October 12, 2015

    Wildcard Certificate Support in Skype for Business

    Coming back to the most common question about certificates in Skype for Business and Lync Server.

    Can we use Wildcard Certificates in Skype for Business or Lync Server?

    Simple answer is: YESNO

    First, let's have a look at a certificate:

    A certificate has a Common Name (CN) and Subject Alternative Names (SAN).
    A classic wildcard certificate is a certificate where the CN looks like: CN=*.domain.com

    In Skype for Business, the main reason for certificate use is TLS/MTLS data encryption, and the other point is server authentication/validation.
    Skype for Business uses the Common Name (CN) for authentication/validation trusts.

    Only if a server within the Topology or for Federation purposes presents a valid certificate with its matching Common Name (CN) can the entire traffic be used with TLS/MTLS.

    Therefore, we understand that a CN identifier set to the FQDN of the server or the pool is RECOMMENDED!

    A valid SAN Wildcard certificate could look like this:



    A dedicated article for Skype for Business does not exist yet; you have to refer to: Environmental requirements for Skype for Business Server 2015.
    Still, an internal deployment guide exists here: https://technet.microsoft.com/en-us/library/dn933910.aspx
    It addresses the same issue in the same way as it was with Lync 2010 and Lync 2013.


    Please carefully consider the use of a wildcard certificate. Even if you find out that the CN wildcard certificate is working, due to the feature required and named above it is NOT supported. Therefore make use of SAN wildcards only. Some other interfaces, for example the internal Edge NIC, never support a wildcard, not even if this is defined as optional.

    If you want to follow one simple piece of advice: use wildcard certificates ONLY on the Reverse Proxy and NOT on the internal / Edge servers at any time.
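The naming rule from this article, which also applies to the simple URL validation described in the January 2016 post (server or pool FQDN as CN, wildcard only as a SAN entry), written as a check. This is an added example, not code from the original posts or from Microsoft; the function names and the contoso.com host names are hypothetical, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example: check certificate naming against the guidance in this article.
# Function names and all contoso.com host names are hypothetical / constructed.

function Test-NameCoveredBySan {
    # True when $HostName matches a SAN entry exactly, or through a wildcard
    # entry that stands for exactly one left-most label (*.contoso.com).
    param([string]$HostName, [string[]]$SubjectAltName = @())
    foreach ($san in $SubjectAltName) {
        if ($san -ieq $HostName) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)    # "*.contoso.com" -> ".contoso.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateNamingReport {
    # Applies the two rules from the text: the CN is a server or pool FQDN (no
    # wildcard), and every required name (e.g. simple URLs) is covered by a SAN.
    param(
        [string]$CommonName,
        [string[]]$SubjectAltName = @(),
        [string[]]$RequiredName = @()
    )
    $findings = @()
    if ($CommonName.Contains('*')) {
        $findings += "CN '$CommonName' is a wildcard; use the server or pool FQDN"
    }
    foreach ($name in $RequiredName) {
        if (-not (Test-NameCoveredBySan -HostName $name -SubjectAltName $SubjectAltName)) {
            $findings += "'$name' is not covered by any SAN entry"
        }
    }
    [pscustomobject]@{
        CommonName    = $CommonName
        WildcardInSAN = [bool]($SubjectAltName | Where-Object { $_.StartsWith('*.') })
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings -join '; '
    }
}

function Get-CertificateName {
    # Extracts CN and SAN DNS names from an X509Certificate2. Assumption: an
    # English-language Windows, where SAN entries are rendered as "DNS Name=...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    @{ CommonName = $cn; SubjectAltName = $san }
}

# Constructed sample name sets, so the check runs without a certificate store.
$simpleUrls = 'meet.contoso.com', 'dialin.contoso.com'
$samples = @(
    @{ CommonName = 'pool01.contoso.com'; SubjectAltName = 'pool01.contoso.com', '*.contoso.com' },
    @{ CommonName = '*.contoso.com';      SubjectAltName = @('*.contoso.com') },
    @{ CommonName = 'pool01.contoso.com'; SubjectAltName = 'pool01.contoso.com', '*.eu.contoso.com' }
)
foreach ($s in $samples) {
    Get-CertificateNamingReport @s -RequiredName $simpleUrls
}

# Against real certificates on a server (read-only):
# Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
#     $n = Get-CertificateName -Certificate $_
#     Get-CertificateNamingReport @n -RequiredName $simpleUrls
# }
```

Only the first sample is reported as compliant: the second has a wildcard CN, and in the third the wildcard `*.eu.contoso.com` does not cover the simple URL host names because a wildcard stands for a single label.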

    As reference:
    Lync 2010:
    Lync 2013:

    Skype for Business Server 2015:

    Exchange UM and UC Integration is not covered in this article yet. Please check with your Exchange department first if they support wildcard.

    Wednesday, August 12, 2015

    Skype for Business File Share: Failed to save permissions during Topology publishing

    While you are installing and publishing a Skype for Business Server 2015 Topology, you have to create a File Share for all important services.

    In this example the File Share is located on the same server which will later host the Skype for Business Standard Server. But in larger or other setups, where the File Share is located on SAN, DFS or a File Cluster, you might experience the same issue.

    File Share and Folder Prerequisites:

    The share can be either a normal share or an administrative share$.

    Share Permission:


    Folder (Security Settings):

    SYSTEM and CREATOR: must be Windows Server default
    Installing user: FULL CONTROL
    local Server Administrators: FULL CONTROL

    Skype for Business Topology Builder:

    Must be started with: "Run as administrator"

    Example and problem description:

    This example applies to a Windows Server 2012 R2, where we are installing in a Single Domain Forest with a Domain Admin. The Domain Administrator Group was placed in the local Member Server Group for Administrators.

    The next step I personally do is setting the User Account Control (UAC) to NEVER, meaning switching it off entirely.

    The next step after defining the Topology is to publish it, either with the PoC's Standard Server or with the Primary Pool's associated SQL Backend Store.
    Doing so resulted in the issue described below:

    Role: FileStore:1
    Acl: "Accesswrite" permission for "RTCHSUniversialServices" on \\fileshareServer\SkypeShare$
    Acl: Committed permission changes for \\fileshareServer\SkypeShare$\WinFabDumpFiles.
    ACLError: Access permission error.
    Error: Failed to save permissions on \\fileshareServer\SkypeShare$

    The funny part is that most of the directories were created successfully up to this point.
    The next important check, as with Lync 2013, is the share permission: EVERYONE is READ, and the local ADMINISTRATORS have FULL CONTROL, CHANGE and READ.
    Next to the share permissions, we also have to check the file/folder permissions. Here the admin we logged on with can normally stay in the permissions for files/folders; just as a test, we removed the administrator from the tab.
    This resulted in the normal issue with Windows Server 2012 and 2012 R2, where the Access Control prevents the user/admin from accessing this folder. Once you click the Continue button, the admin will be part of the permissions again.
    Therefore I DID NOT ADD the ADMIN to the permissions!
    Then we executed the Topology publishing task again and ran into a very interesting issue:
    Role: FileStore:1
    InvalidFolder: Invalid Share.
    Error: Caller does not have required permission to create directory \\fileshareServer\SkypeShare$\WinFabTraceFiles. Verify that your user account has administrative privileges and that you selected "Run as administrator" when your started Windows PowerShell.

    This is a very good hint, but remember we were Domain Admin, local Server Admin and had switched off the UAC.

    Finally, due to the hint, I started the Topology Builder with the option "Run as administrator".
    As expected the Wizard finished without any issue or error.
    Once I tried to access the folder for the Skype for Business File Share, the same warning popped up again and I granted access myself.
    In the last picture, you can see the correct permission and also the correct groups were set to the file share and folders finally.
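A pre-flight check for the situation described in this post, to be run in the same session that will publish the topology. This is an added example, not part of the original post or of the Skype for Business tooling; the function name is hypothetical and the share path is the one shown in the log lines above.

```powershell
# Added example: pre-flight check before publishing the topology.
# Function name is hypothetical; Windows only, read-only.
function Test-PublishPrerequisite {
    param([Parameter(Mandatory)][string]$SharePath)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # True only for an elevated token; membership in Domain Admins or the local
    # Administrators group alone is not enough while Admin Approval Mode is on.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # EnableLUA = 1 means Admin Approval Mode is still active. On Windows
    # Server 2012 and later the "Never notify" slider position leaves it at 1.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA

    # NTFS entries on the share root, for comparison with the folder
    # prerequisites listed in this post.
    $acl = $null
    if (Test-Path -LiteralPath $SharePath) {
        $acl = (Get-Acl -LiteralPath $SharePath).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    }

    [pscustomobject]@{
        User              = $identity.Name
        Elevated          = $elevated
        AdminApprovalMode = ($enableLua -eq 1)
        AclReadable       = [bool]$acl
        FolderAcl         = $acl
    }
}

# Path as it appears in the log lines of this post; replace with your own share.
Test-PublishPrerequisite -SharePath '\\fileshareServer\SkypeShare$'
```

If `Elevated` is False while `AdminApprovalMode` is True, the session is running with a filtered token, which matches the "Run as administrator" hint in the second error message.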