Federation with O365 Domains Fail

Description:

I’ve come across issues when permitting federation to O365 domains from Lync 2010 on-prem environments.  Originally I was able to set an O365 domain (e.g. verizonwireless.com) as an Allowed federated domain without designating the Access Edge Server, which let DNS look up the SRV record to find the edge server FQDN (sipfed.online.lync.com for O365 domains).  This appeared to fail randomly for me in the first week of January 2014.

After a case with Microsoft support, their final answer and fix was to manually set the access edge server to sipfed.online.lync.com.  This was an acceptable workaround for a few months, until I attempted to upgrade to Lync 2013, which no longer permits admins to have sipfed.online.lync.com listed both as an access edge server for any federated domain and as a hosting provider.

Please note this issue has occurred only on two 2010 environments that were on CU7.  A permanent fix may be updating to the latest CU; however, this is still pending.  I will provide an update if this resolves the issue in the near future.

Symptoms:

When any O365 domain is manually listed as a federated domain and the Access Edge service (FQDN) field is blank, federation fails for Lync users.

Additionally, the client shows status unknown and the SIP logs show the following 504 Server time-out error:

ms-diagnostics: 1009;reason="No match for domain in DNS SRV results";domain="verizonwireless.com";fqdn1="sipfed.online.lync.comtrue5061";source="sip.mycompany.com"

The current configuration of the Lync Online hosting provider settings had HostsOCSUsers and EnabledSharedAddressSpace set to FALSE.


Resolution (work around):

Modify the LyncOnline hosting provider attributes “HostsOCSUsers” and “EnabledSharedAddressSpace” to TRUE.  I have not discovered the exact reason why this works, as my understanding is that these attributes are only used for shared address space setups, which neither of my environments was.  I noticed this change opened up federation to ALL O365 domains, which is why this is more of a workaround than an exact fix.

Set-CsHostingProvider -Identity "LyncOnline" -HostsOCSUsers $TRUE -EnabledSharedAddressSpace $TRUE

*Note: I originally planned to only set HostsOCSUsers to TRUE; however, this caused an error stating I was also required to set EnabledSharedAddressSpace to TRUE.

After enabling these two attributes I noticed I could simply delete the O365 federated domain as an “allowed” domain, or leave it there and only remove the access edge service FQDN.  Both worked.  Per quick research, it appears leaving it there is the better option, as it won’t be capped by any threshold, which I believe is 20 messages per second.
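
Because the workaround widens federation to every O365 domain, and a pinned sipfed.online.lync.com edge blocks the Lync 2013 upgrade, it helps to review both states before and after the change. The following read-only check is an added example, not part of the original post: the function name Test-O365FederationConfig, the domain pinned.example and the sample objects are constructed, and the property names are assumed to match what Get-CsHostingProvider and Get-CsAllowedDomain return.

```powershell
# Added example, not from the original post. Read-only; PowerShell 2.0 compatible.
function Test-O365FederationConfig {
    param(
        [Parameter(Mandatory=$true)] $HostingProvider,  # e.g. Get-CsHostingProvider -Identity "LyncOnline"
        [object[]] $AllowedDomain = @(),                # e.g. Get-CsAllowedDomain
        [string] $OnlineEdgeFqdn = 'sipfed.online.lync.com'
    )
    function New-Finding($Item, $Finding) {
        New-Object PSObject -Property @{ Item = $Item; Finding = $Finding }
    }
    # The workaround from the post: both attributes TRUE on the hosting provider.
    $workaround = $HostingProvider.HostsOCSUsers -and $HostingProvider.EnabledSharedAddressSpace
    if ($workaround) {
        New-Finding $HostingProvider.Identity ('Workaround active: the post observed that ' +
            'this opens federation to all O365 domains.')
    }
    foreach ($d in $AllowedDomain) {
        if ($d.ProxyFqdn -eq $OnlineEdgeFqdn) {
            # The earlier fix from the support case; the post says Lync 2013 rejects it.
            New-Finding $d.Domain ("Edge pinned to $OnlineEdgeFqdn; per the post this " +
                'is not permitted in Lync 2013, so clear it before upgrading.')
        }
        elseif ([string]::IsNullOrEmpty($d.ProxyFqdn) -and -not $workaround) {
            # The failing state from the Symptoms section (assumes the domain is in O365).
            New-Finding $d.Domain ('Blank edge FQDN and workaround off: if this is an O365 ' +
                'domain, expect the 504 / ms-diagnostics 1009 symptom.')
        }
    }
}

# Constructed sample objects mirroring the states described in the post.
$provider = New-Object PSObject -Property @{
    Identity = 'LyncOnline'; HostsOCSUsers = $false; EnabledSharedAddressSpace = $false
}
$domains = @(
    New-Object PSObject -Property @{ Domain = 'verizonwireless.com'; ProxyFqdn = $null }
    New-Object PSObject -Property @{ Domain = 'pinned.example'; ProxyFqdn = 'sipfed.online.lync.com' }
)
Test-O365FederationConfig -HostingProvider $provider -AllowedDomain $domains |
    Format-List Item, Finding

# On a Lync server, pass the live configuration instead of the samples:
# Test-O365FederationConfig (Get-CsHostingProvider -Identity "LyncOnline") (Get-CsAllowedDomain)
```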

 

 

1 thought on “Federation with O365 Domains Fail”

  1. Quick update on this: I had to modify HostsOCSUsers and EnabledSharedAddressSpace when “Lync Online” was enabled as a domain purpose within O365. When the config was updated and Lync Online was removed as a domain purpose, I had to re-disable both attributes within the CsHostingProvider. The more you know…