This issue occurs in the following scenario:
You disable Windows Challenge/Response (NTLM) for external authentication of Microsoft Skype for Business 2016 or Microsoft Lync 2013 clients.
You are running virtual private network (VPN) split-tunneling that forces all traffic to pass through an Edge server and an encrypted VPN tunnel.
If the validity period for the client certificates that are issued for TLS-DSK authentication is 180 days, the client certificates incorrectly begin to renew only within the 12 hours before they expire. Renewal should instead begin 30 days or one-third of the validity period before the expiration date.
When this issue occurs, if a certificate expires when the user device is offline, the user cannot remotely sign in to Skype for Business 2016 or Lync 2013 on the device by using the expired certificate.
This issue also occurs in Microsoft 365 versions of Office.
This issue occurs because Skype for Business 2016 or Lync 2013 incorrectly calculates the threshold at which client certificates are renewed.
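The following added example (not Microsoft's code) models why the 12-hour threshold strands devices that are offline near expiry: it checks whether any online session overlaps the renewal window for each lead time mentioned above. The function names, the sample dates and the rule that a client renews whenever it is online inside the window are assumptions made for illustration; because the text does not say which of "30 days" or "one-third" applies, both are reported.

```python
from datetime import datetime, timedelta


def renewal_leads(validity):
    """Lead times before expiry at which renewal may start (from the text above)."""
    return {
        "faulty_12_hours": timedelta(hours=12),
        "thirty_days": timedelta(days=30),
        "one_third_of_validity": validity / 3,
    }


def renewal_window(not_before, not_after, lead):
    """Return (start, end) of the period in which the client may renew."""
    # A lead longer than the whole validity period is clamped to issuance.
    return max(not_before, not_after - lead), not_after


def can_renew(window, online_sessions):
    """Assumed model: renewal succeeds if any online session overlaps the window."""
    start, end = window
    return any(s < end and e > start for s, e in online_sessions)


def assess(not_before, not_after, online_sessions):
    """Map each lead-time rule to whether the device gets a chance to renew."""
    validity = not_after - not_before
    return {
        name: can_renew(renewal_window(not_before, not_after, lead), online_sessions)
        for name, lead in renewal_leads(validity).items()
    }


# Constructed sample: a 180-day certificate that expires on a Saturday morning,
# on a laptop that is only online during weekday office hours.
ISSUED = datetime(2024, 1, 1, 9, 0)
EXPIRES = ISSUED + timedelta(days=180)          # Saturday 2024-06-29 09:00
SESSIONS = [
    (datetime(2024, 6, 27, 9, 0), datetime(2024, 6, 27, 17, 0)),
    (datetime(2024, 6, 28, 9, 0), datetime(2024, 6, 28, 17, 0)),  # last before expiry
    (datetime(2024, 7, 1, 9, 0), datetime(2024, 7, 1, 17, 0)),    # already expired
]

if __name__ == "__main__":
    for rule, ok in assess(ISSUED, EXPIRES, SESSIONS).items():
        print(f"{rule:24} renewal possible: {ok}")
```

With the faulty threshold the window opens at 21:00 on Friday, after the last session has ended, so the certificate lapses over the weekend; either of the longer lead times gives the device weeks of online sessions in which to renew.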