You experience federated partner issues when you use Office Communicator or Lync in Office 365 dedicated or ITAR

Symptoms

In Microsoft Office 365 Dedicated or ITAR, a user cannot communicate with a federated partner through Microsoft Lync or Microsoft Office Communications Server.

Cause

This issue occurs if there is a misconfiguration in Microsoft Online Services or a misconfiguration by the federated partner.

Resolution

Note Microsoft Online Support does not work directly with the federated partner. Microsoft Online Support cannot speak on behalf of your organization and does not support the Office Communications Server or Microsoft Lync Server environment of a federated partner.

Troubleshooting steps

  1. Request the following screen shots from the federated partner:
    • The Allow list from the instance of Office Communications Server or Lync Server
    • The Service Location (SRV) record for the federation
  2. Determine whether any other federations are working. Dedicated users are federated with Microsoft. If the Microsoft federation is working, the issue is probably with the federated partner.
  3. Determine whether this is a new federation.

    Note If this is a new federation, contact your Service Delivery Manager (SDM) to complete a configuration request (CR).
  4. Verify DNS settings:
    • Verify that the public SRV record of the Session Initiation Protocol (SIP) domain is structured as follows:
      _sipfederationtls._tcp.<domain>.com
    • Verify that the SRV record points to port 5061.
    • Verify that the SRV record points to the fully qualified domain name (FQDN) of your Access Edge (AE) server.
    • Verify that the A record of the FQDN points to your AE external IP address.
    • Verify that the SIP domain and the domain in the FQDN of your AE match.

    Note You can check both the user's and the partner's SRV records. To do this, follow these steps:
    1. Open a Command Prompt window. To do this, click Start, click Run, type cmd, and then press Enter.
    2. Type Nslookup, and then press Enter.
    3. Type Set type=srv, and then press Enter.
    4. Type the following command, and then press Enter:
      _sipfederationtls._tcp.<customerdomain>.com
    5. Type the following command, and then press Enter:
      _sipfederationtls._tcp.<partnerdomain>.com

    Example of a valid configuration (_sipfederationtls._tcp.microsoft.com):

    The SRV service location resembles the following:
      priority     = 0
      weight       = 0
      port         = 5061
      svr hostname = sipfed.microsoft.com

    Example of an invalid configuration (_sipfederationtls._tcp.contoso.com):

    The SRV service location resembles the following:
      priority     = 0
      weight       = 0
      port         = 5061
      svr hostname = sipfed.im.contoso.com

    Note SIP domain is mismatched.
  5. Nslookup should return an FQDN for both the user and the partner. You must verify that the certificates are set up correctly for the user and the federated partner. To do this, follow these steps:
    1. Go to http://www.digicert.com/help/.
    2. Enter the FQDN of the SVR host name from step 5a.
    3. If everything comes back OK, make sure that the certification authority on the list matches one of the certification authorities on Windows Root Certificate Program Members.
  6. Obtain log files that describe the issue from the federated partner.
  7. Obtain log files from an affected user in your organization.
  8. Provide the results from the previous steps in the escalation.
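
The DNS checks in step 4, as an added example that is not part of the original article: a Python script that parses nslookup SRV output and flags a malformed record name, a port other than 5061, or a SIP domain mismatch. The sample output is constructed from the article's two examples plus a hypothetical fabrikam.com record, and the function names are assumptions of this example.

```python
import re
FEDERATION_PORT = 5061  # port the article requires for the SRV record
PREFIX = "_sipfederationtls._tcp."

# Constructed nslookup "set type=srv" output; the fabrikam.com record is hypothetical.
SAMPLE = """\
_sipfederationtls._tcp.microsoft.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = sipfed.microsoft.com
_sipfederationtls._tcp.contoso.com      SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = sipfed.im.contoso.com
_sipfederationtls._tcp.fabrikam.com     SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = sipfed.fabrikam.com
"""

def parse_srv(text):
    """Return one dict per SRV answer found in nslookup output."""
    records = []
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"(\S+)\s+SRV service location:", line)
        field = re.match(r"(priority|weight|port|svr hostname)\s*=\s*(\S+)$", line)
        if head:
            records.append({"name": head.group(1).rstrip(".").lower()})
        elif field and records:
            key, value = field.groups()
            records[-1][key] = value.rstrip(".").lower() if key == "svr hostname" else int(value)
    return records

def check_record(rec):
    """Apply the step 4 checks; an empty list means the record passes."""
    if not rec["name"].startswith(PREFIX):
        return ["record name is not _sipfederationtls._tcp.<domain>"]
    findings, sip_domain = [], rec["name"][len(PREFIX):]
    if rec.get("port") != FEDERATION_PORT:
        findings.append(f"port is {rec.get('port')}, expected {FEDERATION_PORT}")
    host_domain = rec.get("svr hostname", "").partition(".")[2]  # FQDN minus first label
    if host_domain != sip_domain:
        findings.append(f"SIP domain mismatch: {sip_domain} vs {host_domain}")
    return findings

if __name__ == "__main__":
    print({r["name"]: check_record(r) or "OK" for r in parse_srv(SAMPLE)})
```

The A record and certificate checks from steps 4 and 5 need live lookups and are not covered by this script.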

Escalation steps

  1. Contact Microsoft Online Services Support by online submission or by telephone.
  2. Provide the following information to Microsoft Online Services Support:
    • Log files from both the federated user and the affected user in your organization
    • The CR number if it is a new federation
    • The following screen shots from the federated partner:
      1. The Allow list from the instance of Office Communications Server or Lync Server

        To find this information, run the following cmdlet:
        Get-CsAllowedDomain 
      2. The SRV record for the federation
  3. Describe whether any other federations are not working. Because all users are federated with Microsoft, we should check whether the issue exists with Microsoft, too.

More Information

For more information about federated partner communication issues, see the following article in the Microsoft Knowledge Base:
2615742 Problems occur when you use Lync 2010 to chat with a federated partner that uses IBM Sametime in Office 365 dedicated or ITAR
Properties

Article ID: 2605326 - Last Review: Nov 17, 2016 - Revision: 1

Microsoft Business Productivity Online Dedicated, Microsoft Business Productivity Online Suite Federal, Microsoft Office Communications Online Dedicated, Microsoft Office Communicator 2007, Microsoft Office Communicator 2007 R2, Microsoft Lync 2010
