Symptoms
This issue occurs in the following scenario:
- You disable Windows Challenge/Response (NTLM) for external authentication of Microsoft Skype for Business 2016 or Microsoft Lync 2013 clients.
- You are running virtual private network (VPN) split-tunneling that forces all traffic to pass through an Edge server and an encrypted VPN tunnel.
If the validity period for the client certificates that are issued for TLS-DSK authentication is 180 days, the client certificates incorrectly begin to renew within 12 hours before they expire. Renewal should instead begin 30 days or one-third of the validity period before the expiration date.
When this issue occurs, if a certificate expires when the user device is offline, the user cannot remotely sign in to Skype for Business 2016 or Lync 2013 on the device by using the expired certificate.
This issue also occurs in Microsoft 365 versions of Office.
Cause
This issue occurs because Skype for Business 2016 or Lync 2013 incorrectly calculates the threshold at which client certificates are renewed.
Resolution
To resolve this issue, install one of the following updates:
- The October 6, 2020, update (KB4486669) for Skype for Business 2016.
- The May 12, 2015, security update for Lync 2013. (Note: Lync 2013 was upgraded to Skype for Business in April 2015.)
- For Microsoft 365 versions of Office, install Office version 2008 (16.0.13127.21032) or later.
For Office version 2008, to enable this fix, create a policy by using one of the following options.
1. Create the following registry key on the client computers:
Root: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Key: Software\Policies\Microsoft\Office\16.0\Lync
Value Type: DWORD
Value Name: EnableExpiryThresholdInMinutes
Value Data: 0x00000001
2. Create the following client policy entry by using Skype for Business PowerShell:
$x = New-CsClientPolicyEntry -Name "EnableExpiryThresholdInMinutes" -Value "true"
Set-CsClientPolicy -Identity "<ClientPolicyName>" -PolicyEntry @{Add=$x}
Note: For Office version 2009 and later, this policy is not needed.
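The following script is an added example, not part of the original article. It applies the registry policy from option 1 under HKEY_LOCAL_MACHINE and reads the value back to confirm the type and data. It assumes a Click-to-Run installation that records its build in the VersionToReport value, and it must run from an elevated PowerShell session.

```powershell
# Added example: set the EnableExpiryThresholdInMinutes policy and verify it.
# Assumption: Click-to-Run Office stores its build in VersionToReport under the
# ClickToRun\Configuration key. MSI-based installs do not have this value.
$minBuild  = [version]'16.0.13127.21032'   # minimum build named in this article
$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$policyKey = 'HKLM:\Software\Policies\Microsoft\Office\16.0\Lync'
$valueName = 'EnableExpiryThresholdInMinutes'

# Check that the installed build already contains the fix before enabling it.
$reported = (Get-ItemProperty -Path $c2rKey -Name VersionToReport `
                -ErrorAction SilentlyContinue).VersionToReport
if (-not $reported) {
    Write-Warning 'No Click-to-Run build found. Confirm the Office version manually.'
} elseif ([version]$reported -lt $minBuild) {
    Write-Warning "Installed build $reported is older than $minBuild. Update Office first."
    return
}

# Create the policy key if it is missing, then write the DWORD value 0x00000001.
if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name $valueName `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so the result can be checked or logged.
$item = Get-Item -Path $policyKey
[pscustomobject]@{
    Key  = $policyKey
    Name = $valueName
    Kind = $item.GetValueKind($valueName)   # expected: DWord
    Data = $item.GetValue($valueName)       # expected: 1
}
```

To apply the policy per user instead, change the HKLM: prefix of $policyKey to HKCU:, which does not require elevation.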