A description of the new HttpProxyControlFlags GPO settings in the registry

Summary

After you apply one of the following security updates, a new HttpProxyControlFlags Group Policy Object (GPO) is added to resolve Microsoft Office O365 authentication issues:

• December 8, 2015 security update (KB3114351) for Microsoft Lync 2013 (Skype for Business)

• December 8, 2015 security update (KB3114372) for Skype for Business 2016

These issues occur in Microsoft Lync 2013 or Microsoft Skype for Business 2015 or 2016 organizational environments that use HTTP proxy service, enable automatic detection feature by setting proxy auto-configuration (PAC) files or equivalent mechanism), or use a proxy service that requires authentication.

In these environments, a Lync 2013 or Skype for Business client uses the correct proxy settings to sign in to Office 365 by using Microsoft Online Services Sign-In Assistant (MOS SIA) Identity Client Runtime Library (IDCRL). However, in some environments in which Lync 2013 or Skype for Business client is running behind two or more proxies, Skype for Business can choose the wrong proxy settings for IDCRL to use. This may block the authentication or otherwise require additional proxy authentication. To resolve this situation, you can use this GPO setting to resolve the authentication issues.

How to locate the GPO setting

The registry type of the GPO setting is DWORD. Depending on the client that you use, the setting will be located in one of the following registry subkeys on a given client computer:

For Lync 2013 (Skype for Business 2015)

• HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync

• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\15.0\Lync 

For Skype for Business 2016

• HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync

• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Lync

How the GPO setting works

• First bit (0x1)

  • When it isn't set: Use named HTTP proxy from Internet Explorer.

  • When it's set: Disable named proxy usage from Internet Explorer.

• Second bit (0x2)

  • When it isn't set: Use the HTTP proxy that's used for SIP over HTTPS as the named proxy for IDCRL.

  • When it's set: Do not use the HTTP proxy that's used for SIP over HTTP.

    • If the second bit is not set, the HTTP proxy from SIP detection might be used as an alternative proxy.

• Third bit (0x4)

  • When it isn't set: Share the HTTP proxy credentials that are collected by Lync 2013 or Skype for Business clients with IDCRL.

  • When it's set: Do not share the proxy credentials with IDCRL.

    • Setting this bit can cause IDCRL to fail if proxy credentials are required by local proxy.

• Other bits are reserved for future use and must be set to 0!

The examples of the GPO settings

• When the value of the new GPO is set to 0 (the default value), MOS SIA uses either the named proxy or the proxy that's used by SIP over HTTPS, and it shares proxy credentials.

• When the value of the new GPO is set to 1, MOS SIA disables the named proxy, but uses the SIP over HTTPS proxy if this is detected, and shares the HTTP Proxy credentials if they are available to Lync 2013 or Skype for Business clients. (That is, it reverts to the legacy behavior the previous KB 3040493.)

• When the value of the new GPO is set to 3, MOS SIA disables sharing of both named proxy and SIP over HTTPS proxy with IDCRL, but enables sharing of proxy credentials that are collected by Lync 2013 or Skype for Business clients with IDCRL.

• When the value of the new GPO is set to 7, MOS SIA completely disables the proxy control by Lync 2013 or Skype for Business clients, and fully relies on IDCRL library logic to auto-detect and authenticate against the HTTP proxy.