Known Issue: Skype Directory Search Service Connections May Fail if TLS 1.2 Is Not Enabled on Edge
Published Jan 13 2020 06:13 PM
Microsoft

Our investigation determined that TLS 1.0/1.1 were disabled prematurely on skypegraph.skype.com. Based on your feedback, we re-enabled those protocols. We apologize for the inconvenience.

 

We’re investigating an emerging issue with Skype Directory Search for Skype for Business On-Premises to Skype Consumer chat capability. When searching for a Skype account in the Skype for Business Client, you might get the following error message:

 

An error occurred during the search. Please try again, and contact your support team if the problem continues.

 

Additionally, you may find the following error in the Lync event log on the impacted Edge servers:

Log Name:      Lync Server
Source:        LS Web Components Server
Date:          1/13/2020 8:53:26 AM
Event ID:      4106
Task Category: (1074)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CE1210R2.contoso.com
Description:
The server selected for next hop could not be reached, or did not reply.

A server selected as a proxy target for HTTP traffic could not be reached or did not reply: skypegraph.skype.com. 
Performance Counter Instance:  
Failure occurrences: 4, since 1/13/2020 4:51:18 PM. 
Failure Details: WebException: The underlying connection was closed: An unexpected error occurred on a send.
Cause: The remote server may be experiencing problems or the network is not available between these servers.
Resolution:
Examine the event logs on the indicated server to determine the cause of the problem.

Based on our initial investigation, it appears that the Skype Directory Search endpoints are refusing TLS 1.0 connections.

 

Workaround:

To fix this issue, you need to enable your Edge servers to use TLS 1.2. Your Lync or Skype for Business Servers may require dependency updates, including .NET Framework updates. All the requirements for enabling TLS 1.2 are documented here:

Disable TLS 1.0/1.1 in Skype for Business Server 2015

 

Note that this procedure is also supported on Lync Server 2013. For more information, refer to the following blog post:

Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1

 

Once all the prerequisite software updates are installed, deploy the prerequisite registry keys. This enables your Edge servers to negotiate TLS 1.2 connections to the Skype Graph web service endpoints. You do NOT need to disable TLS 1.0 on the impacted Edge servers.
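
A read-only check for the prerequisite registry values mentioned above, as an added example that is not part of the original post or of Microsoft's documented procedure. The key paths and value names are the standard Schannel and .NET Framework TLS settings; they are not listed on this page, so confirm them against the linked article before acting on the result.

```powershell
# Added example: audits (does not modify) TLS 1.2 client prerequisites on an Edge server.
# Assumption: these are the standard Schannel / .NET strong-crypto values; the
# authoritative list is in the Microsoft article linked from this post.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$checks = @(
    @{ Path = $schannel; Name = 'Enabled';           Want = 1 },
    @{ Path = $schannel; Name = 'DisabledByDefault'; Want = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Want = 1 }
)

function Test-Tls12Prerequisite {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null rather than an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }

        # Compare as booleans: 'Enabled' is sometimes stored as 0xFFFFFFFF,
        # which is still "on". An unset value is reported as not OK because the
        # effective setting then depends on the OS and .NET defaults.
        $ok = ($null -ne $actual) -and ([bool]$actual -eq [bool]$c.Want)

        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Want
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = $ok
        }
    }
}

$results = Test-Tls12Prerequisite -Checks $checks
$results | Format-Table Name, Expected, Actual, Ok, Path -AutoSize

# Summarise so the script can be used in a scheduled compliance check.
if ($results.Ok -contains $false) {
    Write-Warning 'One or more TLS 1.2 prerequisites are missing or differ from the expected value.'
} else {
    Write-Output 'All checked TLS 1.2 client prerequisites are present.'
}
```

Run it in an elevated PowerShell session on each Edge server; registry changes to Schannel take effect only after a reboot, so re-run the check after restarting.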

 

More Information:

Our investigation determined that TLS 1.0/1.1 were disabled prematurely on the skypegraph.skype.com endpoints. You should no longer have to deploy the prerequisites to work around this issue. We apologize for the inconvenience.

4 Comments
Iron Contributor

All I had to do was enter the registry keys here and reboot the edge server - took a few minutes, then started working: https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/disable-tls-1.0-1.1#pre-requisite-...

Copper Contributor

I had to install the prerequisite registry keys and update .NET from 4.5 to 4.7 on the Edge used for federation to resolve the issue. We still use LPE, so not disabling TLS 1.0 allowed those phones to continue working.

Brass Contributor

Any updates on this topic?

We had the issue about a week ago and now it's working without us having to make any changes on the Edge servers.

Did the MS team find and fix something?

Microsoft

@Luis Ramos apologies for the delayed response. Yes, indeed, TLS 1.0/1.1 were re-enabled on skypegraph.skype.com, so this should no longer be an issue. They were disabled early by mistake.

Version history
Last update: Mar 05 2020 11:00 AM