During some troubleshooting relating to Exchange integration with Skype for Business, I ran into the infamous error 50043 whilst running Test-CSExStorageConnectivity -SIPUri “sip:testuser@contoso.com”
The test results reportt that Skype for Business is having issues communicating with the Exchange Server.
Troubleshooting
There are a number of components that are involved in integrating Exchange and Skype for Business server that could be causing error 50043.
First things first, let’s check to ensure Skype has the correct Exchange Autodiscover address:
In the Exchange Management Shell, run:
Get-ClientAccessServer | Select *uri*
That’s the autodiscover address that Skype will use to connect your Exchange environment. Notice how address ends in autodiscover.xml? Make a note of this address, as you’ll need it shortly.
Next, test the autodiscover service by browsing to it from your Skype for Business server. If you receive certificate errors, check to ensure your IIS certificate in Exchange contains the correct SAN’s, and is either trusted by your Skype for Business server (if internally signed), or is publicly signed.
Next check the current partner application settings in Exchange by running:
Get-PartnerApplication -identity Lync* | Select auth*
The AuthMetadataURL should point to your front end pool or standard edition server /metadata/json/1.
Browse to this address and check that you receive a file named “1” that contains the x509 oAuth certificate.
Next you’ll check and confirm the OAuth and Partner application settings in Skype for Business.
Open a Skype for Business shell, and run:
Get-CSOAuthConfiguration
The Exchange Autodiscover URL should be returned.
Important: Note that the URL ends with autodiscover.svc and not autodiscover.xml (a small, but vital detail).
Now run:
Get-CSPartnerApplication | select Auth*
Browse to the returned AuthToken value from your Skype for Business server in Internet Explorer. The URL should return the local domain information, along with the current x509 Certificate being used, and the autodiscover address used to connect to Exchange.
Alright. Everything looks ok so far, but you’re still getting error 50043 when running Test-CSExStorageConnectivity. What did we miss?
Explanation
This issue occured when an additional SIP domain was added to Skype for Business, and new users were being created using this new SIP domain.
Exchange was configured to accept the new SIP domain, but would not accept connectivity for any Skype for Business users who’s UPN contained this new SIP domain.
The issue occured due to the oAuth certificate that Skype for Business was presenting as authentication to Exchange. After adding the additional SIP domain, the oAuth certificate was never re-created, and so never contained the updated SIP domain. Because the request was effectively coming from a different Realm, Exchange rejected the connection.
Solution
A simple fix! Remove and re-create the oAuth certificate on one of the Skype for Business front end servers using the Skype Deployment Wizard, ensuring the additional SIP domain is added.
Once done, an Invoke-CSManagementStoreReplication ensures the new oAuth certificate is promptly deployed.
Test-CSEXStorageConnectivity -SIPURI “sip:testuser@contoso.com” then passed the test.
