Scenario
User cannot sign-in to Skype for Business via client and has error:
Per KB2581291 Microsoft suggests to make sure that the computer's clock and time zone settings are set correctly. And it's correct article except the fact that the registry key 'ClockSkew' is located under another registry path:
In my particular case users messed with time and had unchecked 'Daylight Saving Time' setting.
'Cannot sign in to Skype for Business because your computer clock is not set correctly. To check your computer clock settings, open Date and Time in the Control Panel.' Solution Per KB2581291 Microsoft suggests to make sure that the computer's clock and time zone settings are set correctly. And it's correct article except the fact that the.
- (This certificate must have a subject name or subject alternative name that identifies the user and must be issued by a Root CA that is trusted by servers running Skype for Business Server, be within the certificate's validity period, and not have been revoked.) To be authenticated, users only need to type in a personal identification number (PIN).
- Certificate authentication requires your Mac’s time be in sync with the server you are connecting to, so if for some reason your Mac’s time is off, then you may get these errors. To fix this, go to the Date & Time system preferences, and ensure the option to “Set date and time automatically” is checked (click the lock to authenticate if.
- It is literally only her account, only on her Surface that is presenting problems. I get the error: 'There was a problem verifying the certificate from the server.' I've tried deleting login info, resetting IE settings to get rid of old certificates, running Microsoft 'auto-fixes'. Nothing seems to be working. Any help would be appreciated.
User cannot sign-in to Skype for Business via client and has error:
'Cannot sign in to Skype for Business because your computer clock is not set correctly. To check your computer clock settings, open Date and Time in the Control Panel.'Solution
Per KB2581291 Microsoft suggests to make sure that the computer's clock and time zone settings are set correctly. And it's correct article except the fact that the registry key 'ClockSkew' is located under another registry path:
HKEY_CURRENT_USERSoftwareMicrosoftMSOIdentityCRL
instead of documented:
HKEY_USERS.DEFAULTSoftwareMicrosoftMSOIdentityCRLIn my particular case users messed with time and had unchecked 'Daylight Saving Time' setting.
The Time Zone, the 'Daylight Saving Time' settings were corrected, time synchronization were completed, registry key 'ClockSkew' was deleted and Skype for Business client could sign-in.
References
I've been having this issue for quite some time as well, and have been working with a Microsoft Skype for Business (SfB) support engineer on it. To be certain it's the same, or similar-enough issue, here's the setup I've been working with (or against it seems):
* Skype for Business 2016 (any version, including latest in the insider 'Fast Ring' releases)
* Macbook Pro - Early 2011
* OS X 'El Capitan' - v10.11.6
* Corporate domain is on Azure AD (Active Directory)
* When signing in with the AD account, you are either a) Given a choice between 'Work or school account' or 'Personal account), b) usually automatically redirected to the company branded signon page.
If that matches up, the next step is to check the certificate which is on domain's federation services (ADFS) host. This may require getting IT involved to find it, or reviewing the SfB logs.
Skype For Business Configuration Settings
When you get the host name, for example, 'adfs.mycompany.com', go to that address via HTTPS in Safari. So you'd go to 'https://adfs.mycompany.com'. Once there, click on the lock to the left of the address in the address bar and click the 'Show Certificate' button. Make sure that the selected certificate, in the tree view at the top, is the bottom-most one. The bottom pane should show some brief certificate info (Issued by, Expires, 'This certificate is valid' type message, etc.). Expand the 'Details' section in that lower pane, and look for the 'Signature Algorithm' line, which should be, roughly, the 12th one down. If on that line, you have something similar to 'SHA-512 with RSA Encryption' (forget about the long number afterward), then that is the source of the issue with logging on, and also, activating Office 365 (if you have a company account for it).
OS X prior to 10.12 (Sierra) does not *natively* support 512 bit certificate signatures. So while browsers and everything else shows that, yes, the certificate is good, valid, unexpired, etc, the low level network stack in OSX, which is used by SfB to initially connect, does not, so it cannot validate that the certificate is valid, thus causing this issue.
Unfortunately, at this time, there doesn't appear to be a way to wedge in support for 512 algorithms in OSX, and that includes forcibly upgrading/linking openssl. The only way I've found to date, to use SfB on anything less than 10.12.x, is to essentially MITM yourself, using a proxy application, such as Charles, which will create its own fake certificate which you must trust, to connect.
Skype For Business Server Certificate Error
I apologize for such a long writeup, but given that despite my hours and hours and hours spent over months of researching the issue, I hope to provide as much useful and helpful information as possible for any future Googlers/Bingers/DuckDuckGoers/etc.