Wednesday, July 19, 2017

Skype for Business Mobile Authentication Issue with IIS ARR Reverse Proxy

I haven't worked much with IIS ARR. Most of my customers prefer either a F5 or Kemp for their load balancing solution. I recently worked with a customer who did not have a solution in place and did not want to spend money on a dedicated appliance.

Necessity is the mother of invention learning something new. šŸ˜€

A colleague of mine forwarded me this article he had used previously to setup IIS ARR for another customer. While the article is several years old, it's still an excellent resource and I would recommend bookmarking it. The guide in the website linked above walked me through most of what I needed for the setup.

I finished the configuration steps and signed in on my Android phone via a test account the customer provided me. I added the customer to my contacts list and sent him an IM. Everything was working alright until my account was logged off without warning and I received the error message below:



I wasn't sure what to make of this error. My mobile phone was connected via wifi, so I thought maybe there was an issue with my home wifi network. I shut off the wifi connection on my phone to connect via my mobile network and couldn't sign back in with the same credentials. My mobile client flashed the error below:


Switching from my wifi network to my mobile network didn't help at all. I couldn't login, so if anything, I made it worse. What the heck!?! šŸ˜”

The error I received this time was different. Could 'server address' be an issue with the external DNS entries? My intial impression was no, probably not. If the external DNS entries were incorrect/misconfigured then authentication would not have worked the first time. If it's not my mobile phone network or external DNS, could it be the reverse proxy?

I double checked the reverse proxy settings again. The server certificates and port bindings were correct. What was I missing? The answer was in the server farms I created. The customer had two standalone servers and each server had its own external web services address. Each external web services server farm should have only one server listed. I accidently listed both servers in each server farm. This was clearly an oversight and rookie mistake on my part! I removed the additional entry in each farm and the authentication issues disappeared. 

Below is the correction I made on the reverse proxy (skype1 in webext-se, skype2 in webext-se2):



I hope my 'learning experience' saves you from the same mistake I made in the future.


No comments:

Post a Comment