You can't sign in to Skype for Business or Lync clients on devices that don't support Server Name Indication (SNI)
When you use Active Directory Federation Services 3.0 (ADFS) as an identity federation provider, devices that don't support Server Name Indication (SNI) won't be able to sign in.
This issue currently occurs on Polycom CX phone devices and some Lync Phone Edition devices.
To work around this issue as a Skype for Business administrator, associate the SSL certificate with the ADFS web URL for each ADFS server in your environment. To do this, follow these steps:
Run the following command on the ADFS servers:
netsh http show sslcert
The application ID and certificate hash are returned in the output. The website URL is also reported. If there's more than one website configured on the server, search for the website URL first, and then obtain the corresponding application ID and certificate hash.
Run the following command in the same window:
netsh http add sslcert ipport=0.0.0.0:443 certhash=certhash appid=appid
- Replace the IP address in this command (0.0.0.0) with the IP address that you want to specify. Also replace the port value with the specific port that's configured for the website. This is typically 443 for ADFS 3.0. For most customers, binding the SSL certificate to all IP addresses is recommended.
- The appid value must include the braces.
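The two steps above can be scripted so that the certificate hash and application ID are copied from the existing binding rather than retyped. The following PowerShell is an added example, not part of the original article: the host name adfs.example.test, the hash and the GUID are constructed placeholders, and the field names assume English-language netsh output.

```powershell
# Parse `netsh http show sslcert` output into one record per binding.
function Get-SslBinding {
    param([string[]]$Lines)
    $bindings = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $Lines) {
        # Binding fields look like "    Certificate Hash             : <value>"
        if ($line -notmatch '^\s*(.+?)\s+:\s+(.*)$') { continue }
        $key = $Matches[1]; $value = $Matches[2].Trim()
        if ($key -eq 'Hostname:port' -or $key -eq 'IP:port') {
            $current = @{ Kind = $key; Endpoint = $value }   # a new binding starts here
            [void]$bindings.Add($current)
        } elseif ($current) {
            $current[$key] = $value
        }
    }
    return $bindings
}

$adfsEndpoint = 'adfs.example.test:443'   # placeholder: your ADFS web URL and port
$ipPort       = '0.0.0.0:443'             # binding to add for clients without SNI

# Constructed sample output. On an ADFS server use: $lines = netsh http show sslcert
$lines = @'
SSL Certificate bindings:
-------------------------

    Hostname:port                : adfs.example.test:443
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Application ID               : {00000000-1111-2222-3333-444444444444}
    Certificate Store Name       : MY
'@ -split "`r?`n"

$all = @(Get-SslBinding $lines)
$sni = $all | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -eq $adfsEndpoint }
$ip  = $all | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $ipPort }

if (-not $sni) {
    Write-Warning "No hostname binding found for $adfsEndpoint"
} elseif ($ip) {
    # A binding already exists on this IP:port; compare it rather than adding another.
    $same = $ip['Certificate Hash'] -eq $sni['Certificate Hash']
    Write-Output "$ipPort is already bound (same certificate as ${adfsEndpoint}: $same)"
} else {
    # Print the command for review; the appid value keeps its braces.
    Write-Output ("netsh http add sslcert ipport={0} certhash={1} appid={2}" -f
        $ipPort, $sni['Certificate Hash'], $sni['Application ID'])
}
```

After the printed command has been run, netsh http show sslcert should list an IP:port entry for 0.0.0.0:443 alongside the hostname entry.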
For more information about these commands, go to the following Microsoft websites:
- How to publish Lync Server 2013 Web Services with Windows Server 2012 R2 Web application proxy
- How to: Configure a port with an SSL certificate
This issue occurs when the following conditions are true:
- You have a Windows Server 2012 R2-based server that has ADFS 3.0 installed.
- ADFS 3.0 introduces a Server Name Indication (SNI) feature that some platforms don't support yet. Support for SNI depends on the device's operating system. Although the clients themselves support this new feature, the device platform may not.
If you need help configuring ADFS 3.0, we recommend that you contact ADFS 3.0 technical support. We also recommend that you run the most recent versions of the ADFS 3.0 components.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.