You can't sign in to Skype for Business or Lync clients on devices that don't support Server Name Indication (SNI)

Problem

When you use Active Directory Federation Services 3.0 (ADFS) as an identity federation provider, devices that don't support Server Name Indication (SNI) won't be able to sign in.

Note

This issue currently occurs on Polycom CX phone devices and some Lync Phone Edition devices.

Workaround

To work around this issue as a Skype for Business administrator, associate the SSL certificate with the ADFS web URL for each ADFS server in your environment. To do this, follow these steps:

  1. Run the following command on the ADFS servers:

    netsh http show sslcert 
    

    The application ID and certificate hash are returned in the output. The website URL is also reported. If there's more than one website configured on the server, search for the website URL first, and then obtain the corresponding application ID and certificate hash.

  2. Run the following commands in the same window:

    netsh
    HTTP
    add SSLCert IPPORT=0.0.0.0:443 certhash=certhash appid=appid

    Note

    • Replace the IP address in this command (0.0.0.0) with the IP address that you want to specify. Also replace the port value with the specific port that's configured for the website. This is typically 443 for ADFS 3.0. For most customers, binding the SSL certificate to all IP addresses is recommended.
    • The appid value must include the braces.
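
The following PowerShell example is added here and is not part of the original article. It parses the output of step 1, finds the hostname binding for the ADFS URL, and prints the IP-based command from step 2 only if no such binding exists yet. The host name, certificate hash and application ID are constructed sample values, Get-SslBinding is a hypothetical helper, and English netsh output labels are assumed.

```powershell
# Added example. The netsh output below is constructed sample data; on an ADFS
# server replace it with:  $lines = netsh http show sslcert
$lines = @'
SSL Certificate bindings:
-------------------------

    Hostname:port                : sts.contoso.example:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    Hostname:port                : localhost:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
'@ -split "`r?`n"

function Get-SslBinding {
    param([string[]]$NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $current }   # emit the previous binding
            $current = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]
                                          CertHash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.CertHash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})\s*$') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

$adfsHost = 'sts.contoso.example'   # assumption: your federation service name
$port     = 443
$bindings = @(Get-SslBinding -NetshOutput $lines)
$sni      = $bindings | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -eq "${adfsHost}:$port" } | Select-Object -First 1
$fallback = $bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq "0.0.0.0:$port" } | Select-Object -First 1

if (-not $sni) { throw "No hostname binding found for ${adfsHost}:$port" }
if ($fallback -and $fallback.CertHash -eq $sni.CertHash) {
    'An IP-based binding with the same certificate already exists.'
} elseif ($fallback) {
    Write-Warning "0.0.0.0:$port is already bound to certificate $($fallback.CertHash)."
} else {
    # Printed for review, not executed. Written for Command Prompt; in PowerShell,
    # quote the appid argument so the braces are not parsed as a script block.
    "netsh http add sslcert ipport=0.0.0.0:$port certhash=$($sni.CertHash) appid=$($sni.AppId)"
}
```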

For more information about these commands, go to the following Microsoft websites:

More Information

This issue occurs when the following conditions are true:

  • You have a Windows Server 2012 R2-based server that has ADFS 3.0 installed.
  • There's a new Server Name Indication (SNI) feature in ADFS 3.0, but some platforms don't support it yet. Support for SNI depends on the operating system of the device in question. Although the clients themselves support this new feature, the device platform may not.

Note

If you need help configuring ADFS 3.0, we recommend that you contact ADFS 3.0 technical support. We also recommend that you run the most recent versions of the ADFS 3.0 components.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
