Before Inspecting
Before starting the troubleshooting process, please make sure the following requirements are met:
Skype for Business Core components installed on the Admin Portal server
UCMA Installed on the Admin Portal server
the Trusted Application exists if running Get-CsTrustedApplication on the front end
A valid certificate has been assigned in the Skype for Business Deployment Wizard for the Admin Portal server.
When running Get-CsManagementStoreReplicationStatus, the Admin Portal server should appear as "True" (In case there's no replication after configuring the script, check if replication for the Admin Portal server is enabled in the topology, if running Enable-CsReplica on the Admin Portal server doesn't work, run Enable-CsReplica -Force)
Make sure to inspect the following articles from Microsoft in case you encounter issues with the Powershell script
Validate the deployment using the UCMA Utility
The Installation package comes with a UCMA testing utility under:
C:\agat\SpehereShield.Setup\Payload\Tools\UcmaUtility |
It is required to shut down the Admin Portal and Maintenance Service while testing with the UCMA Utility
In the Utility enter the details relevant to the domain and user and run fetch contacts:
Validating IM
Set the proper configuration and run Send IM.
It takes up to 10 seconds until the message is received
Validating Contact List integration
Put a proper user SIP address with contacts under the option [User SIP]
Click Fetch Contacts
Verify you see in the output
GetUserContactList <[user@domain.com]> found [number of contacts] contacts
Issues
Admin Portal can't initialize the UCMA with the error “Unable to find the SQL database: Cannot open database "xds" requested by the login. The login failed.” in the log
Issue
The Admin Portal can't access the Skype for Business database when initializing and throws the the following error in the log:
Unable to find the SQL database: Cannot open database "xds" requested by the login. The login failed |
Cause
The user running the Admin Portal doesn't have enough permission due to not being part of the "RTC Component local group"
Fix
Add the user running the Admin Portal (by default is: iis apppool\accessportal) to "RTC Component local group" in the local computer group.
Admin Portal can't initialize the UCMA with the error “SkypeShield.Skype.Ucma.UcmaService - Failed initializing UCMA environment with trusted application id "skype.ale.local". Error: The operation failed due to issues with Tls. See the exception for more information. (CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043).” in the log
Issue
The Admin Portal can't access the Skype for Business database when initializing and throws the following error in the log:
SkypeShield.Skype.Ucma.UcmaService - Failed initializing UCMA environment with trusted application id "skype.ale.local". Error: The operation failed due to issues with Tls. See the exception for more information. (CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043). |
Cause
The user running the Admin Portal's Skype application(by default is: iis apppool\accessportal) doesn't have enough permissions to access the Skype in due to not being part of the group "RTC Server Local Group"
Fix
Add the user running the Admin Portal (by default is: iis apppool\accessportal) to "RTC Server Local Group" in the local computer group.
Admin Portal can't initialize the UCMA with the error “SkypeShield.Skype.Ucma.UcmaService EXECUTING USER: NOT AVAILABLE - Failed initializing UCMA environment with trusted application id "as1.setup16.loc". Error:Application with id(as1.setup16.loc) not found or a default port has not been configured for it” in the log
Issue
The Admin Portal can't access the Skype for Business database when initializing and throws the following error in the log:
SkypeShield.Skype.Ucma.UcmaService EXECUTING USER: NOT AVAILABLE - Failed initializing UCMA environment with trusted application id "as1.setup16.loc". Error: Application with id(as1.setup16.loc) not found or a default port has not been configured for it |
Cause
The Skypeshield Trusted Application name is typed wrong or not configured in the Admin Portal or does not exist in the topology
Fix
Verify that the Application ID of the Trusted application exists in the topology by running the command at the Front-End server
Get-CsTrustedApplication
It should return output like the following
Note the name marked in green for the following step
Make sure the details of the topology are correct in the Admin Portal configuration under [Settings] > [General]
The Admin Portal is able to communicate with the Skype for Business infrastructure but the Maintenance Service unable to pull users
Issue
The UCMA is able to initialize properly and send impersonated messages but always pull 0 contacts of the user
Checking using the UCMA Utility
Check Fetch contact using the instruction for using UCMA Utility
On the output, you should find a record like the following line:
GetUserContactList <[user@domain.com]> found 0 contacts |
Checking in the logs
Deployment without SIP Filter on the Front-End
The logs will be found on the server hosting the Admin Portal either on the IIS folder in
C:\inetpub\AccessPortal\Logs\EW\ |
or in the Maintenance Service
C:\Agat\Logs\MaintenanceService\EW |
Deployment with SIP Filter on the Front-End
The logs can be found by default in the Front-End server under the folder or the folders mentioned above
C:\agat\logs\Skypeshieldsipfilter\EW" |
Cause
Unified Contact Store must be disabled on the Skype for Business Frontend pool in order for Contact List based policies to work
Fix
This can be checked by validating the output of the following command is set to "False"
$(Get-CsUserServicesPolicy -Identity global).UcsAllowed |
Run the following command in case the Unified Contact Store is enabled(i.e. the result of the previous command is set to true)
Set-CsUserServicesPolicy -Identity global -UcsAllowed $False Invoke-CsUcsRollback -Identity "User" |
More information regarding the Unified Contact List can be found in the following documentation from Microsoft