Troubleshooting UCMA

Before inspecting

Before starting the troubleshooting process, please make sure the following requirements are met:

  • Skype for Business Core components are installed on the Access Portal server

  • UCMA is installed on the Access Portal server

  • The Trusted Application is listed when running Get-CsTrustedApplication on the Front-End server

  • A valid certificate has been assigned in the Skype for Business Deployment Wizard for the Access Portal server.

  • When running Get-CsManagementStoreReplicationStatus, the Access Portal server should appear as "True". If there is no replication after configuring the script, check that replication for the Access Portal server is enabled in the topology. If running Enable-CsReplica on the Access Portal server doesn't work, run Enable-CsReplica -Force.

  • Make sure to inspect the following articles from Microsoft in case you encounter issues with the PowerShell script

Access Portal can't initialize the UCMA with the error “Unable to find the SQL database: Cannot open database "xds" requested by the login. The login failed.” in the log

Issue

The Access Portal can't access the Skype for Business database when initializing and throws the following error in the log:

Unable to find the SQL database: Cannot open database "xds" requested by the login. The login failed

Cause

The user running the Access Portal doesn't have enough permissions because it is not a member of the "RTC Component local group".

Fix

Add the user running the Access Portal (by default: iis apppool\accessportal) to the "RTC Component local group" in the local computer groups.

Access Portal can't initialize the UCMA with the error “SkypeShield.Skype.Ucma.UcmaService - Failed initializing UCMA environment with trusted application id "skype.ale.local". Error: The operation failed due to issues with Tls. See the exception for more information. (CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043).” in the log

Issue

The Access Portal can't access the Skype for Business database when initializing and throws the following error in the log:

SkypeShield.Skype.Ucma.UcmaService - Failed initializing UCMA environment with trusted application id "skype.ale.local". Error: The operation failed due to issues with Tls. 
See the exception for more information. (CertificateInfoNative::AcquireCredentialsHandle() failed; 
HRESULT=-2146893043).

Cause

The user running the Access Portal's Skype application (by default: iis apppool\accessportal) doesn't have enough permissions to access Skype because it is not a member of the group "RTC Server Local Group".

Fix

Add the user running the Access Portal (by default: iis apppool\accessportal) to the "RTC Server Local Group" in the local computer groups.
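
The two group fixes above can be checked in one pass. The script below is an added example, not part of the product or of the original page; it assumes the default application pool identity and the group names exactly as this page writes them, and it only changes membership when run with -Fix.

```powershell
# Added example: report (and with -Fix, correct) the local group membership
# that the two fixes above call for. Run elevated on the Access Portal server.
param(
    # Assumption: the page's default application pool identity.
    [string]   $Identity = 'IIS APPPOOL\accessportal',
    # Group names as written on this page; adjust if yours differ.
    [string[]] $Groups   = @('RTC Component local group', 'RTC Server Local Group'),
    [switch]   $Fix
)

# Resolve the account to a SID so the comparison does not depend on how the
# member name is displayed. This fails if the application pool does not exist.
$sidType = [System.Security.Principal.SecurityIdentifier]
try {
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType).Value
} catch {
    throw "Cannot resolve '$Identity': $($_.Exception.Message)"
}

foreach ($group in $Groups) {
    try {
        $memberSids = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
            ForEach-Object { $_.SID.Value })
    } catch {
        Write-Warning "Cannot read '$group': $($_.Exception.Message)"
        continue
    }

    $isMember = $memberSids -contains $sid
    $action   = 'none'
    if (-not $isMember -and $Fix) {
        Add-LocalGroupMember -Group $group -Member $Identity -ErrorAction Stop
        $isMember = $true
        $action   = 'added'
    }

    [pscustomobject]@{
        Group    = $group
        Identity = $Identity
        IsMember = $isMember
        Action   = $action
    }
}
# A running worker process keeps its old token: recycle the application pool
# after a change so the new membership takes effect.
```

Running it without -Fix first gives a record of what the identity was already a member of, which keeps the change limited to the two groups this page names.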

Access Portal can't initialize the UCMA with the error “SkypeShield.Skype.Ucma.UcmaService EXECUTING USER: NOT AVAILABLE - Failed initializing UCMA environment with trusted application id "as1.setup16.loc".  Error:Application with id(as1.setup16.loc) not found or a default port has not been configured for it” in the log

Issue

The Access Portal can't access the Skype for Business database when initializing and throws the following error in the log:

SkypeShield.Skype.Ucma.UcmaService EXECUTING USER: NOT AVAILABLE - Failed initializing UCMA environment with trusted application id "as1.setup16.loc". Error:
Application with id(as1.setup16.loc) not found or a default port has not been configured for it

Cause

The Skypeshield Trusted Application name is mistyped or not configured in the Access Portal, or it does not exist in the topology.

Fix

  1. Verify that the Application ID of the Trusted Application exists in the topology by running the following command on the Front-End server:

    Get-CsTrustedApplication

    It should return output like the following:

    Note the name marked in green for the following step.


  2. Make sure the details of the topology are correct in the Access Portal configuration under [Settings] > [General]

The Access Portal is able to communicate with the Skype for Business infrastructure but the Maintenance Service is unable to pull users

Issue

The UCMA is able to initialize properly and send impersonated messages, but always pulls 0 contacts for the user.

Checking using the UCMA Utility

The installation package comes with a UCMA testing utility, located by default under:

C:\agat\SpehereShield.Setup\Payload\Tools\UcmaUtility


It is required to shut down the Access Portal and Maintenance Service while testing with the UCMA Utility.


In the utility, enter the details relevant to the domain and user, and run fetch contacts:

On the output, you should find a record like the following line:

GetUserContactList <[user@domain.com]> found 0 contacts


Checking in the logs

Deployment without SIP Filter on the Front-End

The logs can be found on the server hosting the Access Portal, either in the IIS folder in

C:\inetpub\AccessPortal\Logs\EW\

or in the Maintenance Service

C:\Agat\Logs\MaintenanceService\EW


Deployment with SIP Filter on the Front-End

By default, the logs can be found on the Front-End server under the following folder or the folders mentioned above:

C:\agat\logs\Skypeshieldsipfilter\EW

Cause

Unified Contact Store must be disabled on the Skype for Business Front-End pool in order for Contact List based policies to work.

Fix

To check this, verify that the output of the following command is "False":

$(Get-CsUserServicesPolicy -Identity global).UcsAllowed

If the Unified Contact Store is enabled (i.e. the result of the previous command is True), run the following commands:

Set-CsUserServicesPolicy -Identity global -UcsAllowed $False
Invoke-CsUcsRollback -Identity "User"


More information regarding the Unified Contact List can be found in the following documentation from Microsoft
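
To tie the log check and the policy check together, the following added example (not part of the product or of the original page) finds users whose contact fetch returned 0 and lists every user services policy that still allows Unified Contact Store. It goes beyond the global policy checked above by also covering site and per-user policies; the log line layout, plain-text log files and the sample lines are assumptions.

```powershell
# Added example; the sample lines and the log line layout are assumptions.
function Find-EmptyContactFetch {
    param([string[]] $Line)
    # Accepts both "<user@domain>" and the "<[user@domain]>" form shown above.
    $pattern = 'GetUserContactList <\[?(?<user>[^\]>]+)\]?> found (?<count>\d+) contacts'
    foreach ($l in $Line) {
        if ($l -match $pattern -and [int]$Matches['count'] -eq 0) { $Matches['user'] }
    }
}

function Get-UcsEnabledPolicy {
    # Needs the Skype for Business Management Shell. Without -Identity the cmdlet
    # returns every policy, so site and per-user policies are checked as well.
    Get-CsUserServicesPolicy | Where-Object { $_.UcsAllowed } |
        Select-Object Identity, UcsAllowed
}

# Constructed sample input (not taken from a real log).
$sample = @(
    'GetUserContactList <alice@example.com> found 0 contacts',
    'GetUserContactList <bob@example.com> found 12 contacts',
    'GetUserContactList <[carol@example.com]> found 0 contacts'
)
Find-EmptyContactFetch -Line $sample

# Log folders named on this page; only those present on this server are read.
$folders = 'C:\inetpub\AccessPortal\Logs\EW\', 'C:\Agat\Logs\MaintenanceService\EW',
           'C:\agat\logs\Skypeshieldsipfilter\EW' | Where-Object { Test-Path $_ }
if ($folders) {
    $lines = Get-ChildItem -Path $folders -File -Recurse | Get-Content
    Find-EmptyContactFetch -Line $lines | Group-Object -NoElement |
        Sort-Object Count -Descending
}

if (Get-Command Get-CsUserServicesPolicy -ErrorAction SilentlyContinue) {
    Get-UcsEnabledPolicy   # any row here means UCS is still allowed somewhere
}
```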
