Skip to main content

Skype for Business Hybrid – Part 1

I’m sure there will be many more parts to this as O365 is ever “evolving”, euphemism for “it’s bloody different every time I go in there…”

An issue I recently hit when trying to connect an OnPrem Skype environment to a company’s Online counterpart, aka setting up Skype4b Hybrid, I ran into this lovely error:

Get-CsWebTicket : Failed to connect live id servers.  Make sure proxy is enabled or machine has network connection to live id servers


After verifying and re-verifying numerous items like: connectivity; access portal to verify password; review every powershell command; DNS entries; confirm moving csusers via PowerShell; and moon phases, it was time to contact support.  A week later, plus 2-4 engineers (who can keep track), I get the knowledgeable one.

Run these 3 commands, from an As Administrator CMD prompt, not PowerShell:

ICACLS %windir%\System32\config\systemprofile\AppData\Local /grant *S-1-5-20:(OI)(CI)(RA)
ICACLS %windir%\System32\config\systemprofile\AppData\Local\Microsoft\MSOIdentityCRL /grant *S-1-5-20:(OI)(CI)(IO)(F)
%windir%\system32\inetsrv\appcmd recycle apppool /

Good to go after that, no more problems signing in, and was able to complete the “Set up Hybrid with Skype Online” wizard, plus move users up and down without the use of Skype PowerShell.

This is potentially an issue with CU-259, not sure when it began or when it will be fixed, but the above commands appear to apply a missing/broken ACL.

Special shout out to Arran on his article for Online-to-Onprem setups.  His section on getting the already Online users enabled in the newly created Onprem system, saved my bacon:

Additional Note

Skype Hybrid setups, when creating the new CSHostingProvider, check your Skype Online Admin Panel.  IF the URL is, your Autodiscover URL on your hosting provider will likely change to after you’ve completed the “Set up Hybrid with Skype Online” wizard.  At least that’s my experience every time.  Doesn’t matter much, just being petty I’m sure, but next time I’ll be trying this command out instead, assuming its admin1a again.

New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl

Looking for more?

Imaginet can help with Skype for Business servicing, planning, updating and scaling. View more about our offers below!

View More

View the original post here:

Korbyn Forsman

Korbyn is a Microsoft Unified Communication (UC) Technical Director with over 15 years of extensive hands on experience with communication, collaboration and telephony solutions. Korbyn possesses in-depth knowledge of the latest technologies and best practices, specifically with the Microsoft Unified Communications platform. He has a tremendous UC project experience having worked on the strategy, design, architecture and implementation of highly complex global deployments of Lync, Exchange and OCS solutions. Korbyn‘s technical leadership and business acumen often have him speaking as an industry leader at Microsoft events.

Leave a Reply

Let‘s Talk.

Let's talk!