Skype UC Phones Won't Log In - TLS 1.0
Updated: Jul 7, 2021
After a year of working from home, making changes to our network, security, infrastructure, our UC Skype phones decided to not let a different user sign into them.
We would receive this error when trying to sign in:
Well, what changed caused this?? Only the Skype Gods know....
Current, logged in phones work. You can log out of a current logged in phone and log it back in with the same extension. But you cannot log it in with a different extension.
What I have done so far:
Read everything by the infamous Jeff Schertz. He's seriously amazing and documents how to troubleshoot UC Phones extensively. This blog was very helpful http://blog.schertz.name/2012/03/troubleshooting-lync-phone-edition-issues/.
One of the first steps to do when you start troubleshooting is to run Test-CSPhoneBootstrap. Unfortunately, (I don't say this often) there were no errors. This one time, I wanted an error. Something to go off of at least.
One change, that is always worrisome....certificates. I did update the Skype Server certificate earlier this year. I had hoped that was my issue! But everything seems to be set up correct. I can see the phones are getting the correct certificate.
Next step, logs...
I started with Polycom phone logs. These logs are meant for Polycom support technicians, but I had zero luck getting any help from them to understand what was going on. So it was up to me! Luckily, Jack Stromberg showed me the way https://jackstromberg.com/2013/09/how-do-i-analyze-log-files-off-polycom-phones/ .
After a week of going through logs and logs and logs, researching every error, I was lead down the rabbit hole of DHCP.
Unfortunately....yet again....our DHCP options were correct. Again, another instance where I just need something to go off of.
And nothing against my love of Skype for Business, but the logs for phones on the servers, were very little, to no help.
One change that was done, right before the pandemic, was a firmware update on the phones. I followed the correct process though! Tested the update on 2 phones, logged in and out with different extensions, waited a week before pushing the update to all the phones. Everything seemed to have gone well! Then...we didn't enter our buildings, change phones, add phones for almost a year.
After a lot of time and energy on this issue. We finally figured out it was a tls 1.0 issue. By using a different Poly brand phone that supports tls 1.2. Microsoft did depreciate 1.0 support. https://docs.microsoft.com/en-us/lifecycle/announcements/transport-layer-security-1x-disablement. But I could not figure out, where in our company, this had been disabled. Truth is, we never did find out where it is getting blocked. Which is a problem for moving to TeamsOnly using the Admin center as well (search for related blog post). But this issue turned out to be a blessing in disguise! I started to question the need for physical phones anymore. With enterprise voice, we carry our phones on our laptops, why not just plug in a usb, Teams/Skype support external speaker, join your meeting on your laptop and be done! So that is where we are going! It's always good to question what is 'usual' or 'normal' and ask why?