Select Page

Skype for business 2015 – Cumulative Update List – September 2015

Here is a precise list of what is on S4B Updates.

Latest Skype for business update download :


Do not forget to run the Install-CsDatabase cmdlet!

Cumulative Update S4B Server Version Date Released Associated KB Security bulletin Updates Server to Apply Resolutions
RTM 6.0.9319.0 RTM NA     All S4B Servers  
CU 1 6.0.9319.55 June 2015 3061059     All S4B Servers  
CU 2 6.0.9319.72 September 2015 3061064 MS15-104 Core Components
UCMA 5.0
Front End Server and Edge Server
Conferencing Server
Web Components Server
Web Conferencing Server
Mediation Server
Call Park Service
Backup Service
Central Management Server
Windows Fabric
Bandwidth Policy Service
Conferencing Attendant
Response Group Service
All S4B Servers Windows 10 users who use Edge can’t join a meeting from Skype for Business Web App.


Skype for Business 2015 – Server Prerequisites

Here are a few prerequisites needed for each Skype for business server installation:

Windows PowerShell 3.0 Download
Microsoft .NET Framework 4.5 Download
Windows Identity Foundation
Remote Server Administration Tools




Netscaler ADC : Kerberos Authentification with KCD

I will tried to give some key point you must to accomplish to configure your Netscaler. KCD for Kerberos Constraint Delegation can authenticate your user using service account to deliver TGT. This TGT will be use for SSO and to authenticate the user to the backend server (e.g. : Exchange or web server).


Prepare Netscaler and Service Account

To start this configuration some prerequisite must be implement before you start configuration :

  • NTP server must be set to synchronise time from the PDC
  • DNS resolution must be implement
  • LDAP authentication must be also setup on a AAA vserver
  • KCD Service Account

This Service Account must be correctly configure.

Create your service account like normal user using Active Directory tool. Once your user is setup you must configure the SPN and generate keytab file. This keytab file will be use to upload configuration to the Netscaler. This is the simple way to setup KCD on the Netscaler.

Script like this (.bat) can be generate by the Netscaler in KCD tab :

Once you have this script you must use to a CMD into your Domain Controller with sufficient right to launch it and set the service account.

You can check directly after if the configuration is correct.



On the second capture, you must add HOST and HTTP (host is clearly not mandatory if you use only HTTP).


Setup KCD into the Netscaler

After you configure the KCD account to your LDAP, you must configure AAA vserver. For this you must follow this step :
1 – add KCD account to the Netscaler

Screen Shot 2015-05-02 at 00.30.54

2 – Create a session policy (or Traffic policy bound globally)

First, setup the profile

Screen Shot 2015-05-02 at 00.33.08

Second, setup the policies :

Screen Shot 2015-05-02 at 00.33.24

3 – Configure your AAA vServer, in my example I using the same  I used for LDAP authentication. So you juste need to add your Session profile.

Screen Shot 2015-05-02 at 00.36.57
4 – Traffic policies You must bind globally but be aware about priority and what you applied it, used regular expression  !

Screen Shot 2015-05-02 at 00.39.55

Screen Shot 2015-05-02 at 00.41.03


You can use the following expression to match the URL :


Third configure your Loadbalancing Server

No much thing to know (bind to your vServer your AAA vserver). The only thing your need to be carreful :

When you create the server, used FQDN and don’t used IP address ! if not you can have this kind of problem and unable to connect to your backend server after LDAP authentication :




Two thing to know for troubleshoot KCD to the Netscaler.

First you will use LDAP authentication on primary authentication so you can troubleshoot it with this command (in SSH session on your active Netscaler) :

Second LDAP seems to be work but nothing happen like expect. Try this following command it is a special command to troubleshoot Kerberos :

Netscaler ADC : Certificate authentication with AAA vserver

The implementation of Netscaler can sometimes be a bit technical. If you add strong authentification needs with double factor, then you have a nice challenge!

You need to ask yourself the good questions first to deploy a strong authentification solution by certificate via Netscaler in order to avoid loosing time and getting the necessary details at the right time:

  1. Internal Root & Intermediate certification to instal on Netscaler
  2. Do not forget to bind them together (Root & intermediate)
  3. Which username does the user use to log in? (UserPrincipalName, other?)
  4.  Is this username present on the certificate?
  5. An Ip address (public) with its A record (public) for the vserver AAA provided for the authentification by certificate.
  6. The authentification by LDAP has already been configured? If no, start from there 🙂
  7. Finally, if you do your authentification with the UserPrincipalName for the certificate and you ask for SamAccountName in the LDAP, this won’t work. Therefore, it is possible that you will have to configure a specific policy for the LDAP so that it logs in with the right field.

Then the implementation is simple and looks like the standard methodology of a AAA vserver setup and an application published by Netscaler.

Create a new server with value :

Create a simple policy :

Your authentication’s type is created. Do not forget that the LDAP must also be configured to be able to configure it my way.

Then it is necessary to create a traffic policy to avoid problems of double authentification on your websites. Values are quite easy.


The final thing to do is to create the server AAA. Nothing is complicated but you need to be careful to three things.

1 – The bind of LDAP and CERT :

2 – The root certificate bound to the AAA vserver :

3 – The process to get the certificate for authentification :

Dans les SSL Parameters n’oubliez pas de configurer le champ Client Certificate.

Do not forget to configure the Client Certificate field in the SSL Parameters .

Screen Shot 2015-04-21 at 00.24.15

If the setup is correct then you can reach your server. After the client certificate, the username field will be automatically filled in and cannot be modified.

Screen Shot 2015-04-21 at 00.22.24

For the troubleshooting : the SSH and the Netscaler shell will give you the necessary details :

Lync 2013 – Oauth On-Premises (Lync Server 2013 and Exchange 2013)

What is this?

Since Lync Server 2013, there is a new prerequisite on the Lync Servers for Exchange 2013 interconnection: This will allow you to use :

  • Unified Contact Store (UCS)
  • Exchange OWA IM and presence Integration

Windows Identity Foundation

  “It’s a new extension to the Microsoft .NET Framework that makes it easy for developers to enable advanced identity capabilities in the .NET Framework applications.” This feature has been created to support server to server authentication. It is used by and Windows Communication Foundation applications. (In our situation, by Lync server 2013 and Exchange Server 2013)   In order to configure Oauth, you must do two things:

  • Assign a certificate to Lync Server’s
  • Set Exchange as a partner application.

Please note : “It should also be pointed out that you do not need to use server-to-server authentication: server-to-server authentication is not required in order to deploy Lync Server 2013. If Lync Server 2013 does not need to communicate with other servers (such as Exchange 2013) then server-to-server authentication is not needed.” Source   Also note that “your Lync Server 2013 default certificate can also be used as the OAuthTokenIssuer certificate” Source


There is two ways to install the WIF : Windows Server 2008 R2    Install with the Windows Identity Foundation (KB974405) installer.   Windows Server 2012    Server Manager Go to Add Roles and Features Wizard, select Features. Select Windows Identity Foundation 3.5 from the list. Click Next, then click Install.   Powershell

Once WIF has been installed you can run Deployment Wizard and Assign the Lync default certificate to Oauth certificate.


Description of Windows Identity Foundation ( Microsoft TechNet – Lync Server 2013 (

Lync 2013 Server – Cumulative Updates List – September 2015

I needed a precise list of what is on Lync Updates so I managed to insert every useful data in one table.

As well, I give you a simple script which allows you to get the CU version on the Lync Server actually deployed.

Latest update download :


Do not forget the Install-CsDatabase cmdlet if you install the Cumulative Update from October.

Security Update5.0.8308.927September 20153080353Update for Web Components Server

Cumulative Update Lync Server Version Date Released Associated KB Updates Server to Apply
CU 1 5.0.8308.291  February 2013  2781547 Address Book Web Query service
ABS databases
location policy
CU 2 5.0.8308.420  July 2013  2819565 Update for Persistent Chat server
Update for Conferencing server
Update for Unified Communications Managed API 3.0 Workflow APIs
CU 3 5.0.8308.556 October 2013  2881684 Update for Mediation server
Update for Conferencing Announcement
Update for Call Park Service
CU 4 5.0.8308.577 January 2014  2910244 Update for Backup Service
Update for Central Management Server
CU 5 5.0.8308.738 August 2014  2937310 Update for Windows Fabric
Update for Web Conferencing server
Update for Administrative Tools
CU 6 5.0.8308.815 September 2014  2987510 Update for Conferencing Attendant
Update for Core Components
Update for Web Components server
Update for Unified Communications Managed API 4.0, Core Runtime 64-bit
Update for Standard or Enterprise Edition server (Front End Servers and Edge Servers)
CU 7 5.0.8308.831 October 2014 3001616 Update for IM
CU 8 5.0.8308.834 November 2014 3010032 Update for
CU 9 5.0.8308.857 December 2014 3018158 Update for
CU 10 5.0.8308.871 February 2015 3031061 Update for Conference Service
Update for Conference Service
CU 11 5.0.8308.887 May 2015 3051949 Update for URL filter policy (“http://” not filtered)
CU 12 5.0.8308.920 July 2015 3066655 Update for XMPP Gateway
Update for XMPP Proxy
Update for Application Host
Update for Audio Test service
Update for Core Management Server
Update for Backup Service
Update for Unified Communications Managed API 4.0 Runtime
Update for web components server
Update for core components
Update for Call Park service
Update for Conferencing Announcement
Update for Conferencing Attendant
Update for Mediation Server
Update for Administrative Tools
Update for Web Conferencing server
Update for UCMA 3.0 Workflow APIs
Update for Conferencing Server
Update for Persistent Chat
Update for Bandwidth Policy service
Update for Reponse Group Service
Standard Edition server
Enterprise Edition – front-end server and back-end server
Edge server
stand-alone Mediation server
Director server
Persistent Chat front-end server
Administration Tools
Security Update 5.0.8308.927 September 2015 3080353 – MS15-104 Update for Web Components Server


Lync – Get-MCsPool

When you look for a simple way to get all Lync Server topology, you probably will do a Get-CsPool command. But here, you don’t see the sites and the output is not coming in a easily readable way.

The script below will let you Show all information at once.

Get-MCsPool will show you your infrastructure in an easy way :



Communication Server versions tested
Office Communication Server 2007
Microsoft Lync Server 2010 OK
Microsoft Lync Server 2013 OK


Lync 2013 – Activate Unified Contact Store


This post will explain the Unified Contact Store on Microsoft Lync 2013 and Exchange 2013 deployments.


What is this?

This is a feature who will share the contacts between all the Microsoft Office products. In fact, it will store all contact information in Exchange 2013 and make it available for :

  • Lync Client 2013
  • Exchange 2013
  • Outlook 2013
  • Outlook Web Access 2013

This makes the contacts available globally in the organization.



You must be running Microsoft Lync Server 2013 and Exchange 2013.

  • Users must use Lync 2013 to initiate the migration of contacts from Lync Server 2013 to Exchange 2013.
  • User mailboxes must be migrated to Exchange 2013.
  • You must have server-to-server authentication (Oauth) configured between Lync Server 2013 and Exchange 2013.
  • Lync 2010 Client and older versions will not be able to work with UCS (they can only read contacts).

I will explain the process of creating an Oauth partnership with Exchange 2013 in my next post.


Ensure you get all the prerequisites before activating.

In order to test it, create a User Policy that you will assign to you before enabling everyone :

After you see everything is working fine, you can activate UCS for all users, you only need to change the Global User Service Policy using PowerShell:




On outlook 2013, got to Contacts and verify you have the Lync Contacts folder as in the picture :


UCS Outlook

On Lync Client, check the Lync Configuration Information page (Pres Ctrl and right click the Lync icon, then go to Configuration Information).

It may be an entry named Contact List Provider. It may have changed to UCS instead of Lync Server.


UCS Lync Configuration Info