Skype for Business Hybrid pt.1

I’m sure there will be many more parts to this as O365 is ever “evolving”, euphemism for “it’s bloody different every time I go in there…”

While recently trying to connect an OnPrem Skype environment to a company’s Online counterpart, aka setting up Skype4b Hybrid, I ran into this lovely error:

Get-CsWebTicket : Failed to connect live id servers.  Make sure proxy is enabled or machine has network connection to live id servers


After verifying and re-verifying numerous items like: connectivity; access portal to verify password; review every PowerShell command; DNS entries; confirm moving csusers via PowerShell; and moon phases, it was time to contact support. A week later, plus 2-4 engineers (who can keep track), I get the knowledgeable one.

Run these 3 commands, from an As Administrator CMD prompt, not PowerShell:

ICACLS %windir%\System32\config\systemprofile\AppData\Local /grant *S-1-5-20:(OI)(CI)(RA)

ICACLS %windir%\System32\config\systemprofile\AppData\Local\Microsoft\MSOIdentityCRL /grant *S-1-5-20:(OI)(CI)(IO)(F)

%windir%\system32\inetsrv\appcmd recycle apppool /

Good to go after that, no more problems signing in, and was able to complete the “Set up Hybrid with Skype Online” wizard, plus move users up and down without the use of Skype PowerShell.

This is potentially an issue with CU-259, not sure when it began or when it will be fixed, but the above commands appear to apply a missing/broken ACL.
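To see what the two ICACLS commands change, the read-only check below lists the access entries held by S-1-5-20 (the well-known SID for NETWORK SERVICE) on both folders, so it can be run before and after the fix. It is an added example, not part of the original post or of Microsoft's guidance; the function name Get-NetworkServiceAce is made up for illustration, and it assumes an elevated PowerShell session on the Front End server.

```powershell
# Added example: lists the ACEs NETWORK SERVICE (S-1-5-20) holds on the two
# folders touched by the ICACLS commands above. It reads ACLs only and changes nothing.
# Get-NetworkServiceAce is a hypothetical helper name, not a Skype or Microsoft cmdlet.
function Get-NetworkServiceAce {
    param(
        [string[]]$Path = @(
            "$env:windir\System32\config\systemprofile\AppData\Local",
            "$env:windir\System32\config\systemprofile\AppData\Local\Microsoft\MSOIdentityCRL"
        )
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        # Same columns for every row so Format-Table lines up.
        $row = [ordered]@{ Path = $p; Status = $null; Rights = $null
                           Inheritance = $null; Propagation = $null; Inherited = $null }
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            # Folder is absent, so there is no ACL to inspect yet.
            $row.Status = 'FolderMissing'
            [pscustomobject]$row
            continue
        }
        # Request explicit and inherited rules with identities returned as SIDs,
        # so the match does not depend on a localized account name.
        $aces = @((Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' })
        if ($aces.Count -eq 0) {
            $row.Status = 'NoAceForNetworkService'
            [pscustomobject]$row
            continue
        }
        foreach ($ace in $aces) {
            $row.Status      = [string]$ace.AccessControlType  # Allow or Deny
            $row.Rights      = $ace.FileSystemRights           # rights carried by this entry
            $row.Inheritance = $ace.InheritanceFlags           # ICACLS (OI)(CI)
            $row.Propagation = $ace.PropagationFlags           # ICACLS (IO) is InheritOnly
            $row.Inherited   = $ace.IsInherited                # False for an explicit grant
            [pscustomobject]$row
        }
    }
}

Get-NetworkServiceAce | Format-Table -AutoSize -Wrap
```

A row with Status NoAceForNetworkService before the fix and an Allow row with Inherited False afterwards is what a newly applied explicit grant looks like.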

Special shout out to Arran on his article for Online-to-Onprem setups. His section on getting the already Online users enabled in the newly created Onprem system saved my bacon:

Additional note for Skype Hybrid setups, when creating the new CSHostingProvider, check your Skype Online Admin Panel. If the URL is, your Autodiscover URL on your hosting provider will likely change to after you’ve completed the “Set up Hybrid with Skype Online” wizard. At least that’s my experience every time. Doesn’t matter much, just being petty I’m sure, but next time I’ll be trying this command out instead, assuming it’s admin1a again.

New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl


2 thoughts on “Skype for Business Hybrid pt.1”

  1. Exact same issue here, commands worked a treat. However, when running initially, the first command stated it could not find the required file. Rebooted the FE and ran again; it then worked. Many many thanks for sharing. Like the comment about “it’s bloody different every time I go in there”!

