
Lync on premises - Some functionality broken after enabling SSO and dirsync

This question is not answered

I hope someone can assist me because I can't seem to figure this one out. Here's my situation:


I have an on-premises Lync server that we've been using for several years (upgraded from OCS 2007). This server has public IM federation, as well as open federation and explicit federation to Everything used to work fine, including communication with outside federated domains, both on-premise and those using Lync Online.


I was recently asked to configure single sign-on and dirsync on our domain, so we could use SharePoint Online. Our Lync is integrated with our phone system, so we can't use Lync Online, it has to remain on-premise. After configuring SSO and dirsync (no change to the DNS yet!), some Lync errors popped up.


In particular, we can't seem to view presence information for outside users using Lync Online. IM works, but most things like desktop sharing and audio are only working one way. If a user using Lync Online wants to share his desktop, it works fine. But if a user from our inside organization tries to share his desktop with a Lync Online user, it fails with "A screen sharing error occured". Yet, everything is still working for non Lync Online external users (other companies with their own servers). Since there was no DNS change, I can't figure what the problem might be. Does anyone have any idea?


Edit: it seems that when I try to do a desktop sharing request to a Lync Online user, replies with 403 Forbidden. Interesting...

All Replies
  • Hi mafortier,
    According to your description, you need to check your Lync Online configuration, including making sure that domain federation is enabled in the Lync Online Control Panel for both the tenant and the individual user. For more information about how to configure domain federation, see the following Office 365 Help topic: And check your network for Lync Online with the help from

    Best Regards
    Martin Xu
    Microsoft Office 365 Support

  • I guess I didn't explain properly. We are *not* using Lync Online in any fashion. The problem is with external federated users who are using Lync Online.

  • Hi Mafortier,

    Lync technology does not support coexistence between Lync Online and Lync Server using a single domain. Therefore, it is not possible to deploy a subset of users in Lync Online and other users on-premises using a single domain name. Lync federation can be used to enable users to communicate between Lync Online and Lync on-premises deployments, using different domain names.

    For more information, see Microsoft Lync™ Online for Enterprises Service Description page 18.

    If the external federated user who is using Lync Online is using a different domain from yours, to troubleshoot the issue, you can refer to the article:

    Monica Tong

  • Hi mafortier,
    Did our answers help you? Let us know if you need further assistance from us.

    Best Regards
    Martin Xu
    Microsoft Office 365 Support

    0 out of 1 people found this post helpful.

  • No, your answer does not help me. I'll explain again: we are *not* using Lync Online, and we have no plan to use Lync Online. Not for any of our users. We are using our on-premise Lync servers, which we want to keep using. The only part of Office 365 we want to use is SharePoint and potentially Exchange down the road.

    My problem is that, since I enabled single-sign on for our domain, our Lync users aren't able to communicate with users from other organizations who are using Lync online. It used to work fine before, but now federation with Office 365 seems broken. Direct federation with other organizations that aren't using Lync Online still works. If I try to, for example, start a desktop sharing session with an Office 365 user, returns a 403 SIP error and the request fails. Similarly, we can't view their online status or pretty much do anything with them.

    I hope this clarifies my problem better.

  • Hello Mafortier,

    So let me summarize your issue to make sure I fully understand where you are coming from.

    You are running a Lync On-Premises Server that you recently set up DirSync and SSO on.  Once you set up these services on your server you are now having issues when you attempt to Desktop Share with a Federated contact.  The federated contact can Desktop Share to you but you are unable to Desktop Share to them.  You are also experiencing issues seeing the presence of Federated contacts.  Since the setup of DirSync and SSO you have not changed any other settings within your network.

    The issue sounds to be a problem with your Lync On-Premises Server being able to communicate properly with the Cloud.  Since your Lync On-Premises Server/network is the common link between the various users you have attempted this with, the issue sounds to be with your server/network not within the Cloud.

    Make sure within your network configuration all of the ports required for communication to Lync Online and Office365 are open and not blocked.  Here is a link to all of the network configurations required for Lync On-Premises:;en-US;2409256

    The only other option I can suggest, since this is the Community forum for Lync Online issues, is to contact Lync On-Premises Support @ 1-800-936-4900 if you require any further support.  I will keep this Forum post open, just in case an On-Premises agent does decide to provide you with support on here.

    Charlie Gaither
    Microsoft Lync Online Support

  • The federation with Office 365 users was working perfectly before I activated the SSO, so it's definitely related to Lync Online somehow. I suspect that some Active Directory fields used by our Lync on-premise were replicated to the online directory, causing some confusion with the Lync Online services, which now thinks that our users are activated on Lync Online or some such.

  • Hello Mafortier,

    As stated in my previous post, this is an issue that you are experiencing with your Lync On-Premise setup.  This Community Forum is intended for support for issues regarding accounts that are within Lync Online only.  If you do require support for your issue you will need to contact Lync On-Premise Support @ 1-800-3-936-4900.

    Charlie Gaither
    Microsoft Lync Online Support

  • Mafortier,

    Off the SSO topic, but related FYI,  I've experienced this problem since Lync Online was rolled out.  Any communications from a Lync Online to an On Premise Lync Server seem to be inconsistent at best.  Usually, it has intermittent problems with Audio, Video and Desktop Sharing. Presence can be affected, too, but IMs almost always work.

    Lync On Premise to Lync On Premise - internal, external, AND federated - works best.  

    Lync Online to Online usually works OK, but can be intermittent.

    Federation with other Lync Online users is about the same as same domain Lync Online users.  

    Lync On Premise to Lync Online is almost always problematic. (I don't recommend important Video conferences on that scenario.)

    I was shocked today when I did a fairly long Audio conference call between several Lync On Premise and several Lync Online Federated users and it worked flawlessly the entire time.

    I have a customer that has an On Premise Lync Server and a completely separate Office 365 account for a subsidiary. Many of them use both.  They prefer the On Premise system.  Their observation: 'It works better.'   (And they don't like that they can't make PSTN calls from the Office 365 system.)

    Overall, On Premise Lync Server is more robust than Lync Online, IMO.  On Premise to Online might work today, and might not work tomorrow. It's frustrating, but I'll have to admit it's getting better than it was a year ago.  Microsoft appears to be throwing money at the Lync Online problems which I'm pretty sure is related to latency due to congestion (you know how SharePoint can slow to a crawl from time to time).  Lync hates that and doesn't work properly on anything s.l.o.w.

    You just increased your Office 365 traffic by adding SSO.  Might that be part of the problem?

  • We had run into the same problem, and ended up opening a support case with PSS. It bounced around inside Microsoft support for 3 months, when we finally got an Office 365 engineer who recognized the problem. You need to enable Lync federation within your Office 365 tenant domain, even if you are fully on-prem for Lync and not using Lync Online. Once we did this, the 403 Forbidden errors disappeared and full functionality between our on-prem Lync and Office 365/Lync Online resumed.

    1 out of 1 people found this post helpful.