Skype for Business Server 2019 Modern Admin Control Panel (MACP)

Error: When launching the MACP at https://<your pool FQDN>/MACP, the admin is unable to log in and receives the error “User has insufficient permission”.

Since IE is retired and Silverlight is a deprecated and outdated technology, the old SFB control panel at https://<pool of FQDN>/cscp is no longer accessible.

MS articles relating to MACP

Phase 1 – https://techcommunity.microsoft.com/t5/skype-for-business-blog/introducing-skype-for-business-server-2019-control-panel/ba-p/771205

Phase 2 – https://techcommunity.microsoft.com/t5/skype-for-business-blog/skype-for-business-2019-control-panel-phase-2-released/ba-p/1240564

Phase 3 – https://techcommunity.microsoft.com/t5/skype-for-business-blog/skype-for-business-server-2019-announcing-the-general/ba-p/2203816

Troubleshooting:
Collect SFB logs using the CLS logging tool while reproducing the issue, as shown in the image below:


Found the following in the CLS log:

Start-Line: 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-Ms-diagnostics: 28032;source="SPRTAW2K19-SFB.spat.net";reason="The web ticket is invalid.";faultcode="wsse:InvalidSecurityToken"

Resolution:

The above errors indicate an authentication issue during Web Ticket token acquisition.

The required TLS version was not present in the registry. The registry entries below enable it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001


  • Run the following PowerShell commands one by one in an elevated PowerShell session:
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name ClientAuthTrustMode -Value 2 -propertytype "DWord"

New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name SendTrustedIssuerList -Value 0 -propertytype "DWord"

New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ -Name EnableSessionTicket -Value 2 -propertytype "DWord"
  • Reboot the SFB server
  • Clear the browser cache/data
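
To confirm after the reboot that every value listed above is actually in place, the following read-only audit can be run on the SFB server. It is an added example, not part of the original post; the function name ConvertFrom-SecureProtocolMask is hypothetical, and the bit-flag table is taken from Microsoft's documentation of the WinHttp DefaultSecureProtocols value.

```powershell
# Added example: audit the registry values listed on this page (read-only).
# Bit flags for WinHttp DefaultSecureProtocols, as documented by Microsoft.
$protoBits = [ordered]@{
    'SSL 2.0' = 0x008; 'SSL 3.0' = 0x020; 'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}
function ConvertFrom-SecureProtocolMask([int]$Mask) {
    # Hypothetical helper: return the protocol names whose bit is set in the mask.
    $protoBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

$sw  = 'HKLM:\SOFTWARE'
$wow = 'HKLM:\SOFTWARE\Wow6432Node'
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected values, copied from the .reg content and the commands above.
$expected = @(
    foreach ($root in $sw, $wow) {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
            @{ Path = "$root\Microsoft\.NETFramework\$ver"; Name = 'SchUseStrongCrypto'; Value = 1 }
        }
        @{ Path = "$root\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
           Name = 'DefaultSecureProtocols'; Value = 0xAA0 }
    }
    foreach ($role in 'Client', 'Server') {
        @{ Path = "$sch\Protocols\TLS 1.2\$role"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$sch\Protocols\TLS 1.2\$role"; Name = 'Enabled'; Value = 1 }
    }
    @{ Path = $sch; Name = 'ClientAuthTrustMode'; Value = 2 }
    @{ Path = $sch; Name = 'SendTrustedIssuerList'; Value = 0 }
    @{ Path = $sch; Name = 'EnableSessionTicket'; Value = 2 }
)

$report = foreach ($e in $expected) {
    # A missing key or value yields $null here instead of a terminating error.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $state  = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $e.Value) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ State = $state; Name = $e.Name; Expected = $e.Value; Actual = $actual; Path = $e.Path }
}
$report | Sort-Object State | Format-Table -AutoSize -Wrap

# Show which protocols the WinHttp mask from this page turns on by default.
'0xAA0 enables: ' + ((ConvertFrom-SecureProtocolMask 0xAA0) -join ', ')
```

For the page's value 0x00000AA0 the final line lists SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, so the mask enables the older protocols as WinHttp defaults alongside TLS 1.2.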