Cannot Sign-in to Office 365 in SfB Control Panel – Exception of type ‘Microsoft.LiveID.IDCRL.IDCRLException’ was thrown

In a new Skype for Business Server 2015 lab we tried to sign in to Office 365 in the Skype for Business Control Panel.

But after a few seconds we got the following error message:


We couldn’t log in to your Office 365 account. Please check the errors and then select OK to try again:
Get-CsWebTicket: Exception of type ‘Microsoft.LiveID.IDCRL.IDCRLException’ was thrown.

Also in the Event Viewer > Windows Logs > Application the following errors were present:


Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 11/28/2016 12:00:04 PM
Event ID: 1325
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: sfbfe.uclobby.com
Description:
An unhandled exception occurred and the process was terminated.

Application ID: DefaultDomain

Process ID: 30668

Exception: System.Runtime.Serialization.SerializationException

Message: Type ‘Microsoft.LiveID.IDCRL.IDCRLException’ in Assembly ‘Microsoft.Rtc.Management.OnlineConnector.AuthenticationHelper, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ is not marked as serializable.

StackTrace: at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitSerialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.Serialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.ObjectWriter.Serialize(Object graph, Header[] inHeaders, __BinaryWriter serWriter, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph, Header[] headers, Boolean fCheck)
at System.Runtime.Remoting.Channels.CrossAppDomainSerializer.SerializeObject(Object obj, MemoryStream stm)
at System.AppDomain.Serialize(Object o)
at System.AppDomain.MarshalObject(Object o)


Log Name: Application
Source: .NET Runtime
Date: 11/30/2016 6:32:21 PM
Event ID: 1026
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: sfbfedr.uclobby.com
Description:
Application: w3wp.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.LiveID.IDCRL.IDCRLException
at Microsoft.LiveID.IDCRL.NativeIdcrlWrapper.Uninitialize()
at Microsoft.Rtc.Admin.Authentication.ManagedIdcrl.Dispose(Boolean)
at Microsoft.Rtc.Admin.Authentication.ManagedIdcrl.Finalize()

To fix this issue we need to grant the following permissions to the NETWORK SERVICE account (please add the permissions on all Front Ends):

Read

%windir%\System32\config\systemprofile\AppData\Local\Microsoft


Full Control

%windir%\System32\config\systemprofile\AppData\Local\Microsoft\MSOIdentityCRL


After this we need to recycle the LyncIntManagement application pool. We can do this in Internet Information Services (IIS) Manager > Application Pools.

Or with the following PowerShell cmdlet:

Restart-WebAppPool -Name LyncIntManagement
https://technet.microsoft.com/en-us/library/ee790580.aspx
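
The permission changes and the pool recycle described above, combined into one script as an added example that is not part of the original post. It assumes an elevated Windows PowerShell session on each Front End, resolves NETWORK SERVICE by its well-known SID S-1-5-20, and lets the entries apply to subfolders and files as the Security tab does by default.

```powershell
# Added example: grants the two ACL entries from this post, then recycles the pool.
# Assumption: run elevated, once on every Front End.
Import-Module WebAdministration

# NETWORK SERVICE by well-known SID, so the script does not depend on the OS language.
$networkService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'

$base = Join-Path $env:windir 'System32\config\systemprofile\AppData\Local\Microsoft'
$grants = @(
    @{ Path = $base;                              Rights = 'Read' }
    @{ Path = (Join-Path $base 'MSOIdentityCRL'); Rights = 'FullControl' }
)

foreach ($g in $grants) {
    if (-not (Test-Path -LiteralPath $g.Path)) {
        Write-Warning "Folder not found, skipped: $($g.Path)"
        continue
    }

    # Assumption: inherit to subfolders and files, matching the GUI default.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $networkService,
        [System.Security.AccessControl.FileSystemRights]$g.Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $g.Path
    $acl.AddAccessRule($rule)   # merges with the existing entries, replaces nothing
    Set-Acl -LiteralPath $g.Path -AclObject $acl

    # Read the ACL back and show what NETWORK SERVICE now holds on this folder.
    (Get-Acl -LiteralPath $g.Path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $networkService.Value } |
        Select-Object @{ n = 'Path'; e = { $g.Path } }, FileSystemRights, IsInherited
}

# The worker process only picks up the new permissions after a recycle.
Restart-WebAppPool -Name LyncIntManagement
```

Full Control is granted only on the MSOIdentityCRL subfolder; the parent folder gets Read, as listed above.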


Now we can successfully sign in to Office 365 in the Skype for Business Control Panel.