When setting up a Skype for Business hybrid environment for the first time, I have frequently received the following error when attempting to sign in to Office 365 in the Control Panel.
“We couldn’t log in to your Office 365 account. Please check the errors and then select OK to try again: Get-CsWebTicket: Exception of type ‘Microsoft.LiveID.IDCRL.IDCRLException’ was thrown.”
This error coincides with errors in the Application event log, specifically Event IDs 1325 and 1026, on the Skype for Business Front End server.
As explained in this Microsoft TechNet article, the fix is to adjust permissions for the Network Service account on the Skype for Business Front End servers.
Make sure that Network Service has read permissions on the following directory; I recommend having them propagate to all subfolders as well.
%windir%\System32\config\systemprofile\AppData\Local\Microsoft
You will also want to add Full Control permissions on the MSOIdentityCRL folder and all of its subfolders.
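The two permission changes above can be audited and applied with a short script. This is an added example, not code from the original post or the TechNet article; it assumes MSOIdentityCRL sits directly under the Microsoft directory shown above, and it must be run in an elevated 64-bit Windows PowerShell session on each Front End server. Run it with -WhatIf first to see what would change.

```powershell
#Requires -RunAsAdministrator
# Added example: check, then grant, the NETWORK SERVICE permissions described above.
# Use 64-bit PowerShell; a 32-bit process is redirected away from System32.
[CmdletBinding(SupportsShouldProcess)]
param()

# Well-known SID for NETWORK SERVICE; avoids localized account names.
$sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'
$base = Join-Path $env:windir 'System32\config\systemprofile\AppData\Local\Microsoft'

# Read on the parent, Full Control only on MSOIdentityCRL.
# Assumption: MSOIdentityCRL is a direct child of $base.
$targets = @(
    @{ Path = $base; Rights = [System.Security.AccessControl.FileSystemRights]::Read },
    @{ Path = (Join-Path $base 'MSOIdentityCRL'); Rights = [System.Security.AccessControl.FileSystemRights]::FullControl }
)
# Propagate to all subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path -PathType Container)) {
        Write-Warning "Not found, skipping: $($t.Path)"
        continue
    }
    $acl  = Get-Acl -LiteralPath $t.Path
    # Look for an existing Allow rule (explicit or inherited) that already covers the rights.
    $have = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $t.Rights) -eq $t.Rights -and
            ($_.InheritanceFlags -band $inherit) -eq $inherit
        }
    if ($have) {
        Write-Output "OK: $($t.Path) already grants $($t.Rights)"
        continue
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $t.Rights, $inherit, 'None', 'Allow')
    if ($PSCmdlet.ShouldProcess($t.Path, "Grant NETWORK SERVICE $($t.Rights)")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $t.Path -AclObject $acl
        Write-Output "Granted $($t.Rights) on $($t.Path)"
    }
}
```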
In the article written by David Paulino, he recommended recycling the application pool for Lync Internal Management; however, I have not always had to do this. If you do need to restart it, the PowerShell command is Restart-WebAppPool -Name LyncIntManagement.
One last note: before you start this process, make sure that the account you are using to sign in to Office 365 actually exists in Office 365 and has the appropriate Global Admin permissions.
Lucas Guth, PEI