teams

Teams CAA20004 and Network Connectivity Errors

Resolution Checklist

  • 1 Understand the CAA20004 Error
  • 2 Verify Network Connectivity and DNS
  • 3 Configure Firewall and Proxy Settings
  • 4 Clear Cached Credentials and Auth Tokens
  • 5 Resolve TLS and Certificate Issues

Teams CAA20004 and Network Connectivity Errors

The error code CAA20004 in Microsoft Teams typically appears during sign-in and indicates a network connectivity problem. The full message often reads “We weren’t able to connect. Please check your network connection and try again. (CAA20004)”. This error means Teams cannot reach Microsoft’s authentication or service endpoints due to DNS issues, firewall rules, proxy misconfigurations, or TLS problems.

Step 1: Understand the CAA20004 Error

The CAA20004 error is an authentication-stage network failure. Teams contacts several endpoints during sign-in, and if any are unreachable, this error appears.

Common causes include:

  • Corporate firewalls blocking required Microsoft 365 endpoints
  • Proxy servers that require authentication or do not support WebSocket connections
  • DNS resolution failures for Microsoft domains
  • Expired or misconfigured TLS certificates intercepting HTTPS traffic
  • VPN split-tunnel configurations that route Microsoft traffic incorrectly

The error may appear intermittently if network conditions fluctuate, or consistently if a configuration is fundamentally blocking access.

Step 2: Verify Network Connectivity and DNS

Start by confirming that your computer can reach the Microsoft 365 infrastructure.

  1. Open a terminal or command prompt and test DNS resolution:
:: Windows
nslookup teams.microsoft.com
nslookup login.microsoftonline.com
# macOS
dig teams.microsoft.com
dig login.microsoftonline.com

  1. Both queries should return valid IP addresses. If they fail or return unexpected IPs, your DNS may be misconfigured or intercepted.

  2. Test HTTPS connectivity to key endpoints:

curl -I https://teams.microsoft.com
curl -I https://login.microsoftonline.com

  1. Try switching your DNS to a public provider:

    • Google DNS: 8.8.8.8 and 8.8.4.4
    • Cloudflare DNS: 1.1.1.1 and 1.0.0.1

  2. Flush your DNS cache:

:: Windows
ipconfig /flushdns
# macOS
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

Step 3: Configure Firewall and Proxy Settings

Teams requires access to specific Microsoft endpoints. Corporate networks frequently block these inadvertently.

Required endpoints for Teams:

  • *.teams.microsoft.com — Teams services
  • *.skype.com — Media and signaling
  • login.microsoftonline.com — Authentication
  • *.office365.com — Microsoft 365 services
  • *.microsoft.com — General Microsoft services

Required ports:

  • TCP 443 (HTTPS) — Required for all traffic
  • UDP 3478-3481 — Required for audio/video media

If your organization uses a proxy server:

  1. Ensure the proxy supports WebSocket connections (required by Teams).
  2. Add Microsoft 365 URLs to the proxy bypass list — Teams performance degrades significantly through proxies.
  3. If the proxy requires authentication, Teams may not be able to provide credentials. Configure a PAC file to bypass the proxy for Microsoft endpoints.
# Windows: Check current proxy settings
netsh winhttp show proxy

Step 4: Clear Cached Credentials and Auth Tokens

Stale or corrupted authentication tokens can trigger CAA20004 even when the network is working correctly.

On Windows:

  1. Open Credential Manager (search from Start menu).
  2. Under Windows Credentials, find and remove all entries containing:
    • teams
    • microsoft
    • login.microsoftonline.com
  3. Also clear the Teams auth cache:
rmdir /s /q "%appdata%\Microsoft\Teams\Cache"
rmdir /s /q "%appdata%\Microsoft\Teams\databases"
rmdir /s /q "%appdata%\Microsoft\Teams\Local Storage"

On macOS:

  1. Open Keychain Access.
  2. Search for microsoft and teams.
  3. Delete all related keychain entries (passwords and certificates).
  4. Clear the Teams cache:
rm -rf ~/Library/Application\ Support/Microsoft/Teams
  1. Restart Teams and attempt to sign in again.
  • If your organization uses Conditional Access policies, the sign-in may fail if your device does not meet compliance requirements (e.g., no MDM enrollment). Contact your IT admin.

Step 5: Resolve TLS and Certificate Issues

Some networks use TLS inspection (SSL interception) that can break Teams connectivity.

  1. Check if your organization performs TLS inspection:

    • In Chrome, visit https://teams.microsoft.com, click the padlock icon, and view the certificate.
    • If the issuer is your company’s firewall appliance (e.g., Palo Alto, Zscaler) rather than Microsoft, TLS inspection is active.

  2. Ask your IT admin to add Microsoft 365 endpoints to the TLS inspection bypass list. Microsoft explicitly recommends against inspecting Teams traffic.

  3. Ensure your system’s root certificates are up to date:

# Windows: Update root certificates
certutil -generateSSTFromWU roots.sst

  1. On macOS, ensure no custom certificate profiles are interfering:

    • Check System Settings > General > Profiles for any network configuration profiles.

  2. Verify your system clock is accurate — TLS connections will fail if the system time is significantly off:

# macOS: Sync system time
sudo sntp -sS time.apple.com
:: Windows: Sync system time
w32tm /resync
  • If TLS inspection cannot be disabled for your network, try connecting through a different network (personal hotspot, home Wi-Fi) to confirm this is the cause.