Abstract: Following up on our announcement today about new features available with updated Lync 2013 Mobile clients, we are excited to share more details about Lync 2013 Mobile client’s support for certificate authentication and passive authentication.
Author: Kaushal Mehta, Sr. Lync Beta Engineer
Publication date: 10/08/2013
Product version: Lync 2013
Introduction
Some customers prefer to limit the use of Active Directory (AD) username and password credentials in order to address a range of security concerns, including those associated with the use of smartphones and tablets. It has been challenging for these customers to take advantage of Lync mobile clients which have until now relied on AD credentials for authentication.
With the updated Lync 2013 mobile clients (version 5.2, now available for iOS and Windows Phone), customers can now take advantage of the support for Lync Server Certificate Authentication or Passive Authentication and configure their environment for enabling mobility scenarios. Notably, we are addressing these concerns in a way that minimizes the impact for end users.
Certificate Authentication
This is a proven solution since Lync Server 2010 release and Lync desktop clients already support this authentication method.
Figure 1: Lync 2013 Mobile Client Certificate Authentication flow diagram
In this method, the Lync user signs in using AD Credentials (same as before) but in the background we also get a Lync Certificate which is used for ongoing authentication. The AD credentials are only stored as a long as the current Lync application session is running, and that once either Lync or the device is restarted, only the certificate is stored locally.
Advantages
- AD password is no longer needed for Lync server access (while signed in)
-
Certificate can be renewed without AD credentials.
- The Lync Certificate is stored in a location that does not allow access from other applications.
-
The Lync certificate is scoped to Lync resources only (limits risk).
Furthermore, a certificate is revocable by a Lync Admin using Lync PowerShell cmdlet. This limits exposure in the case where device is compromised (stolen/hacked).
-
In combination with AllowSaveCredentials inband policy for mobile clients, the “save my password” option can be disabled.
- If password is already set, it gets cleared from device storage when policy is downloaded; without any user interaction.
Please note: When this in-band policy is enabled or in general when credentials aren’t stored on the device, Lync mobile client cannot authenticate against Exchange Web Services (EWS).
For more details about Lync Server Certificate Authentication in general, please visit Certificate Authentication in Lync Server 2010 and Enterprise PKI .
Passive Authentication
This type of authentication offers the customers to have their users authenticate passively and hence customize the authentication experience as desired. Passive auth is handled using AD FS 2.0 that does the initial authentication. User signs in by typing sign in address only ( no password ), taps sign in and then gets redirected to ADFS for authentication. AD FS server passes back a Lync server trusted authentication token that is used by the mobile client for signing in. As we can see, there are no user credentials stored in the devices’ encrypted memory or other mobile storage location. The subsequent authentication between the Lync mobile client and Lync server is handled using the certificate retrieved during the initial sign-in.
Figure 2: Lync 2013 Mobile Client Passive Authentication flow diagram
When signing in from a Windows Phone, below is the expected user experience when AD FS configuration is set for “forms” based authentication.
Figure 3: Client Sign in
AD FS server can be configured to enable other forms of authentication (for two-factor authentication). This includes customized forms of authentication as well as support for third party AD FS based solutions. Please note that, smart card based authentication is not possible on a smart phone device at present.
Configuration and Setup
For detailed step by step instructions on how to configure your Lync deployment for passive authentication, see the blog post, Microsoft Lync 2013 for Mobile and Passive Authentication by Jens Trier Rasmussen .
Summary
We truly believe that Lync 2013 Mobile client support for Certificate and Passive authentication will help address key Enterprise IT security concerns and, more importantly, without having the users worry about security policies. The following table that demonstrates this.
|
Lync Mobile 2013 with Kerberos/NTLM |
Lync Mobile 2013 with certificate authentication |
Lync Mobile 2013 with passive authentication |
Eliminates need to store AD Credentials on device |
X |
√ |
√ |
Restricts use of AD Credentials to corporate network only |
X |
X |
√ |
Eliminates need to have users configured with AD credentials |
X |
X |
√* |
Provides option for Two Factor Authentication |
X |
X |
√* |
√* - Passive authentication using AD FS in combination with customized authentication or third-party two-factor authentication solutions required.