Forum Discussion
Skype for Business Mobile App + Smart Card Required
- Jul 12, 2017
MA will not help in this case as the Skype Business Mobile app will still require entering a username and password.
Good point Shawn....Forgot about Cert based Auth..
I have deployed ADCS Cert Based Auth as a MFA option. However it still requires the mobile client to enter username and password first. It doesn't replace that.
- shawn harry | Jul 27, 2017 | Iron Contributor
I contacted Alex Simons yesterday from the IDAM PG to get some more clarity on the expected behavior in SfB when using CBA. My understanding of CBA was no username/password was required as CBA is Certificate Based Auth leveraging OAuth/ADAL (at least that was my understanding when this feature was released and when I was initially researching CBA for SfB Mobile). If a u/p still has to be entered then that's hardly any different to the native NTLM/TLS-DSK support that's been part of SfB Mobile since Lync 2013, although NTLM/TLS-DSK is obviously not MFA. Admittedly the initial auth uses NTLM but subsequent auths use the cert issued from the provisioning service. CBA has been something customers have been asking for for a while. If its use is restricted just to MFA then in my opinion that kind of makes the feature redundant, especially for enterprise customers who do not allow the use of credentials or NTLM over the internet.
I've been meaning to lab this for quite some time so I can observe the behavior. Sounds like that time is now MarkVale! Sorry for hijacking your thread OP!
- shawn harry | Jul 27, 2017 | Iron Contributor
For anyone else following the thread the below is pertinent for CBA, although premises infrastructure is still required even for a cloud only deployment (PKI & ADFS).
https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-certificate-based-authentication-get-started
Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
Testing Office mobile applications
To test certificate-based authentication on your mobile Office application:
- On your test device, install an Office mobile application (e.g., OneDrive).
- Launch the application.
- Enter your user name, and then select the user certificate you want to use.
- VasilMichev | Jul 27, 2017 | MVP
I have CBA set up and can confirm it works correctly for mobile Office apps. SfB mobile app does NOT work with it however. I've always assumed that's the case for Windows Phone only, as I am one of those retarded WP users indeed :)
But it does look like it's a limitation for the current ADAL implementation for SfBO mobile clients...
- MarkVale | Jul 27, 2017 | Iron Contributor
Get it done Harry!