Skype for Business Server 2015 (SfB) supports Hybrid Modern Authentication (HMA) as of the May 2017 cumulative update. To use HMA with SfB on-premises, your on-premises Active Directory must be federated with Azure Active Directory (AAD). For more details, see https://aka.ms/ModernAuthOverview.
Why would you want HMA? It lets SfB clients obtain OAuth access and refresh tokens from AAD that your SfB on-premises servers accept for authorization. That is the foundation for applying AAD security capabilities such as multi-factor authentication or Intune mobile application management policies to on-premises SfB sign-in. For the details of HMA, take a pause and read Deep Dive: How Hybrid Authentication Really Works.
To understand what HMA needs in order to work, it helps to understand the authentication flow. Let's look at a common sign-in scenario for hybrid SfB. In this scenario the user's SfB and Exchange accounts are on-premises and the user's SIP domain is federated. Note that in an SfB hybrid configuration all DNS records resolve to on-premises, so the authentication flow always starts there. If the user's SfB account is online, then after step 8 the authentication flow continues like this:
After the client signs in to SfB the Exchange Web Services authentication flow will start.
If the user’s Exchange mailbox is online, then after step 16, the authentication flow will continue like this:
Bearing the authentication flow in mind, a few things are needed to make Skype for Business authentication work:
If your FE servers need a proxy to reach the internet, there is an extra step: the SfB web components read their proxy from the .NET default proxy configuration, so declare it explicitly in the web.config of the SfB web components (internal and external web services) with a system.net/defaultProxy element. Substitute your proxy's address and port for the example value 192.168.100.60:8080:
<configuration>
  <!-- keep the existing web.config content; add the system.net element -->
  <system.net>
    <defaultProxy>
      <proxy
        proxyaddress="http://192.168.100.60:8080"
        bypassonlocal="true"
      />
    </defaultProxy>
  </system.net>
</configuration>
For online, follow these instructions to enable your tenant for modern authentication.
For on-premises, we will cover the steps here, but for full details, please be sure to refer to these instructions How To Configure Skype for Business On-Premises for Hybrid Modern Authentication.
Before configuring HMA, first collect your on-premises SfB web service URLs (internal and external, for every Front End pool and Director), as follows (the script at the end of this post collects them for you):
Next, configure the SPNs for the SfB service principal in Azure AD:
Before proceeding with enabling SfB for HMA:
Now you're ready to configure SfB on-premises to use the Office 365 Azure AD STS (a.k.a. EvoSTS) as its OAuth token issuer.
If you run into a problem and need a quick escape route, run Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity and set it back to the value it had before you changed it, so record that value before you start.
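The following is an added example, not a script from the original post: it runs the on-premises side of the procedure above from the SfB Management Shell, recording the existing OAuth configuration first so the escape route is a one-liner. The OAuth server name "evoSTS" is a choice for this example; the metadata URL is the common Azure AD federation metadata endpoint used throughout this post.

```powershell
# Added example: enable HMA on SfB on-premises and keep a rollback path.
# Run from the SfB Management Shell after the SPNs exist in Azure AD.
$EvoStsName        = "evoSTS"   # assumed name for the OAuth server object
$EvoStsMetadataUrl = "https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Record the current OAuth configuration so it can be restored later.
$Before             = Get-CsOAuthConfiguration
$PreviousAuthServer = $Before.ClientAuthorizationOAuthServerIdentity
Write-Host "Current ClientAuthorizationOAuthServerIdentity: '$PreviousAuthServer'"

# 2. Register Azure AD (EvoSTS) as an OAuth server if it is not already there.
#    -AcceptSecurityIdentifierInformation lets SfB map the SID carried in the
#    AAD token to the on-premises user; -Type AzureAD selects the AAD token format.
if (-not (Get-CsOAuthServer -Identity $EvoStsName -ErrorAction SilentlyContinue)) {
    New-CsOAuthServer -Identity $EvoStsName `
        -MetadataUrl $EvoStsMetadataUrl `
        -AcceptSecurityIdentifierInformation $true `
        -Type AzureAD
}

# 3. Point client authorization at EvoSTS. From now on the pool advertises the
#    Azure AD authorization URI in its OAuth_policy and accepts AAD-issued tokens.
Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity $EvoStsName

# 4. Verify what the servers will now advertise and trust.
Get-CsOAuthConfiguration | Select-Object ClientAuthorizationOAuthServerIdentity
Get-CsOAuthServer -Identity $EvoStsName | Select-Object Identity, Type, MetadataUrl

# Quick escape route: restore the value recorded in step 1.
# (Assumption for this example: if it was empty before HMA, passing the empty
#  value clears the setting again.)
function Undo-SfbHma {
    Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity $PreviousAuthServer
    Get-CsOAuthConfiguration | Select-Object ClientAuthorizationOAuthServerIdentity
}
```

Keep the output of step 1 somewhere outside the shell session; if sign-in breaks after the change, Undo-SfbHma (or the recorded value pasted into Set-CsOAuthConfiguration) puts the pool back without touching the AAD side.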
To avoid additional prompts for authentication against Exchange Web Services, you will also need to configure Exchange for Modern Authentication. For details on Exchange, please refer to this blog on hybrid modern authentication for exchange on premises. Note that Modern Authentication is enabled for Exchange online by default.
During testing of HMA for SfB, two common errors appeared:
How can you prevent these errors from happening to you?
First, double-check that you have configured SPNs in Azure AD for the internal and external web service URLs of every deployed SfB pool that authenticates users, Front Ends and Directors alike, following the instructions above.
Second, confirm that the web browser settings on the FEs do not carry proxy settings and that the servers have direct access to https://login.windows.net. If the FEs do require a proxy, follow the instructions above for configuring the web components with the proxy IP and port.
If you run into problems and are at a loss for what went wrong, an HTTPS-decrypted trace with Fiddler, or a similar tool, can pinpoint the issue. If you have not used Fiddler before, read the guidance on the Fiddler site on how to configure it to capture a decrypted HTTPS trace.
If you have AD FS configured for a federated domain, set Fiddler to skip decryption for the AD FS sign-in URL of your deployment before capturing the SfB sign-in (Fiddler Options, HTTPS tab). If you miss this step, sign-in will fail: AD FS's default extended protection (channel binding) detects the Fiddler-issued HTTPS certificate as a man-in-the-middle and refuses to authenticate.
Once Fiddler is installed and configured, sign out of the SfB Client, delete the sign in info, then start the Fiddler capture and sign back into the SfB client.
If the SfB server has OAuth set up correctly, you should find the OAuth_policy in the 200 response to the POST to the SfB pool web service, as follows:
<wsp:Policy wsu:Id="OAuth_policy">
<wsp:ExactlyOne>
<wsp:All>
<af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />
<af:Binding xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
If you do not see this policy, confirm your SfB server OAuth configuration by running the following two cmdlets in the SfB Management Shell and check that the output matches the expected configuration in our documentation.
If the SPNs are missing or incorrectly configured, the Fiddler trace will show a 302 response from login.microsoftonline.com with the text "The application named 'https://webserviceURL' was not found in the tenant named…".
In this case, connect to the MsolService and run Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 to list the SPNs that are configured. The devil is in the details, so make sure the problem is not a simple typo. Remember, use copy/paste!
If you suspect FE connectivity, you may need to run a CLS logging trace on your SfB FE pool(s). Use the UCWA scenario, which includes the WebInfrastructure component, for tracing. When you have the results, search for JwtSecurityToken. If the FE server cannot connect to login.windows.net, the logs will show the request but no response for retrieving the MEX (metadata exchange) document at https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml.
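As an added example (not part of the original post), the following script checks the two FE-side failure modes discussed above from a Front End or Director: whether the server really has a path to login.windows.net and can fetch the federation metadata, and a CLS capture of the UCWA scenario searched for JwtSecurityToken. The function names and the output path are this example's own; the cmdlets are standard SfB and Windows ones.

```powershell
# Added example: FE-side HMA connectivity checks. Run in the SfB Management Shell
# on each Front End (and Director) that authenticates clients.
$MetadataUrl = "https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml"

function Test-FeAzureAdReachability {
    param([string]$Url = $MetadataUrl)
    # Report the proxy settings the server could be picking up: WinHTTP (machine)
    # and the Internet Settings of the account running this shell.
    Write-Host "WinHTTP proxy:"; netsh winhttp show proxy
    $ie = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    Write-Host ("Internet Settings proxy enabled: {0}  server: {1}" -f $ie.ProxyEnable, $ie.ProxyServer)

    # TCP reachability, then a real fetch of the same document the FE needs in order
    # to validate the signature on tokens issued by Azure AD.
    $tcp = Test-NetConnection -ComputerName "login.windows.net" -Port 443
    if (-not $tcp.TcpTestSucceeded) { return "FAIL: no TCP 443 to login.windows.net" }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30
    } catch {
        return "FAIL: metadata fetch error: $($_.Exception.Message)"
    }
    [xml]$md = $resp.Content
    $issuer = $md.EntityDescriptor.entityID
    if ($issuer) { return "OK: metadata reachable, issuer $issuer" }
    return "FAIL: HTTP $($resp.StatusCode) but no EntityDescriptor in the body"
}

function Get-FeHmaTrace {
    param([string]$OutFile = "C:\Temp\HMA-JwtSecurityToken.txt")   # example path
    # Capture the UCWA scenario (includes WebInfrastructure), reproduce a client
    # sign-in, then pull every line mentioning JwtSecurityToken. A request to the
    # metadata URL with no matching response line points at the proxy/egress problem.
    Start-CsClsLogging -Scenario UCWA
    Read-Host "Reproduce the SfB client sign-in now, then press Enter"
    Stop-CsClsLogging -Scenario UCWA
    Search-CsClsLogging -Components WebInfrastructure -Phrase "JwtSecurityToken" -OutputFilePath $OutFile
    Select-String -Path $OutFile -Pattern "FederationMetadata" | Select-Object -First 20
}

Test-FeAzureAdReachability
```

Run Test-FeAzureAdReachability first; if it reports OK on every FE, the missing-response pattern in the CLS trace is unlikely, and the problem is more likely on the SPN side (the 302 from login.microsoftonline.com described above).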
Take your time, cross your t’s, dot your i’s and get ready for a more secure and seamless sign on experience for your SfB users.
The following script automates collection of the URLs and creation of the SPNs in Azure AD.
## Requirements to run this script:
## Run from SfB Management Shell with read permissions to SfB configuration
## Azure AD PowerShell installed (Install-Module AzureAD)
## Office 365 Global Tenant Administrative Permissions
## Script Overview
## First the script obtains the SfB internal and external web service URLs
## Second it uses these URLs to create the required Service Principal Names on the SfB Service Principal in the Office 365 tenant
## Obtain SfB web service URLs and collect them in an array
$WebServices = Get-CsService -WebServer
$WebServicesFqdns = @()
foreach ($ws in $WebServices) {
    ## External web services FQDN (may be empty on a pool with no external URL)
    if ($ws.ExternalFqdn) { $WebServicesFqdns += $ws.ExternalFqdn.ToString() }
    ## Internal web services FQDN; falls back to the pool FQDN when no override is set
    if ($ws.InternalFqdn) { $WebServicesFqdns += $ws.InternalFqdn.ToString() }
    else                  { $WebServicesFqdns += $ws.PoolFqdn.ToString() }
}
$WebServicesFqdns = $WebServicesFqdns | Sort-Object -Unique
## Connect to AzureAD. DO NOT specify the -Credential parameter. This calls Windows' native sign-in dialog, where you can sign in with whatever method your organization requires.
Connect-AzureAD
# Get the SfB service principal, add each missing SPN in memory, then write it back once
$SfBAppId = "00000004-0000-0ff1-ce00-000000000000"
$SfBServicePrincipal = Get-AzureADServicePrincipal -Filter "appid eq '$SfBAppId'"
foreach ($WebServicesFqdn in $WebServicesFqdns)
{
    $Spn = "https://$WebServicesFqdn/"
    If ($SfBServicePrincipal.ServicePrincipalNames -contains $Spn) { continue }
    $SfBServicePrincipal.ServicePrincipalNames.Add($Spn)
}
Set-AzureADServicePrincipal -ObjectId $($SfBServicePrincipal.ObjectId) -ServicePrincipalNames $($SfBServicePrincipal.ServicePrincipalNames) -Verbose
# Confirm SPNs and report any on-premises URL that is still missing
$Spns = Get-AzureADServicePrincipal -Filter "appid eq '$SfBAppId'" | Select-Object -ExpandProperty ServicePrincipalNames
$Spns
$Missing = $WebServicesFqdns | Where-Object { $Spns -notcontains "https://$_/" }
if ($Missing) { Write-Warning "SPNs still missing for: $($Missing -join ', ')" }
else          { Write-Host "All SfB web service URLs are registered as SPNs." }