Skype for Business Mobile App + Smart Card Required

jocke andersson

I'm using Skype for Business via my Office365 subscription and my domain in Office365 is federated against my on-prem ADFS infrastructure. My user in the local AD has the option "Require Smart Card for interactive logon" enabled, which means that I do not know my own AD password.

When I tried to log in to Skype for Business on my Android phone, the app wanted my username and password to sign in, but unfortunately the password is unknown to me since I have "Require Smart Card for interactive logon" enabled in local AD.

Is there any way for me to get the Skype for Business app to work on my phone (Android & iOS) without knowing my own AD-password?

  • Devices
  • Federation
  • Mobile Client
  • Sign-in
23 Replies

Re: Skype for Business Mobile App + Smart Card Required

Have you enabled Modern authentication for your tenant (both SfB and ExO)? Also, is the password prompt directly from the app, or does it redirect you to the AD FS server first?

 

The steps to enable MA are here: https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-y...

Re: Skype for Business Mobile App + Smart Card Required

Unfortunately, the scenario you describe is probably not supported.

 

The mobile client was not designed to support Smart-Card.

 

JP

Re: Skype for Business Mobile App + Smart Card Required

Modern authentication is not enabled in the tenant for SfB or ExO.

The password prompt is directly from the application; it does not redirect me to my ADFS login page.

Actually the SfB mobile application requires a password before it's even possible to sign in. I'm unable to continue without specifying a password (the arrow button is grayed out).


Re: Skype for Business Mobile App + Smart Card Required

That's where MA should help. Though I've had limited success in actually making it work on mobile devices (well, Windows Phone).

Once you enable MA, it should redirect you to the AD FS server, where you can surface additional auth options.

Solution

Re: Skype for Business Mobile App + Smart Card Required

MA will not help in this case, as the Skype Business Mobile app will still require entering a username and password.

 

Re: Skype for Business Mobile App + Smart Card Required

Oh well, so much for SfB supporting ADAL I guess :)

Re: Skype for Business Mobile App + Smart Card Required

Skype for Business Online does support ADAL when MA is enabled.

 

The limitation is within the Skype Mobile client.

 

 

Re: Skype for Business Mobile App + Smart Card Required

Yup, that's what I meant, SfB mobile :) I've been doing demos with the desktop client/ADAL for a while now, but since I use Windows Phone I always assume that the limitations are specific to that version, not across all mobiles.

 

Anyway, definitely something the mobile team needs to work on. Modern auth has been around for two years now, it's unacceptable to have first-party apps that still don't support it...

Re: Skype for Business Mobile App + Smart Card Required

Thanks a lot for your help!

Re: Skype for Business Mobile App + Smart Card Required

Have a look at Certificate Based Authentication. This may be a suitable option for sign-in, as neither the username nor password is required to log in.

 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentic...

Re: Skype for Business Mobile App + Smart Card Required

Unfortunately the mobile client doesn't support auth methods different from username/password, as @Jean-Philippe Breton mentioned above.

Re: Skype for Business Mobile App + Smart Card Required

The table in the link I pasted seems to indicate CBA is supported for SfB Mobile when using SfBO.

Also this link here shows the supported topologies for Modern Auth, which includes CBA for SfBO in the first table - Cloud Only. This is probably the best link on Technet for understanding the technical nuances between each topology and what's available with each.

 

https://technet.microsoft.com/en-us/library/mt803262.aspx

Re: Skype for Business Mobile App + Smart Card Required

Good point Shawn....Forgot about Cert based Auth..

 

 

Re: Skype for Business Mobile App + Smart Card Required

I have deployed ADCS Cert Based Auth as a MFA option. However it still requires the mobile client to enter username and password first. It doesn't replace that.

Re: Skype for Business Mobile App + Smart Card Required

I contacted Alex Simons yesterday from the IDAM PG to get some more clarity on the expected behavior in SfB when using CBA. My understanding of CBA was that no username/password was required, as CBA is Certificate Based Auth leveraging OAuth/ADAL (at least that was my understanding when this feature was released and when I was initially researching CBA for SfB Mobile). If a u/p still has to be entered then that's hardly any different to the native NTLM/TLS-DSK support that's been part of SfB Mobile since Lync 2013, although NTLM/TLS-DSK is obviously not MFA. Admittedly the initial auth uses NTLM but subsequent auths use the cert issued from the provisioning service. CBA has been something customers have been asking for for a while. If its use is restricted just to MFA then in my opinion that kind of makes the feature redundant, especially for enterprise customers who do not allow the use of credentials or NTLM over the internet.

I've been meaning to lab this for quite some time so I can observe the behavior. Sounds like that time is now @Mark Vale! Sorry for hijacking your thread OP!

Re: Skype for Business Mobile App + Smart Card Required

Get it done Harry!

Re: Skype for Business Mobile App + Smart Card Required

For anyone else following the thread, the below is pertinent for CBA, although premises infrastructure is still required even for a cloud only deployment (PKI & ADFS).

 

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-certificate-based-authentic...

 

Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

 

Testing Office mobile applications

To test certificate-based authentication on your mobile Office application:

  1. On your test device, install an Office mobile application (e.g., OneDrive).
  2. Launch the application.
  3. Enter your user name, and then select the user certificate you want to use.

 

Re: Skype for Business Mobile App + Smart Card Required

I have CBA set up and can confirm it works correctly for mobile Office apps. SfB mobile app does NOT work with it however. I've always assumed that's the case for Windows Phone only, as I am one of those retarded WP users indeed :)

 

But it does look like it's a limitation for the current ADAL implementation for SfBO mobile clients...

Re: Skype for Business Mobile App + Smart Card Required

The link I posted says "Windows, Android or iOS device" are the supported endpoints. It doesn't explicitly say Windows Phone....? Do you have an Android or iOS device you can test on? There is an Android emulator called Bluestacks that may work as an alternative, as the SfB Mobile client works inside of the Bluestack emulator.

Re: Skype for Business Mobile App + Smart Card Required

The link is not specific to SfB though, as I mentioned mobile Office apps such as Word work just fine with CBA.

Re: Skype for Business Mobile App + Smart Card Required

Just had it confirmed from the Identity PG that CBA is supported for SfB Mobile against SfBO using a certificate to authenticate and no combination of username and password is required as per the links I've already posted.

Re: Skype for Business Mobile App + Smart Card Required

Do we have SfBO mobile support for CBA documented?
