Best-in-class authentication in Skype for Business and Microsoft Teams – BRK 4001
Published Sep 28 2017 08:45 AM

Natasha has been in the Unified Communications space for over 14 years. She has worked on Live Meeting, OCS, Lync and Skype for Business. Her current area of expertise is with Security and Compliance features for Skype for Business.

Natasha kicked off the presentation by making sure that everyone understood the different acronyms and terms. That was a smart move, since the session is full of acronyms and terms that may be unfamiliar to some.

Modern Auth (MA) – Microsoft’s implementation of OAuth 2.0 for client/server authentication.

ADAL – “Active Directory Authentication Library”, the client library used to enable MA.

CBA, MFA, CA, MAM – features that are enabled when using MA; MA is the prerequisite.

CBA – Certificate Based Authentication: allows a user to sign in without a username/password. The IT admin must install a user-based certificate on the device.

MFA – Multi Factor Authentication

•        Can be enabled for all apps via O365

•        Can be enabled for a single app using CA (requires an Intune license)

CA – Conditional Access

•        Allows the IT admin to permit access only under certain conditions, usually location based or device based. For example, only allow external devices with MFA.

MDM/MAM – Mobile Device Management/Mobile Application Management

•        Example: allow copy/paste for managed apps only, wipe a device

More and more organizations are moving to eliminate passwords as their only method of sign-in, and this is enabled by ADAL and Modern Authentication.
So let’s say that you want to use certificates, Multi Factor Authentication and/or Conditional Access. Modern Auth is then required to be enabled for these methods to work. The features can also be mixed as you please, so for example you could have some users with only MFA and some with both MFA and CA. These features require MDM/MAM, which is found in Intune.

To conclude, Modern Auth is what enables your organisation to move away from passwords alone to a more secure and less disruptive way of signing in to services.

What is supported?

Often when troubleshooting authentication issues, the hardest part for us is understanding the topology being used, so that we can try to pinpoint the problem.
We have to account for both the Skype topology and every other moving part, like Exchange, the Office client version or mobile clients, and as you can see in the picture posted below, there are a lot of different parts to account for.

What is also important to keep in mind is that the S4B client is actually a client for both Skype for Business and Exchange.
So we need to match settings for everything to work smoothly for our users and not disrupt them with password prompts.

[Image: 3.png]

The clients supported for Modern Auth, and the features each supports, are shown below.

[Image: 4.png]

There is also a great article at https://technet.microsoft.com/en-us/library/mt803262.aspx on ADAL / Modern Auth and support.

Topologies

Let’s look at the different topologies.

The first one we will look at is Online.

Online is simple: everything is fully supported, but remember that you may need to configure/enable Modern Auth in your tenant if you have an older tenant. For newer tenants Modern Auth is enabled by default when they are created.

Also remember that you should match the settings for Exchange and Skype, so either on or off for both services. (SharePoint is already enabled by default, and the requirement to match does not apply to SharePoint.)
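
As an added example (my own, not from the session or from Microsoft), the following PowerShell compares the two switches the post says should match: the Exchange Online organization setting and the Skype for Business Online OAuth configuration. It assumes you already have an Exchange Online PowerShell session and a Skype for Business Online session connected with admin rights; the cmdlets and property names are the real ones, while the function name and the warning text are mine.

```powershell
# Added example, not part of the session: compare the Modern Auth switches for
# Exchange Online and Skype for Business Online so they are either both on or
# both off. Assumes an Exchange Online and a Skype for Business Online
# PowerShell session are already connected with admin rights.

function Test-ModernAuthConsistency {
    # Exchange Online: $true when Modern Auth (the OAuth2 client profile) is enabled
    $exoEnabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled

    # Skype for Business Online: NoOverride (tenant default), Allowed or Disallowed
    $sfbOverride = (Get-CsOAuthConfiguration).ClientAdalAuthOverride

    $result = [pscustomobject]@{
        ExchangeOnlineModernAuth = $exoEnabled
        SfBOnlineAdalOverride    = [string]$sfbOverride
        Consistent               = $true
    }

    # Flag the two combinations that are unambiguously mismatched. NoOverride
    # means the tenant default applies, so it is reported rather than judged.
    if (($exoEnabled -and $sfbOverride -eq 'Disallowed') -or
        (-not $exoEnabled -and $sfbOverride -eq 'Allowed')) {
        $result.Consistent = $false
        Write-Warning ("Modern Auth mismatch: Exchange Online = $exoEnabled, " +
                       "Skype for Business Online = $sfbOverride")
    }
    return $result
}

Test-ModernAuthConsistency

# To turn Modern Auth on for both services (uncomment to apply):
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```

Run it after connecting both sessions; a warning means one service will hand out Modern Auth prompts while the other still relies on the old prompt, which is exactly the mixed-prompt situation the Hybrid section below describes.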

[Image: 5.png]

The second topology is Hybrid.

In a hybrid topology you can mix more settings and configurations, but depending on your settings your users might receive multiple login prompts.

When troubleshooting this it is important to look at which prompt pops up: it could be the “old Windows” login prompt or it could be a web-based prompt, where the latter is Modern Auth.
Asking your users what the prompt looks like, or having them send you a screenshot of the login prompts, is often key to fast and successful troubleshooting.

This article explains this in further detail: Skype for Business topologies supported with Modern Authentication.

Remember that not ALL four boxes can be turned on for MA right now, but Microsoft is working hard to enable it everywhere; more on this later.

[Image: 6.png]

And the last topology is On-Prem.

For on-prem there is currently limited support, meaning that it only works on Windows desktop clients; mobile clients are not supported and there is no Exchange integration.

[Image: 7.png]

But this is where the news comes in.

Microsoft is working hard on enabling Modern Auth everywhere, so we will see full support in Hybrid and full support when you are entirely on-prem.

[Image: 8.png]

But if you pay attention you’ll see that the arrows from the on-prem services point to the online auth service, so it is still something of a hybrid in that Azure AD is involved.

If you want to enable this for Skype for Business, a public preview program was announced during the session that enables Modern Auth for Skype for Business on-prem.

To sign up and learn more, visit Aka.ms/skypepreview

[Image: 9.png]

Authentication Flows

In a traditional hybrid the first place users authenticate is on-premises, but when Modern Auth is turned on for hybrid in the future, in this scenario the authentication will be against Azure AD.

[Image: 10.png]

Note that the Hybrid auth flow always starts on-prem, since AutoDiscover and LyncDiscover point to on-prem.

So, to try to explain this in a hybrid scenario:

  1. If a mobile client wants to log in, it asks DNS for LyncDiscover, which sends the client to SfB on-prem.
  2. The SfB server looks for a trust, sees that it trusts AAD and says “get a token from AAD”, and the client is redirected there.
  3. Since AAD is federated with ADFS, it sends the client back to your ADFS servers on-prem.
  4. The user enters credentials and ADFS verifies them. (Since you use ADFS the user is prompted and, depending on configuration, logs in with a password or a certificate.)
  5. Your ADFS servers give a token to the client, and the client is redirected to AAD.
  6. The client goes to AAD with the ADFS token.
  7. AAD gives the client an access token (one hour lifetime) and a refresh token (90 day lifetime).
  8. The client gives the access token to SfB on-prem.
  9. SfB validates the token signing authority with AAD.
  10. SfB on-prem validates the user and redirects the client to SfB Online.
  11. SfB Online redirects the client back to AAD.
  12. The client gives the refresh token to AAD.
  13. AAD gives an access token to the SfB client.
  14. The client gives the access token to SfB Online.
  15. The user is logged in to SfB, and an SfB certificate is given to the SfB client (the lifetime of this cert is 8 hours in Online and 180 days on-prem).

And that’s it! Simple, right? Well, that is it for Skype; now the S4B client needs to authenticate to Exchange.

EWS login

  1. AutoDiscover sends the client to Exchange on-prem.
  2. The Exchange server says “get a token from AAD” and redirects.
  3. The client sends the refresh token to AAD.
  4. AAD gives an access token to the SfB client.
  5. The client gives the access token to Exchange on-prem.
  6. Exchange on-prem validates the user and redirects to EXO.
  7. EXO redirects the client to AAD.
  8. The client gives the refresh token to AAD.
  9. AAD gives an access token to the SfB client.
  10. The client gives the access token to EXO.
  11. The user is logged in to Exchange on-prem.

This might be confusing, so I really recommend watching the recording to get a full understanding of this flow.

Tokens and lifetimes

As mentioned above, AAD provides two tokens: the client access token has a lifetime of 1 hour, and the refresh token 90 days, but this is configurable.

The client needs the access token to get in to the server. If it expires, the client uses the refresh token to get a new one and then signs in.

This is true for all online services that use Modern Auth.

As I mentioned in the auth flow there is also the SfB certificate; its lifetime is 8 hours if your client receives the cert from Online, and the default for an on-prem topology is 180 days (this is configurable).
Because S4B is a real-time service it was designed this way to make sure that the clients can always connect: even if AD is down you should be able to make a call to 911, for example.

When this cert expires the client will re-authenticate using the auth model above.
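
To make the lifetimes above concrete, here is an added PowerShell example (mine, not from the session) that models which credential a client can use at sign-in time given what it has cached: the SfB certificate first, then the access token, then the refresh token, and only then a full interactive sign-in through the flow described above. The function name, parameter names and timestamps are constructed for illustration; the lifetimes are the ones quoted in the post (1 hour access token, 90 day refresh token, 8 hour Online certificate, 180 day on-prem certificate), and the configurable ones are parameters with those defaults.

```powershell
# Added example (not from the session): which credential a Skype for Business
# client can use at sign-in time, based on the lifetimes quoted in the post.
# Function and parameter names are hypothetical; all timestamps are constructed.

function Get-SfbSignInAction {
    param(
        [Parameter(Mandatory)][ValidateSet('Online', 'OnPrem')][string]$Topology,
        [Parameter(Mandatory)][datetime]$Now,
        [Nullable[datetime]]$CertIssued,           # when the SfB certificate was issued
        [Nullable[datetime]]$AccessTokenIssued,    # when the AAD access token was issued
        [Nullable[datetime]]$RefreshTokenIssued,   # when the AAD refresh token was issued
        [timespan]$AccessTokenLifetime  = [timespan]::FromHours(1),   # default, configurable
        [timespan]$RefreshTokenLifetime = [timespan]::FromDays(90),   # default, configurable
        [timespan]$OnPremCertLifetime   = [timespan]::FromDays(180)   # default, configurable
    )

    # The certificate lifetime depends on who issued it: 8 hours from Online,
    # 180 days (by default) from an on-prem pool.
    $certLifetime = if ($Topology -eq 'Online') { [timespan]::FromHours(8) } else { $OnPremCertLifetime }

    function IsValid([Nullable[datetime]]$issued, [timespan]$lifetime) {
        return ($null -ne $issued) -and (($Now - $issued) -lt $lifetime)
    }

    # Order matters: the certificate lets a real-time client connect even when
    # AAD or AD is unreachable, so it is tried before any token exchange.
    if (IsValid $CertIssued $certLifetime)                 { return 'UseSfbCertificate' }
    if (IsValid $AccessTokenIssued $AccessTokenLifetime)   { return 'PresentAccessToken' }
    if (IsValid $RefreshTokenIssued $RefreshTokenLifetime) { return 'RedeemRefreshToken' }
    return 'InteractiveSignIn'   # everything expired: full flow via AAD (and ADFS if federated)
}

# Constructed scenarios, all evaluated at the same moment
$now = [datetime]'2017-09-28T12:00:00'

# Online client: certificate issued 9 hours ago, access token 2 hours old,
# refresh token 30 days old
Get-SfbSignInAction -Topology Online -Now $now -CertIssued $now.AddHours(-9) `
    -AccessTokenIssued $now.AddHours(-2) -RefreshTokenIssued $now.AddDays(-30)

# Same client state, but the certificate came from an on-prem pool
Get-SfbSignInAction -Topology OnPrem -Now $now -CertIssued $now.AddHours(-9) `
    -AccessTokenIssued $now.AddHours(-2) -RefreshTokenIssued $now.AddDays(-30)

# No certificate, no access token, and a refresh token older than 90 days
Get-SfbSignInAction -Topology Online -Now $now -RefreshTokenIssued $now.AddDays(-91)
```

The three scenarios are chosen to exercise different branches: the first has an expired 8-hour Online certificate and an expired access token but a refresh token well inside 90 days, so the client can renew silently without a prompt; the second has the same ages but a 180-day on-prem certificate, so no token exchange is needed at all; the third has nothing usable left, which is when the user sees a prompt again. Changing a pool’s certificate lifetime or the tenant’s token lifetimes is the same as changing the corresponding parameter here.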

Modern Auth is a global setting; it cannot be enabled per pool or per user, for security reasons.

When it is turned on it adds OAuth to the list of methods the servers support; it does NOT turn off the old methods, so all your old clients can still log in, for example room systems (or ActiveSync clients to Exchange).

Enabling Modern Auth will NOT require users to re-authenticate, but the next time a client’s auth method times out, it will re-authenticate with Modern Auth.

If you have an on-prem topology and the user is homed on-prem, the auth flow is the same as above but there is no redirection to Online.

Teams

Teams is cloud-only, so it is much simpler: there is just one topology and no hybrid option. And the only authentication that Teams does is Modern Auth.

The features and clients that are supported (at the time of writing) are listed below.

Scenario       Desktop      Mobile                     Windows Web          Mac Web
               Win   Mac    iOS   Android   WinPhone   Edge   IE   Chrome   Firefox   Chrome
MA protocol    x     x      x     x         x          x      x    x        x         x
MFA            x     x      x     x         x          x      x    x        x         x
CBA            x     -      x     x         -          x      x    x        x         x
CA             x     -      x     x         -          x      x    -        -         -
MAM            -     -      x     x         -          -      -    -        -         -

(x = supported, - = not supported)


Resources and links.

Please ask questions or give feedback either here or on Twitter at https://twitter.com/itommyclarke

You can find my personal blog posts at https://www.altitude365.com/blog