Natasha has been in the Unified Communications space for over 14 years. She has worked on Live Meeting, OCS, Lync and Skype for Business. Her current area of expertise is with Security and Compliance features for Skype for Business.
Natasha kicked off the presentation by making sure that everyone understood the different acronyms and terms. This was probably very smart, since the session is full of acronyms and terms that might be unknown to some, and it put the audience on the same page.
| Term | Meaning |
|---|---|
| Modern Auth (MA) | Microsoft's implementation of OAuth 2.0 for client/server authentication |
| ADAL | "Active Directory Authentication Library": the client library used to enable MA |
| CBA, MFA, CA, MAM | Features enabled when using MA. MA is the prerequisite. |
| CBA | Cert Based Auth: allows a user to log in without a username/password. The IT admin must install a user-based cert on the device. |
| MFA | Multi Factor Auth. Can be enabled for all apps via O365; can be enabled for a single app using CA (needs an Intune license). |
| CA | Conditional Access. Allows the IT admin to only allow access based on certain conditions, usually location based or device based. For example, only allow external devices with MFA. |
| MDM/MAM | Mobile Device Management/Mobile Application Management. Example: allow copy/paste for managed apps only, wipe device. |
More and more organizations are moving to eliminate passwords as their only method of sign-in, and this is enabled by ADAL and Modern Authentication.
So let's say that you want to use Certificates, Multi Factor Authentication and/or Conditional Access. Modern Auth is then required to be enabled for these methods to work. The features can also be mixed as you please, so for example you could have some users that only have MFA and some that have MFA and CA. These features require MDM/MAM, which is found in Intune.
To conclude, Modern Auth is what enables your organisation to move away from just passwords into a more secure and less disruptive way of signing in to services.
Often when troubleshooting authentication issues, the hardest part for us is to understand the topology being used, so that we can try and pinpoint the problem.
We have to account for both the Skype topology and also every other moving part like Exchange, Office client version or mobile clients, and as you can see in the picture posted below, there are a lot of different parts to account for.
What is also important to keep in mind is that the S4B client is actually a client for both Skype for Business and also for Exchange.
So we need to match settings for everything to work smoothly for our users and not disrupt them with password prompts.
The clients that are supported for Modern Auth and the different features are found below.
There is also a great article at https://technet.microsoft.com/en-us/library/mt803262.aspx on ADAL / Modern Auth and support.
Let’s look at the different topologies.
The first one that we will look at is Online.
Online is simple, everything is fully supported, but remember that you might need to configure/enable Modern Auth in your tenant, if you have an older tenant. For newer tenants Modern Auth is enabled by default when they are created.
Also remember that you should match settings for both Exchange and Skype so either on or off for both services, (SharePoint is already enabled by default and the requirement to match is not present for SharePoint)
The second topology is Hybrid
In a hybrid topology you can mix more settings and configuration, but depending on your settings your users might receive multiple login prompts.
When troubleshooting this it’s important to look for what prompt that pops up, it could be the “old Windows” login prompt or it could be a web based prompt, where the latter is Modern Auth.
Asking your users how the prompt looks like or having them send you a screenshot of the login prompts is often key to a fast and successful troubleshooting.
This link explains this in further detail: Skype for Business topologies supported with Modern Authentication.
Remember that not ALL four boxes can be turned on for MA right now, but Microsoft is working hard to enable it everywhere, more on this later.
And the last topology is On-Prem
For on-prem there is right now limited support, meaning that it only works on Windows desktop clients; mobile clients are not supported and there is no Exchange integration.
But this is where the news is coming.
Microsoft is working hard on enabling Modern Auth everywhere, so we will see full support in Hybrid and full support when you are all on-prem.
But if you pay attention you'll see that the arrows from the on-prem services point to the online Auth service, so it's kind of a Hybrid with regards to involving Azure AD.
If you want to enable this for Skype for Business, a public preview program was announced during the session that enables modern auth for Skype for Business onprem.
To sign up and get to know more visit Aka.ms/skypepreview
In a traditional hybrid the first place where users authenticate is onpremise, but to turn on Modern Auth in the future for hybrid in this scenario, the authentication will be against Azure AD.
Note that the Hybrid auth flow always starts with onprem since AutoDiscover and LyncDiscover points to onprem.
So, to try and explain this in a hybrid scenario.
And that's it! Simple, right? Well, that's it for Skype, and now the S4B client needs to auth to Exchange.
EWS login
This might be confusing so I really recommend watching the recording to get a full understanding on this flow.
As mentioned above, AAD provides two tokens: the client access token has a lifetime of 1 hour, and the refresh token 90 days, but this is configurable.
You need the client access token to get in to the server. If it times out, the client uses the refresh token to get a new one and then signs in.
This is true for all online services that use Modern Auth.
As I mentioned in the auth flow there is also the SFB Certificate and the lifetime is 8 hours if your client receives the cert from online and the default for an onprem topology is 180 days (this is configurable.)
Because S4B is a real-time service it was designed this way to make sure that the clients could always connect; even if AD is down you should be able to make a call to 911, for example.
When this cert expires the client will reauthenticate with the auth model above.
Modern auth is a global setting, it cannot be enabled per pool or user, due to security.
When it's turned on it adds OAuth to the list of what the servers support; it does NOT turn off the old methods, so all your old clients can still log in, for example room systems (or ActiveSync clients to Exchange).
Enabling Modern Auth will NOT require users to reauth, but the next time the client's auth method times out, it will reauth with Modern Auth.
If you have an on-prem topology and the user is on-prem, the auth flow is the same as above but there is no redirection to online.
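The matching requirement from the Online topology section (Exchange and Skype either both on or both off) and the global on/off switch just described can be checked from PowerShell. This is an added example, not code from the session or this post; it uses the tenant-level Modern Auth settings exposed by the Exchange Online and Skype for Business Online PowerShell modules and assumes you are already connected to both services.

```powershell
# Added example: report whether Modern Auth is set consistently for
# Exchange Online and Skype for Business Online. Assumes an existing
# Exchange Online session and an imported Skype for Business Online session.

function Get-ModernAuthState {
    # Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide Modern Auth switch.
    $exo = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled

    # Skype for Business Online: ClientAdalAuthOverride is Allowed, Disallowed or NoOverride.
    # NoOverride means the tenant default applies (on for newer tenants), so it is
    # reported as "unknown" rather than guessed.
    $sfbo = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    $sfboEnabled = switch ($sfbo) {
        'Allowed'    { $true }
        'Disallowed' { $false }
        default      { $null }
    }

    [pscustomobject]@{
        ExchangeModernAuth = $exo
        SkypeModernAuth    = $sfboEnabled
        SkypeSetting       = $sfbo
        Matched            = if ($null -eq $sfboEnabled) { $null } else { $exo -eq $sfboEnabled }
    }
}

$state = Get-ModernAuthState
$state | Format-List

if ($null -eq $state.Matched) {
    Write-Warning "Skype for Business Online is on NoOverride; confirm the tenant default before comparing."
}
elseif (-not $state.Matched) {
    Write-Warning "Exchange and Skype Modern Auth settings differ; users may see mixed legacy and web login prompts."
}

# To align both services ON (review the output first; legacy auth stays
# available, so older clients such as room systems keep working):
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```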
Teams is cloud-only so it’s much simpler, there is just one topology and no hybrid option. And the only auth that Teams does is modern auth.
The features and clients that are supported (at the time of writing) are listed below.
| Scenario | Desktop Win | Desktop Mac | Mobile iOS | Mobile Android | Mobile WinPhone | Windows Web Edge | Windows Web IE | Windows Web Chrome | Windows Web Firefox | Mac Web Chrome |
|---|---|---|---|---|---|---|---|---|---|---|
| MA protocol | x | x | x | x | x | x | x | x | x | x |
| MFA | x | x | x | x | x | x | x | x | x | x |
| CBA | x | x | x | x | x | x | x | x | | |
| CA | x | x | x | x | x | | | | | |
| MAM | x | x | | | | | | | | |
Please ask questions or give feedback either here or on Twitter at https://twitter.com/itommyclarke
You can find my personal blog posts at https://www.altitude365.com/blog