SOLVED

Skype for Business App on iOS and Android Cert based Authentication to Exchange


Our company policy dictates that we must lock down our Exchange with 2 factor authentication. So we force a PIN number on our devices and configure Exchange ActiveSync to authenticate via a user certificate (certificate based authentication).

Currently there are no options within the Skype for Business app to connect to Exchange using a certificate. So on launching the application we are prompted with the message (We can't connect to your exchange please try again later).

We can connect to Exchange using certificates for email on the devices using the inbuilt stock email apps.

Q) Are there any plans to implement certificate based authentication for Exchange within the Skype for Business app?

best response confirmed by Matthew Lane (Brass Contributor)
I did read the blog before posting. The thread talks about Office 365 accounts (which I don't have) connecting to Skype for Business using certificate based authentication. Exchange ActiveSync already supports cert based authentication to Exchange. So it wouldn't take much to update the Skype for Business phone apps to support this method also. No backend changes are required, it's purely an app update. I currently don't need cert based authentication for Skype for Business yet, and again Microsoft always seems to be pushing O365, with on premise fixes coming much later.

For some reason the reply has accepted the response as a solution (which it's not). It's not an accepted solution as we don't have Azure (we use on premise). And also, as said previously, no changes are needed to the backend to resolve the issue. (Although it's pointless now as we have scrapped the idea of rolling the app out to users, as in its current state it's not fit for purpose: the phones do not ring when in standby (on premise). This is already raised in another thread.)

Hi Matthew,

To be more precise on your ask:

"We can connect to Exchange using certificates for email on the devices using the inbuilt stock email apps. Q) Are there any plans to implement certificate based authentication for exchange within the skype for business app?"

But I think your real question is: Skype for Business MFA with EWS (you need ex 2016 or EXO with MA enabled for onprem)

For CBA we are in preview online (I think you can sign up). For on-premises it's on the roadmap.

Does this help?

Thanks, but I don't need cert based authentication for Skype; it's not required in my environment. Also we are not in a position yet to upgrade to Exchange 2016. Anyhow, even if I did upgrade it still would not work, as the app does not have the functionality to connect to Exchange using a cert.

I have Exchange working via certificate based authentication already, no need to start from fresh.
The stock email apps connect to Exchange using a cert.
Other email applications on iOS and Android can connect to Exchange using a cert.
The Skype for Business app on Android and iOS does not have this functionality. Signing up to the online preview will still not give me the functionality unless the insider preview has updated Skype for Business app (APK) or (IPA) files which support cert based authentication for the apps.

Just to add, even with Exchange 2016 configured for certificate based authentication, the Skype for Business app for iOS and Android does not support connecting to this configuration.

IT IS THE SKYPE 4 BUS APPLICATION THAT NEEDS TO BE UPDATED.....(to connect to exchange using CBA).

Thanks for the link, but we have everything on premise (no Azure). We have also scrapped the rollout of Skype for Business on mobiles as it's not fit for purpose.

Such as not being able to answer response groups.

Response groups ringing on the mobile app (if it's not supported, why ring?).

No connection to Exchange via certificates, plus many other minor issues.

Until it has basic functionality and is not erroring because the app can't connect to Exchange, and not being unable to answer the phone when it rings (response groups), it's not fit for purpose, so we have decided to scrap it for now. We may revisit the mobile phone side functionality in a couple of years.

Hi Matthew,

Please watch this recording from Ignite by one of our PMs.

https://myignite.microsoft.com/sessions/53262?source=sessions

It explains the roadmap for on-prem customers only (it's coming).

As for SfB RGS you are correct, we should not ring if it's not supported.

Let me know if the recording answers your auth questions in any way.

Ivan

Yes, the video was very enlightening. A very informative roadmap of what's to come. It would be pointless to go down this route though, as we would still need to set up a new Skype for Business Server and go down the modern authentication path, create at least 1 account for Azure (possibly 10 accounts for admins to use), and a new Exchange server. And even when we do that, the on premise Exchange and Skype still do not fully support the mobile Skype for Business client. Also this is far too much work (I don't even require modern auth). I just need the Skype for Business application on the mobile phone to be able to authenticate to the Exchange server in the same way in which other stock apps already authenticate to Exchange using certificate based authentication.

Surely the people who write the code for the Skype for Business application can add some code to connect to Exchange using a user certificate. Maybe Microsoft should fix CBA before moving on to MA.

Matthew,

Just to understand your requirement precisely. You are searching for a solution where you have CBA enabled for EWS and expect SfB to leverage that? Because SfB leverages EWS.

I believe on your Exchange setup you enabled CBA only for ActiveSync. Is it a hard requirement that EWS needs to be protected by CBA?

Yes, that's exactly my predicament. We have certificate based authentication configured only for Exchange ActiveSync and yes, unfortunately this is a requirement.

And yes, we would like the Skype for Business app to also be able to connect to the EWS for Exchange ActiveSync using the same method (CBA).

I'm a bit confused. If you have CBA only protecting ActiveSync then EWS should work, as it's not protected by CBA.

I looked in our internal database and figured out that EWS with CBA is not supported. In some scenarios EWS might work, but I believe the supported scenarios are described in the following article only:

https://msdn.microsoft.com/en-us/library/office/dn903761(v=exchg.150).aspx

So, to answer it finally. If you have EAS protected by CBA and EWS not, then SfB mobile would use EWS without an issue. If your requirement remains to have EWS protected by CBA, I would recommend then to open a support case and perhaps file a formal request for an answer from the Exchange Product Group. But before you start implementing this: as stated before, there is no supportability for it.

Sorry, I should have said that our EWS is not internet facing, only ActiveSync is.

Well, that explains it :) I believe the story is clear then. CBA on EWS is a no go, then you are routed to MA where you need to have synced up users to leverage EvoSTS, otherwise I believe there is no other solution. We can't update the SfB app to support something which isn't supported by Exchange :)

Hi, any updates for a solution? I have on-prem SfB and Android Skype clients but I need cert based authentication. How can we achieve this? Any such feature over the years?

Skype for Business has gone end of life. You need to migrate to Teams.