12-06-2016 08:12 AM
Our company policy dictates that we must lock down our Exchange with 2-factor authentication. So we force a PIN number on our devices and configure Exchange ActiveSync to authenticate via a user certificate (Certificate Based Authentication).
Currently there are no options within the Skype for Business app to connect to Exchange using a certificate. So on launching the application we are prompted with the message (We can't connect to your exchange please try again later).
We can connect to Exchange using certificates for email on the devices using the inbuilt stock email apps.
Q) Are there any plans to implement certificate based authentication for Exchange within the Skype for Business app?
12-15-2016 10:51 PM Solution
Please take a look at this:
To answer your question : Yes
12-16-2016 10:58 PM
12-16-2016 11:09 PM
12-17-2016 05:21 AM
To be more precise on your ask:
"We can connect to Exchange using certificates for email on the devices using the inbuilt stock email apps. Q) Are there any plans to implement certificate based authentication for Exchange within the Skype for Business app?"
But I think your real question is: Skype for Business MFA with EWS (you need ex 2016 or EXO with MA enabled for onprem)
For CBA we are online in preview (I think you can sign up). For on-premises it's on the roadmap.
Does this help?
01-03-2017 09:24 AM
10-09-2017 04:54 AM - edited 10-09-2017 06:56 AM
Just to add, even with Exchange 2016 configured for Certificate Based Authentication, the Skype for Business app for iOS and Android does not support connecting to this configuration.
IT IS THE SKYPE 4 BUS APPLICATION THAT NEEDS TO BE UPDATED.....(to connect to exchange using CBA).
10-18-2017 08:48 AM
Thanks for the link but we have all on premise (no Azure). We have also scrapped the rollout of Skype for Business on mobiles as it's not fit for purpose.
Such as not being able to answer response groups.
Response groups ringing on the mobile app (if it's not supported, why ring).
No connection to Exchange via certificates, plus many other minor issues.
Until it has basic functionality and is not erroring because the app can't connect to Exchange and not being able to answer the phone when it rings (response groups), it's not fit for purpose, so we have decided to scrap it for now. We may revisit the mobile phone side functionality in a couple of years.
10-18-2017 08:53 AM
Please watch this recording on Ignite from one of our PMs.
It explains the roadmap for onprem customers only (it's coming)
As for SfB RGS you are correct, we should not ring if it's not supported.
Let me know if the recording answers your auth questions in any way.
10-27-2017 04:17 AM - edited 10-27-2017 08:02 AM
Yes, the video was very enlightening. A very informative roadmap of what's to come. It would be pointless to go down this route though, as we would still need to set up a new Skype for Business Server and go down the modern authentication path, create at least 1 account for Azure (possibly 10 accounts for admins to use), and a new Exchange server. And even when we do that, the on premise Exchange and Skype still do not fully support the mobile Skype for Business client. Also this is far too much work (I don't even require modern auth). I just need the Skype for Business application on the mobile phone to be able to authenticate to the Exchange server in the same way that other stock apps already authenticate to Exchange using Certificate Based Authentication.
Surely the people who write the code for the Skype for Business application can add some code to connect to Exchange using a user certificate. Maybe Microsoft should fix CBA before moving on to MA.
11-24-2017 01:35 PM
Just to understand your requirement precisely: you are searching for a solution where you have CBA enabled for EWS and expect SfB to leverage that? Because SfB leverages EWS.
I believe on your Exchange setup you enabled CBA only for ActiveSync. Is it a hard requirement that EWS needs to be protected by CBA?
11-27-2017 04:10 AM
Yes that's exactly my predicament. We have Certificate Based Authentication configured only for Exchange Active Sync and yes unfortunately this is a requirement.
And yes we would like the Skype for Business app to also be able to connect to the EWS for Exchange Active Sync using the same method (CBA).
11-27-2017 06:30 AM
I'm a bit confused. If you have CBA only protecting ActiveSync then EWS should work as it's not protected by CBA.
I looked in our internal database and figured out that EWS with CBA is not supported. In some scenarios EWS might work, but I believe the supported scenarios are described in the following article only:
So, to answer it finally: if you have EAS protected by CBA and EWS not, then SfB mobile would use EWS without an issue. If your requirement remains to have EWS protected by CBA, I would recommend that you open a support case and perhaps file a formal request for an answer from the Exchange Product Group. But before you start implementing this: as stated before, there is no supportability for it.
11-27-2017 07:55 AM
11-27-2017 09:45 AM
Well, that explains it :) I believe the story is clear then. CBA on EWS is a no go, then you are routed to MA where you need to have synced up users to leverage EvoSTS, otherwise I believe there is no other solution. We can't update the SfB app to support something which isn't supported by Exchange :)