SOLVED

Skype for Business Mobile App + Smart Card Required

I'm using Skype for Business via my Office 365 subscription, and my domain in Office 365 is federated against my on-prem AD FS infrastructure. My user in the local AD has the option "Require Smart Card for interactive logon" enabled, which means that I do not know my own AD password.

When I tried to log in to Skype for Business on my Android phone, the app wanted my username and password to sign in, but unfortunately the password is unknown to me since I have "Require Smart Card for interactive logon" enabled in local AD.

Is there any way for me to get the Skype for Business app to work on my phone (Android & iOS) without knowing my own AD password?

23 Replies

Have you enabled Modern authentication for your tenant (both SfB and ExO)? Also, is the password prompt directly from the app, or does it redirect you to the AD FS server first?

The steps to enable MA are here: https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-y...
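As an added example (not part of the thread or the linked article), the following PowerShell check reports whether Modern Authentication is switched on for both Skype for Business Online and Exchange Online; it assumes both remote PowerShell sessions are already imported, and the function name is hypothetical.

```powershell
# Added example: report whether Modern Authentication (OAuth/ADAL) is enabled
# for Skype for Business Online and Exchange Online. When it is off, the SfB
# client shows its own username/password prompt instead of redirecting to AD FS.
# Assumes an imported Skype for Business Online session (New-CsOnlineSession)
# and an imported Exchange Online remote PowerShell session.

function Get-ModernAuthStatus {
    [CmdletBinding()]
    param()

    # Skype for Business Online: ClientAdalAuthOverride is NoOverride (off, the
    # default), Allowed (on) or Disallowed (explicitly off).
    $sfb = Get-CsOAuthConfiguration
    $sfbEnabled = ($sfb.ClientAdalAuthOverride -eq 'Allowed')

    # Exchange Online: OAuth2ClientProfileEnabled is a plain boolean.
    $exo = Get-OrganizationConfig
    $exoEnabled = [bool]$exo.OAuth2ClientProfileEnabled

    [pscustomobject]@{
        SfBOnlineModernAuth      = $sfbEnabled
        SfBSetting               = $sfb.ClientAdalAuthOverride
        ExchangeOnlineModernAuth = $exoEnabled
        BothEnabled              = ($sfbEnabled -and $exoEnabled)
    }
}

$status = Get-ModernAuthStatus
$status | Format-List

if (-not $status.BothEnabled) {
    Write-Warning 'Modern Authentication is not enabled on both services; clients fall back to the legacy credential prompt.'
    Write-Host 'To enable it (tenant-wide change, verify in a test tenant first):'
    Write-Host '  Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed'
    Write-Host '  Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
}
```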

Unfortunately, the scenario you describe is probably not supported.

The mobile client was not designed to support smart cards.

JP

Modern authentication is not enabled in the tenant for SfB or ExO.

The password prompt is directly from the application; it does not redirect me to my AD FS login page.

Actually, the SfB mobile application requires a password before it's even possible to sign in; I'm unable to continue without specifying a password (the arrow button is grayed out).

That's where MA should help. Though I've had limited success in actually making it work on mobile devices (well, Windows Phone).

Once you enable MA, it should redirect you to the AD FS server, where you can surface additional auth options.

best response confirmed by jocke andersson (Copper Contributor)
Solution

MA will not help in this case, as the Skype for Business mobile app will still require you to enter a username and password.

Oh well, so much for SfB supporting ADAL I guess :)

Skype for Business Online does support ADAL when MA is enabled.

The limitation is within the Skype Mobile client.

Yup, that's what I meant, SfB mobile :) I've been doing demos with the desktop client/ADAL for a while now, but since I use Windows Phone I always assume that the limitations are specific to that version, not across all mobiles.

Anyway, definitely something the mobile team needs to work on. Modern auth has been around for two years now; it's unacceptable to have first-party apps that still don't support it...

Thanks a lot for your help!

Have a look at Certificate Based Authentication. This may be a suitable option for sign-in, as neither the username nor the password is required to log in.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentic...

Unfortunately, the mobile client doesn't support auth methods other than username/password, as @Jean-Philippe Breton mentioned above.

The table in the link I pasted seems to indicate CBA is supported for SfB Mobile when using SfBO.

Also, this link here shows the supported topologies for Modern Auth, which includes CBA for SfBO in the first table (Cloud Only). This is probably the best link on TechNet for understanding the technical nuances between each topology and what's available with each.

https://technet.microsoft.com/en-us/library/mt803262.aspx

Good point, Shawn... forgot about cert based auth.

I have deployed AD CS cert based auth as an MFA option. However, it still requires the mobile client to enter username and password first. It doesn't replace that.

I contacted Alex Simons yesterday from the IDAM PG to get some more clarity on the expected behavior in SfB when using CBA. My understanding of CBA was that no username/password was required, as CBA is Certificate Based Auth leveraging OAuth/ADAL (at least that was my understanding when this feature was released and when I was initially researching CBA for SfB Mobile). If a u/p still has to be entered, then that's hardly any different to the native NTLM/TLS-DSK support that's been part of SfB Mobile since Lync 2013, although NTLM/TLS-DSK is obviously not MFA. Admittedly the initial auth uses NTLM, but subsequent auths use the cert issued from the provisioning service. CBA has been something customers have been asking for for a while. If its use is restricted just to MFA, then in my opinion that kind of makes the feature redundant, especially for enterprise customers who do not allow the use of credentials or NTLM over the internet.

I've been meaning to lab this for quite some time so I can observe the behavior. Sounds like that time is now, @Mark Vale! Sorry for hijacking your thread, OP!

Get it done Harry!

For anyone else following the thread, the below is pertinent for CBA, although on-premises infrastructure (PKI & AD FS) is still required even for a cloud-only deployment.

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-certificate-based-authentic...

Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

Testing Office mobile applications

To test certificate-based authentication on your mobile Office application:

  1. On your test device, install an Office mobile application (e.g., OneDrive).
  2. Launch the application.
  3. Enter your user name, and then select the user certificate you want to use.

I have CBA set up and can confirm it works correctly for mobile Office apps. The SfB mobile app does NOT work with it, however. I've always assumed that's the case for Windows Phone only, as I am one of those retarded WP users indeed :)

But it does look like it's a limitation for the current ADAL implementation for SfBO mobile clients...

The link I posted says "Windows, Android or iOS device" are the supported endpoints. It doesn't explicitly say Windows Phone...? Do you have an Android or iOS device you can test on? There is an Android emulator called BlueStacks that may work as an alternative, as the SfB Mobile client works inside of the BlueStacks emulator.