07-07-2017 06:37 AM
07-07-2017 06:37 AM
I'm using Skype for Business via my Office365 subscription and my domain in Office365 is federated against my on-prem ADFS-infrastructure. My user in the local AD have the option "Require Smart Card for interactive logon" enabled, which means that I do not know my own AD-password.
When I tried to login to Skype for Business on my Android phone, the app wanted my username and password to sign in, but unfortunately the password is unknown for me since I have "Require Smart Card for interactive logon" enabled in local AD.
Is there any way for me to get the Skype for Business app to work on my phone (Android & iOS) without knowing my own AD-password?
07-07-2017 11:10 AM
Have you enabled Modern authentication for your tenant (both SfB and ExO)? Also, is the password prompt directly from the app, or does it redirect you to the AD FS server first?
The steps to enable MA are here: https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-y...
07-10-2017 10:10 AM
Unfortunately, the scenario you describe is probably not supported.
The mobile client was not design to support Smart-Card.
07-11-2017 12:58 AM
Modern authentication is not enabled in the tenant for SfB or ExO.
The password prompt is directly from the application, it does not redirect me to my ADFS login page.
Actually the SfB mobile application require a password before its even possible to sign in, I'm unable to continoue without specifing a password (the arrow button is grayed out).
07-11-2017 12:13 PM
That's where MA should help. Though I've had limited success in actually making it work on mobile devices (well, Windows Phone).
Once you enable MA, it should redirect you to the AD FS server, where you can surface additional auth options.
07-12-2017 05:30 AMSolution
MA will not help in this case has the Skype Business Mobile app will still require to enter a username and password.
07-13-2017 12:03 PM
Skype for Business Online do support ADAL when MA is enable.
The limitation is within the Skype Mobile client.
07-13-2017 12:15 PM
Yup, that's what I meant, SfB mobile :) I've been doing demos with the desktop client/ADAL for a while now, but since I use Windows Phone I always assume that the limitations are specific to that version, not across all mobiles.
Anyway, definitely something the mobile team needs to work on, Modern auth has been around for two years now, it's unacceptable to have first-party apps that still dont support it...
07-26-2017 05:53 AM
Have a look at Certificate Based Authentication. This may be a suitable option for sign in as neither the username or password is required to login.
07-26-2017 10:29 AM
Unfortunatelly the mobile client doesnt support auth methods different from username/password, as @Jean-Philippe Breton mentioned above.
07-26-2017 11:39 AM - edited 07-27-2017 06:27 AM
The table in the link i pasted seems to indicate CBA is supported for SfB Mobile when using SfBO.
Also this link here shows the supported topologys for Modern Auth which includes CBA for SfBO in the first table - Cloud Only. This is probably the best link on Technet for understanding the technical nuances between each topology and whats available with each.
07-27-2017 05:58 AM
I have deployed ADCS Cert Based Auth as a MFA option. However it still requires the mobile client to enter username and password first. It doesn't replace that.
07-27-2017 06:16 AM - edited 07-27-2017 06:19 AM
I contacted Alex Simons yesterday from the IDAM PG to get some more clarity on the expected behavior in SfB when using CBA. My understanding of CBA was no username/password was required as CBA is Certificate Based Auth leveraging Oauth/ADAL. (at least that was my understanding when this feature was released and when i was initially researching CBA for SfB Mobile). If a u/p still has to be entered then thats hardly any different to the native NTLM/TLS-DSK support thats been part of SfB Mobile since Lync 2013, although NTLM/TLS-DSK is obviously not MFA. Admittedly the initial auth uses NTLM but subsequent auths use the cert issued from the provisioning service. CBA has been something customers have been asking for for a while. If its use is restricted just to MFA then in my opinion that kind of makes the feature redundant especially for enteprise customers who do not allow the use of credentials or NTLM over the internet.
I've been meaning to lab this for quite some time so i can observe the behavior. Sounds like that time is now @Mark Vale ! Sorry for hijacking your thread OP!
07-27-2017 09:04 AM
For anyone else following the thread the below is pertinent for CBA, although premises infrastructure is still required even for a cloud only deployment (PKI & ADFS).
Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
Testing Office mobile applications
To test certificate-based authentication on your mobile Office application:
07-27-2017 10:51 AM
I have CBA set up and can confirm it works correctly for mobile Office apps. SfB mobile app does NOT work with it however. I've always assumed that's the case for Windows Phone only, as I am one of those retarded WP users indeed :)
But it does look like it's a limitation for the current ADAL implementation for SfBO mobile clients...
07-27-2017 11:06 AM