UCPrimer

Enable Hybrid Modern Authentication for Skype for Business on-premise

11/30/2017

Since the May 2017 cumulative update, modern authentication has been available for Skype for Business Server on-premises. This post covers what hybrid modern authentication (HMA) is, why you should use it, what its limitations are, and how to deploy it in a Skype for Business on-premises hybrid environment with Azure AD. We walk step by step through configuring the on-premises servers and the Office 365 tenant, and then look at how HMA affects Skype for Business certified IP phones.
What is Hybrid Modern Authentication (HMA) and why should you use it?
The basics of HMA are well explained in Microsoft's overview at https://aka.ms/ModernAuthOverview, so here I only summarize the key points. HMA is a newer authentication and authorization method that first became available in Office 365 and has now been extended to Skype for Business hybrid split-domain and Exchange hybrid environments. Modern Authentication is based on the open-standard OAuth 2.0 protocol and is implemented in Microsoft software and services through ADAL (the Active Directory Authentication Library). During sign-in, Skype for Business clients obtain OAuth access and refresh tokens from the Azure AD token service known as evoSTS, and the on-premises Skype for Business and Exchange servers accept those tokens and grant access. To obtain the tokens under HMA, the client must first be authenticated against on-premises Active Directory through ADFS; hence our environment is already configured with Azure AD Connect and ADFS, with Skype for Business on-premises in a hybrid split-domain configuration. Once the tokens are issued, the client does not need to authenticate again until the refresh token expires: by default a refresh token is valid for up to 90 days, while an access token is valid for 1 hour, and when an access token expires the client simply redeems its refresh token for a new one. Note that the refresh token is a bearer credential: anyone who obtains a copy of it can keep minting access tokens until it expires or is revoked, so protecting the device and its token cache matters as much as the initial password check.

Once HMA is configured, the environment can start to use Azure AD security capabilities such as multi-factor authentication and conditional access, as well as Intune mobile application management (MAM) policies. However, not every client supports every feature that HMA enables; Microsoft documents which features are available to which clients at https://aka.ms/ModernAuthUpdate
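To make the token flow above concrete, here is a PowerShell helper that decodes an Azure AD access token and checks the claims an on-premises Skype for Business web service relies on: issuer, audience and expiry. This is an added example and not code from the original post or from Microsoft. It deliberately does not verify the signature (the server does that against the evoSTS federation metadata), and the token, tenant ID, user and FQDNs at the bottom are constructed for illustration.

```powershell
# Added example (not from the original post): decode an Azure AD (evoSTS) access token and
# check the claims an on-premises SfB web service cares about. No signature validation here;
# the server does that against the evoSTS metadata. The token below is CONSTRUCTED, with a
# fake signature segment, and the tenant ID / FQDNs / user are assumptions.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    # Splits a compact JWS (header.payload.signature) and returns the decoded JSON parts
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT: expected three dot-separated segments' }
    [pscustomobject]@{
        Header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

function Test-SfbAccessToken {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        # The SPNs registered on the SfB Online service principal, e.g. https://lyncwebext.contoso.com/
        [Parameter(Mandatory)][string[]]$ExpectedAudience,
        [string]$TenantId
    )
    $claims = (Get-JwtClaims -Jwt $Jwt).Claims
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $result = [ordered]@{
        Issuer          = $claims.iss
        IssuerIsAzureAD = $claims.iss -like 'https://sts.windows.net/*'    # evoSTS (v1) issuer form
        Audience        = $claims.aud
        AudienceMatches = $ExpectedAudience -contains $claims.aud         # must equal a registered SPN
        NotExpired      = $claims.exp -gt $now
        LifetimeMinutes = [math]::Round(($claims.exp - $claims.iat) / 60)  # ~60 for a default access token
        User            = $claims.upn
    }
    if ($TenantId) { $result['TenantMatches'] = ($claims.tid -eq $TenantId) }
    [pscustomobject]$result
}

# --- Constructed sample token (assumed tenant ID, user and FQDNs; NOT a real token) ---
$tenant  = '11111111-2222-3333-4444-555555555555'
$iat     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url ([ordered]@{
    aud = 'https://lyncwebext.contoso.com/'
    iss = "https://sts.windows.net/$tenant/"
    tid = $tenant
    upn = 'alice@contoso.com'
    iat = $iat; nbf = $iat; exp = $iat + 3600
} | ConvertTo-Json -Compress)
$sampleJwt = "$header.$payload.ZmFrZS1zaWduYXR1cmU"   # third segment is base64url('fake-signature')

Test-SfbAccessToken -Jwt $sampleJwt -TenantId $tenant `
    -ExpectedAudience 'https://lyncwebext.contoso.com/', 'https://lyncwebint.contoso.com/'
# A token with AudienceMatches = False was issued by evoSTS for some other resource; the
# on-premises web service rejects it even though it is otherwise a valid Azure AD token.
```

The audience check is the one to watch during a rollout: the web service URLs you register as SPNs in the walkthrough below are exactly the values that have to show up in the aud claim, so a mismatch there (for example a missing trailing slash, or an external FQDN that was never registered) shows up as sign-in failures even though Azure AD issued a perfectly good token.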
What are the supported topologies and prerequisites?
There are four separate places where modern authentication can be enabled: the two Office 365 workloads, Exchange Online (EXO) and Skype for Business Online (SFBO), and the two on-premises servers, Skype for Business (SFB) and Exchange (EXCH). Microsoft documents the supported HMA topologies at https://technet.microsoft.com/en-us/library/mt803262.aspx. The topology used in our lab environment, EXO with SFBO and SFB, is not listed in that article, so we will enable MA on EXO, SFBO and SFB; there is no Exchange on-premises. On-premises AD with ADFS is our authentication server, and Azure AD evoSTS is the authorization server that issues tokens to clients. The diagram below shows this topology:
[Diagram: EXO + SFBO + SFB hybrid topology, with on-premises AD/ADFS as the authentication server and Azure AD evoSTS as the authorization server]
Deploying Hybrid Modern Authentication Walk-Through
Before configuring HMA we need to prepare the environment with the necessary prerequisites. Firstly, the Skype for Business on-premises servers must be on the May 2017 cumulative update (CU5, build 6.0.9319.281) or later. We check this with the Get-CsServerPatchVersion cmdlet on the SFB server; as shown below, our server is already on the required version:
[Screenshot: Get-CsServerPatchVersion output showing the installed components at build 6.0.9319.281 or later]
Secondly, we obtain the web service URLs with Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | fl, as shown below:
[Screenshot: Get-CsService -WebServer output listing PoolFqdn, InternalFqdn and ExternalFqdn]
Next, we connect to Azure AD remote PowerShell (the MSOnline module) and add the web service URLs obtained above as service principal names (SPNs) on the Skype for Business Online service principal, using the Set-MsolServicePrincipal cmdlet. This registration is what allows evoSTS to issue tokens whose audience is an on-premises web service. The steps are shown below:
[Screenshot: Get-MsolServicePrincipal / Set-MsolServicePrincipal steps adding the web service URLs as SPNs]
Now we can configure the Skype for Business on-premises server for HMA. First we check the existing OAuth configuration with Get-CsOAuthConfiguration; the ClientAuthorizationOAuthServerIdentity property is blank, meaning the server has not yet been enabled for HMA, as shown below:
[Screenshot: Get-CsOAuthConfiguration output with ClientAuthorizationOAuthServerIdentity blank]
Now we create the evoSTS OAuth server and cut over to HMA by pointing the on-premises server's OAuth configuration at it, using the New-CsOAuthServer and Set-CsOAuthConfiguration cmdlets as shown below. Note that this is the actual cutover: once ClientAuthorizationOAuthServerIdentity points at evoSTS, clients that support modern authentication will be sent to Azure AD for sign-in, so do it in a maintenance window and re-run Get-CsOAuthConfiguration afterwards to confirm the value took.
[Screenshot: New-CsOAuthServer and Set-CsOAuthConfiguration run on the on-premises server, followed by Get-CsOAuthConfiguration showing evoSTS]
We can also turn on modern authentication for SFBO by connecting to Skype for Business Online remote PowerShell and running the Set-CsOAuthConfiguration cmdlet there, as shown below:
[Screenshot: Set-CsOAuthConfiguration run in the Skype for Business Online remote PowerShell session]
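Pulling the steps above together, here is the whole cutover as one PowerShell script. This is an added example, not the post's own script or the contents of its screenshots: the cmdlets, the Skype for Business Online application ID (00000004-0000-0ff1-ce00-000000000000) and the federation metadata URL follow Microsoft's published HMA procedure for Skype for Business Server, while the FQDNs come from your own Get-CsService output. Steps 1, 2 and 4 run in the Skype for Business Server Management Shell; step 3 needs the MSOnline module; step 5 should run in a separate window so the online Set-CsOAuthConfiguration does not collide with the on-premises cmdlet of the same name. The Exchange Online command at the end is not shown in the post and is taken from the same Microsoft procedure.

```powershell
# Added example (not the post's own script). The well-known IDs and URLs are the ones in
# Microsoft's documented HMA procedure; everything derived from Get-CsService is your own data.

$RequiredBuild  = [version]'6.0.9319.281'                    # May 2017 CU5, as the post states
$SfbOnlineAppId = '00000004-0000-0ff1-ce00-000000000000'    # Skype for Business Online service principal
$EvoStsMetadata = 'https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml'

# --- 1. Prerequisite: every installed component must be at CU5 or later (SfB Management Shell)
$tooOld = Get-CsServerPatchVersion | Where-Object { [version]$_.Version -lt $RequiredBuild }
if ($tooOld) {
    $tooOld | Format-Table ComponentName, Version -AutoSize
    throw "Server is below build $RequiredBuild; install the May 2017 CU before enabling HMA."
}

# --- 2. Collect the internal and external web service FQDNs that clients will present tokens to
$webFqdns = Get-CsService -WebServer |
    ForEach-Object { $_.InternalFqdn; $_.ExternalFqdn } |
    Where-Object { $_ } | Sort-Object -Unique
$spns = $webFqdns | ForEach-Object { "https://$_/" }          # SPN form: scheme plus trailing slash

# --- 3. Register those URLs as SPNs on the SfB Online service principal in Azure AD (MSOnline module).
#        This is what lets evoSTS issue tokens whose audience is an on-premises web service.
Connect-MsolService
$sp = Get-MsolServicePrincipal -AppPrincipalId $SfbOnlineAppId
foreach ($spn in $spns) {
    if ($sp.ServicePrincipalNames -notcontains $spn) { $sp.ServicePrincipalNames.Add($spn) }
}
Set-MsolServicePrincipal -AppPrincipalId $SfbOnlineAppId -ServicePrincipalNames $sp.ServicePrincipalNames
# Verify: your on-premises URLs should now be listed next to the Microsoft-owned ones
Get-MsolServicePrincipal -AppPrincipalId $SfbOnlineAppId | Select-Object -ExpandProperty ServicePrincipalNames

# --- 4. On-premises cutover (SfB Management Shell): confirm HMA is off, register evoSTS, point clients at it
$before = Get-CsOAuthConfiguration
if ($before.ClientAuthorizationOAuthServerIdentity) {
    Write-Warning "Client authorization already points at '$($before.ClientAuthorizationOAuthServerIdentity)'"
}
if (-not (Get-CsOAuthServer -Identity evoSTS -ErrorAction SilentlyContinue)) {
    New-CsOAuthServer -Identity evoSTS -MetadataUrl $EvoStsMetadata `
        -AcceptSecurityIdentifierInformation $true -Type AzureAD
}
Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity evoSTS
Get-CsOAuthConfiguration | Select-Object ClientAuthorizationOAuthServerIdentity   # expect evoSTS

# --- 5. Skype for Business Online (run in a SEPARATE window: same cmdlet name as step 4)
Import-Module SkypeOnlineConnector
$sfbo = New-CsOnlineSession -Credential (Get-Credential -Message 'Office 365 admin')
Import-PSSession $sfbo
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride                   # expect Allowed
Remove-PSSession $sfbo

# --- Exchange Online (not shown in the post; from the same Microsoft procedure), in an EXO remote session:
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```

The two checks that are easy to skip are the ones worth keeping: the SPN listing after step 3 (a URL that never made it onto the service principal means evoSTS will not issue tokens for it) and the Get-CsOAuthConfiguration read-back after step 4, which is the same property the post shows as blank before the cutover.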