UCPrimer
  • Tech Blog
  • About UCPrimer.com

Modern Authentication with Polycom VVX Phones using ADFS

2/28/2017

6 Comments

 
This article explains in detail how Modern Authentication works with the new firmware release UCS5.5.1 for the Polycom VVX family of handsets in an ADFS Federated Identity environment. Polycom VVX phones are a family of Office365 qualified IP phones for Skype for Business. First we go recap some of the basics of what Modern Authentication is and how it works and then show the user experience of the phone user interface during sign-in using modern authentication via the Web Sign-in method available in UCS5.5.1. Fellow MVP Jeff Schertz has covered all the new phone features for this firmware release in his blog post here and thus will not be repeated in this article. We will also provide some debug logs captured on the phone during the sign-in process which may assist in troubleshooting if something does not work.
What is Modern Authentication and why use it?
Modern Authentication is a new method of granting access to all Office365 workloads for a wide range of client platforms including Office2016, Skype for Business 2016 as well as mobile devices running Windows, iOS and Android. It is the newer and preferred method for accessing Office365 workloads such as Skype for Business Online and Exchange Online in comparison to legacy authentication methods based on the Microsoft Online Sign-in Assistant (OrgID) or basic authentication. To align with Microsoft's strategy, Polycom has already started to use modern authentication for its VVX family of IP Phones in UCS 5.5.1 and in the very near future, also for Polycom Group Series room systems as well which is currently undergoing Office365 qualification testing. Modern Authentication is based on OAuth2.0 which is an open standard for token-based authentication and authorization particularly suited for cloud services on the internet because it gives identity providers with the ability to grant third-party access to web resources without sharing a password. OAuth was first released in 2007 as an authentication method for the Twitter API and in 2010, the IETF OAuth Working Group published OAuth 2.0, an improved version of OAuth with new features such as new flows, simplified signatures and short-lived tokens with long-lived authorizations. In Office365, these tokens are known as Access Tokens and Refresh Tokens respectively. Another advantage of using OAuth is the ability to support 3rd party STS providers such OKTA and Centrify as well as Multi-Factor Authentication (MFA). OAuth was originally created for web-based applications and so for rich clients such as Office2016, Microsoft provides the .NET Framework Active Directory Authentication Library (ADAL) that these applications can use to access Office365 workloads authenticating against the STS service Azure AD and an on-premise AD deployment via ADFS as described in this environment. At a high level, the OAuth authorization flow can be illustrated in the diagram below:
Picture
User Experience with VVX Web Sign-in via ADFS using Modern Authentication
To begin the sign-in experience walkthrough, on a VVX phone the user first selects the Web Sign-in Option shown below on the left. The phone will contact the online service to get a unique keycode and will display this keycode along with the browser URL shown below on the right:
Picture
Picture
On the phone, this process can be seen in the following log entries:

0222131959|Devic|2|00|Sent request for Device Configuration:https://bootstrap.pinauth.services.skypeforbusiness.com:443/api/DeviceConfig/Polycom/Default?api-version=1.0 (0X1136179904)
0222131959|Devic|2|00|S/E(sSDevicePairGetAADUrlAndClientID,kBaseEventInit),rO(5)
0222131959|Devic|2|00|<\SM>(302)DevicePairingStateMachine(0x43b8bac0):Ctx((304),(5),Ticks(0))
0222132000|Devic|2|00|<SM>(302)DevicePairingStateMachine(0x43b8bac0):Ctx((304),(301)kEDevicePairOnRecvDataResponse,Ticks(0))
0222132000|Devic|2|00|parseAndSaveRequiredInfo -> eRequestID (1)
0222132000|Devic|2|00|DeviceConfiguration Data: AadEndpointUrl[https://login.microsoftonline.com/] ClientId[131c22db-3591-4fc8-a305-55444fa5ccd3]  DevicePairingWebsiteUrl[http://aka.ms/sphone] GraphAPIUrl [https://graph.windows.net] AutoDiscoverUrl [https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root?] ExchangeOnlineAutoDUrl [https://outlook.office365.com/]
...

0222132001|Devic|2|00|parseDeviceInformation: user_code[HPMVGCDTX] device_code[HAQABAAEAAADRNYRQ3dhRSrm-4K-adpCJY-WmFgs_D0UqCU-R1ZU7WsOLHlGH2qgAd7j2LpZXFKHYAKkHNk8238TOCU3J5IyjyLJJy9BN27L3t7LnhohWeitj7dGTuVurO58IYwljpz7kEtcsVMXkbDNXADL9SeYRd0wr4uQl2ppyRSmNNzmHwyAA]  verification_url[https://aka.ms/devicelogin]  expires_in[900]  interval[5]

Next the user users a browser to navigate to http://aka.ms/sphone which shows a Skype for Business Web Sign-in page asking for the address as shown on the left below. Here we need to enter the phone's SIP Address and then click on "Verify email". When the sign-in page detects that we are using an on-premise ADFS AD Federated identity, it then redirects the login to our ADFS Proxy server in the DMZ and provides a pop-up windows asking for credentials as shown on the right below:
Picture
Picture
On the web browser we need to enter the unique keycode generated during the first step after which it will display a successful login on the web browser as shown in the diagrams below:
Picture
Picture
Once the authentication flow is successful, the STS service in Azure AD will return a Refresh Token and an Access Token back to the phone. Again on the phone, this process can be seen in the following log entries:

0222132415|Devic|2|00|S/E(sSDevicePairGetRefreshAndIdTokens,),rO(5)
0222132415|Devic|2|00|<\SM>(302)DevicePairingStateMachine(0x43b8bac0):Ctx((306),(5),Ticks(0))
0222132415|Devic|3|00|DevicePairingService's Ticked,Reason(Timer),Count/Size(1/1),Stop? (Yes)
0222132415|Devic|2|00|<SM>(302)DevicePairingStateMachine(0x43b8bac0):Ctx((306),(301)kEDevicePairOnRecvDataResponse,Ticks(0))
0222132415|Devic|2|00|parseAndSaveRequiredInfo -> eRequestID (3)
0222132415|Devic|2|00|parseIDRefreshTokenData: access_token[eyJ0eXAiOiJKV1QiLCJh...] refresh_token[AQABAAAAAADRNYRQ3dhR...] id_token[eyJ0eXAiOiJKV1QiLCJh...]token_type [Bearer]
Having obtained the tokens, the phone proceeds to sign into Skype for Business Online and shortly will complete the sign in process and display the home page on the phone as shown below:
Picture
Again on the phone, this sign in process can be seen in the following log entries:

0222132535|sip  |0|00|    REGISTER sip:ucprimer.com;transport=tls SIP/2.0
0222132535|sip  |0|00|    Via: SIP/2.0/TLS 10.222.202.232:60618;branch=z9hG4bK323718ed169BD992
0222132535|sip  |0|00|    From: "vvx" <sip:vvx@ucprimer.com>;tag=B9A92F89-6F6343CE;epid=0004f2ae4b0d
0222132535|sip  |0|00|    To: <sip:vvx@ucprimer.com>
0222132535|sip  |0|00|    CSeq: 2 REGISTER
0222132535|sip  |0|00|    Call-ID: 7fae79d87a29829ae54a8b3071ae4b0d
0222132535|sip  |0|00|    Contact: <sip:vvx@10.222.202.232:60618;transport=tls>;methods="INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:43a160e1-13ce-5cc6-804c-4a288a2c1873>"
0222132535|sip  |0|00|    User-Agent: Polycom/5.5.1.11526 PolycomVVX-VVX_600-UA/5.5.1.11526
0222132535|sip  |0|00|    Accept-Language: en
0222132535|sip  |0|00|    Ms-device-info: MAC=00-04-F2-AE-4B-0D, vendor=POLYCOM, version=PolycomVVX-VVX_600-5.5.1.11526
0222132535|sip  |0|00|    ms-keep-alive: UAC;hop-hop=yes
0222132535|sip  |0|00|    Supported: msrtc-event-categories,adhoclist,ms-cluster-failover,ms-userservices-state-notification,gruu-10,gruu
0222132535|sip  |0|00|    Event: registration
0222132535|sip  |0|00|    ms-subnet: 10.222.202.0
0222132535|sip  |0|00|    Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", targetname="SG20F03FES06.infra.lync.com", gssapi-data="FgMBAEQBAABAAwGS0Pl0EBC6TOz0gpjhtvXFtSAqobE5DDpeNvhd6Ls3MQAADgA5ADUAMwAvABYACgD/AQAACQAjAAAADwABAQ==", version=4
0222132535|sip  |0|00|    Max-Forwards: 70
0222132535|sip  |0|00|    Content-Length: 0
0222132535|sip  |0|00|
0222132535|sip  |0|00|>>> End of data send
0222132535|sip  |1|00|CTcpSocket::SendData TLS queuedTxData = 0 TotalLen 1180 loop count 1 maxQueueDepth 40000
0222132535|sip  |1|00|CTcpSocket::SendData TLS Sent 1180 loop count 1
0222132535|AuthS|0|00|Policy Dest:(201)AuthServicePolicyServiceKey:(102)AuthServiceUCMsgKey:(205)AuthSvcAOServiceRequestKey
Caller Service(-1):IndicationCode(0)
,TransactionID(-1)Data:SD:Key Data(User Key/Operation Key/Url Key):Uri:vvx@ucprimer.com
User/Domain:vvx@ucprimer.com,
Url:

Operation:(102)AuthServiceUCMsgKey,Caller Service:(-1)Url,TransactionId:,-1
UrlKey(Operation,CallerService,Url):(-1),(-1),https://webpoolsg20f03.infra.lync.com:443/CertProv/CertProvisioningService.svc
Secondary Key:
Token Key/Data:TokenKey
0222132535|AuthS|0|00|Policy Dest:(201)AuthServicePolicyServiceKey:(102)AuthServiceUCMsgKey:(206)AuthSvcAOServiceReplyKey
Caller Service(-1):IndicationCode(200)Got User Certificate
,TransactionID(-1)Data:SD:Key Data(User Key/Operation Key/Url Key):Uri:vvx@ucprimer.com
User/Domain:vvx@ucprimer.com,
Url:

Operation:(102)AuthServiceUCMsgKey,Caller Service:(-1)Url,TransactionId:,-1
UrlKey(Operation,CallerService,Url):(-1),(-1),https://webpoolsg20f03.infra.lync.com:443/CertProv/CertProvisioningService.svc
Secondary Key:
Tok
0222132535|AuthS|0|00|Reqponse(-1)AuthSvc,(102)AuthServiceUCMsgKey,(-1)pps,(14),(Expiry,TransactionId,Time,Type):(-1,-1,1487741135,1)IndicationCode:(200)Got User Certificate
0222132535|app1 |2|00|MsgAppRegistrationInternalState: Received, State 3
0222132535|sip  |1|00|SipGotNewUserCert: pstNewUserCert[1131886644]
0222132535|sip  |3|00|TLS-DSK:soWebTicketCbFunc: the event type is 9
0222132535|sip  |4|00|TLS-DSK:soWebTicketCbFunc: Unhandled event received from webRTicket [9]
0222132535|sip  |0|00|<<< Data received TLS
0222132535|sip  |0|00|    SIP/2.0 401 Unauthorized
0222132535|sip  |0|00|    ms-user-logon-data: RemoteUser
0222132535|sip  |0|00|    Date: Wed, 22 Feb 2017 05:27:25 GMT
0222132535|sip  |0|00|    WWW-Authenticate: TLS-DSK opaque="E30C2F6B", gssapi-data="FgMBEpUCAABNAwFYrSE904RvQRJWMPI6iQMjy3nY+3aknmx+wJ+dJy2LqCAINQAA0RKZigYWhn8LQ9HKBSR44CbenbXV2RE7NH5pbwA1AAAF/wEAAQALABIyABIvAAZwMIIGbDCCBFSgAwIBAgITWgAAx/PyNCBy00od+AABAADH8zANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UECxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgU1NMIFNIQTIwHhcNMTUwMzEzMjM0MzE3WhcNMTcwMzEyMjM0MzE3WjAcMRowGAYDVQQDDBEqLm9ubG
0222132535|sip  |0|00|   
Web Sign-in Authentication Flow Summary
Its worth to note that the Web Sign-in process flow on a VVX is different from a typical modern authentication flow from a SfB client as the phone will not receive tokens directly from the ADFS server. Based on wireshark traces on the VVX during web sign-in, the high level authentication flow can be summarized in the following diagram:

1. User initiates Web Sign-in on the phone
2. Phone registers with Device Paring Service https://bootstrap.pinauth.services.skypeforbusiness.com:443 and gets a device pairing code
3. User login on the browser using the SIP Address
4. User gets redirected by Azure AD oAuth Service to our on-premise ADFS Proxy and is prompted to enter credentials
5. After credentials are validated ADFS provides the claims token to Azure AD STS
6. After entering the pairing code to Azure AD, Azure AD STS returns Refresh and Access tokens to the phone
7. Phone uses access token to authenticate with Skype for Business Online
Picture
Conclusion
Its also important to note that Web Sign-in for the VVX is not supported for on-premise Skype for Business deployments at this time. Only Skype for Business Online accounts can be used. For more information, see https://support.office.com/en-ie/article/Deploying-Skype-for-Business-Online-phones-faa17eb3-7483-4984-87f2-815d981b68ae

To learn more about Modern Authentication, please visit the following websites:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
https://docs.microsoft.com/en-sg/azure/active-directory/develop/active-directory-protocols-oauth-code
6 Comments
Tim
3/28/2017 11:30:14 am

Is it safe to assume that in a scenario where device based conditional access is used, the login won't work?

Reply
Brennon link
4/3/2017 08:36:08 pm

Hi Tim

The Web-Sign in mechanism uses modern authentication but not in the same way as normal modern auth applications do. Therefore I do not believe it will work with device based conditional access.

Reply
Rob Young
6/5/2017 06:28:48 pm

just curious, we actually use BTOE and we have the users sign in with paired client option. We use modern authentication for our tenant but we have an issue because we require users to change their password every 30 days which impacts the VVX devices. (sometimes locks out their account) Any thoughts on how we could overcome this issue other than having the user sign out of their phone prior to changing their windows credentials?

Brennon link
6/21/2017 12:57:31 am

Hi Rob

The new Resource Manager 10.1 from Polycom has a feature that can change the password on the phone. Check out http://support.polycom.com/content/support/North_America/USA/en/support/network/management_scheduling/realpresence_resource_manager.html

Reply
KEvin Betts link
5/2/2019 08:55:16 am

Just to clarify, according to what I am reading UCS5.5.1 Firmware for the VVX Polycom phones support OAuth2.0?

Reply
Brennon link
5/2/2019 11:47:13 pm

Yes it does. Are you having any issues?

Reply

Your comment will be posted after it is approved.


Leave a Reply.

    Picture
    Picture

    Important Links

    Microsoft Teams Docs
    Microsoft Learn

    ​Microsoft MVP Blogs

    Michael Tressler’s Blog
    Michael’s MTR Quick Tip Videos
    Jimmy Vaughan’s Blog
    Jeff Schertz
    Adam Jacobs
    James Cussen
    ​Damien Margaritis

    Archives

    September 2022
    August 2022
    March 2022
    February 2022
    January 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    June 2021
    April 2021
    March 2021
    December 2020
    October 2020
    September 2020
    August 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    March 2019
    November 2018
    October 2018
    September 2018
    August 2018
    June 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    August 2017
    July 2017
    April 2017
    March 2017
    February 2017
    January 2017
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    January 2016
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    August 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    September 2012
    August 2012

    Categories

    All
    Edge
    Exchange 2013
    Hybrid
    Lpe
    Lync 2010
    Lync 2013
    Mobility
    Oauth
    Office365
    Polycom
    Ucs

    RSS Feed

    This website uses marketing and tracking technologies. Opting out of this will opt you out of all cookies, except for those needed to run the website. Note that some products may not work as well without tracking cookies.

    Opt Out of Cookies