Provisioning Exchange Online for Lync Hybrid Part II

11/26/2014

In the previous blog post we started on provisioning Exchange Online mailboxes for a Lync Hybrid environment where some users are hosted on Lync on-premise and some on Lync Online. Here in part 2 of this series, we complete the integration between Exchange Online and Lync Hybrid so that users can access all of the Lync-Exchange integration features. The table below shows the features that are available with Lync Hybrid and Exchange Online:
Picture
One obvious limitation of not having completed the integration steps is that users who log in to Outlook Web App via the Office 365 portal will not be able to schedule Lync Online Meetings, as shown in the screen capture below:
Picture
We may recall that for a typical on-premise deployment of both Lync and Exchange, we had to configure server-to-server authentication between the two servers by running the Configure-EnterprisePartnerApplication.ps1 script on Exchange Server 2013 and the New-CsPartnerApplication cmdlet on Lync Server 2013. The steps for this can be found in this TechNet article. For Lync Hybrid with Exchange Online we basically need to do the same thing, except that we are configuring server-to-server authentication in a cross-premises environment. In fact these steps are also provided in this TechNet article, which this blog post is based on, but here I provide a more detailed explanation of what is happening plus other vital pieces of information.

To begin, we first need to export the OAuth certificate from the Lync server. For a FE pool this certificate is typically found on the first FE server installed, and it can be seen by running the Lync Deployment Wizard on that server and then running the Certificate Wizard, as shown below:
Picture
We can run the Certificates MMC to export the OAuth certificate as shown below, but the critical part is to make sure the certificate is exported in the Base64 encoded .cer format. If we export the certificate using the DER encoded format, the integration will simply not work:
Picture
Picture
Save the certificate file to the local drive as we will need it in a later step. Next, we find out what our TenantID is. To do this, open Windows PowerShell on the Lync FE server and start a New-CsOnlineSession. Then run the Get-CsTenant cmdlet as shown below:
Picture
With the TenantID, we now create a new OAuth server using the "New-CsOAuthServer" cmdlet with the identity "microsoft.sts" in the Lync Server Management Shell, as shown below:
Picture
Next, we create a new Lync Partner Application for Exchange Online using the "New-CsPartnerApplication" cmdlet. The identity of this new partner application is "microsoft.exchange", and for Exchange Server the Application Identifier is "00000002-0000-0ff1-ce00-000000000000". We also need to specify the "-UseOAuthServer" switch. After creating the Partner Application we need to run the "Set-CsOAuthConfiguration" cmdlet to set the service name to "00000004-0000-0ff1-ce00-000000000000", which is actually the Application Identifier of Lync Server. This sequence of cmdlets is shown below:
Picture
Now we proceed to configure a trust relationship between Lync Server 2013 and the authorization server, and a second trust relationship between Exchange Online and the authorization server. This can only be done by using the Microsoft Online Services cmdlets. If not already done, first download and install the 64-bit version of the Microsoft Online Services Sign-in Assistant and the 64-bit Windows Azure Active Directory Module on the Lync FE server. Open the Windows Azure AD Module and import the "MSOnlineExtended" module. Then run "Connect-MsolService" to connect to your tenant (it will ask you for your tenant admin credentials). Then run the "Get-MsolServicePrincipal" cmdlet to make sure we are connected successfully; the Service Principal information should be returned. This sequence of cmdlets is shown below:
Picture
The next step is to import, encode, and assign the OAuth certificate that was exported earlier. To import and encode the certificate, we run the following cmdlets:

# Load the Base64 encoded .cer file exported from the Lync FE server
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("<complete pathname of oAuthCertificate>")
# Take the raw (DER) certificate bytes and Base64 encode them; this string becomes the credential value
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

After the certificate has been imported and encoded, we can assign it to the Office 365 service principals. To do that, we first create a new Service Principal Credential for Lync using the "New-MsolServicePrincipalCredential" cmdlet with the "AppPrincipalID" for Lync Server, which is "00000004-0000-0ff1-ce00-000000000000". To verify this was successful we run the "Get-MsolServicePrincipalCredential" cmdlet to return the results. My example of the completed steps is shown below:
Picture
Next, and it is easy to miss this step, we repeat the same cmdlet but this time for Exchange Server, which has the "AppPrincipalID" of "00000002-0000-0ff1-ce00-000000000000".
Picture
We're now at the home stretch. The last step involves enabling the Exchange Online Service Principal and configuring your on-premise Lync Server 2013 as an Office 365 service principal. That can be done by carrying out the following cmdlets:

# Enable the Exchange Online service principal
Set-MSOLServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true

# Register the on-premise Lync external web services FQDN as an SPN on the Lync service principal
$lyncSP = Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
$lyncSP.ServicePrincipalNames.Add("00000004-0000-0ff1-ce00-000000000000/<Your On-Prem Lync External Web Services FQDN>")
Set-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames

The completed sequence of cmdlets is shown below:
Picture
To verify that the cmdlets ran successfully, run "Get-MsolServicePrincipal" with the Lync AppPrincipalID and check that the on-premise external Lync web services FQDN has been added successfully, as shown below:
Picture
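As an added example (not part of the original post), the following PowerShell script pulls the checks from the steps above into one pre-flight and post-configuration pass: it confirms the exported .cer is Base64 rather than DER, computes the credential value the same way as the cmdlets above, and then verifies that both Office 365 service principals hold that certificate and that the Lync SPN is registered. The certificate path and FQDN are placeholders, it assumes Connect-MsolService has already been run, and it relies on the -ReturnKeyValues parameter of Get-MsolServicePrincipalCredential from the MSOnline module to compare the stored key.

```powershell
# Added example, not from the original post. Run after Connect-MsolService.
param(
    [string]$CerPath = 'C:\Temp\OAuthCert.cer',       # placeholder: path to the exported .cer
    [string]$LyncExtWebFqdn = 'lyncweb.contoso.com'   # placeholder: on-prem Lync external web services FQDN
)

$LyncAppId     = '00000004-0000-0ff1-ce00-000000000000'  # Application Identifier of Lync Server
$ExchangeAppId = '00000002-0000-0ff1-ce00-000000000000'  # Application Identifier of Exchange

# 1. The post requires a Base64 encoded .cer. A PEM file starts with the BEGIN marker;
#    a DER file starts with a binary 0x30 (ASN.1 SEQUENCE) byte and has no such header.
$head = [System.IO.File]::ReadAllText($CerPath, [System.Text.Encoding]::ASCII).TrimStart()
if (-not $head.StartsWith('-----BEGIN CERTIFICATE-----')) {
    throw "$CerPath is not Base64 encoded (looks like a DER export); re-export as Base64 .cer"
}

# 2. Load the certificate and derive the credential value exactly as the post does.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($cert.NotAfter -lt (Get-Date)) { throw "OAuth certificate expired on $($cert.NotAfter)" }
$expected = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 3. Both service principals must carry the certificate; forgetting the Exchange one
#    is the easy-to-miss step, so check each AppPrincipalId independently.
foreach ($appId in @($LyncAppId, $ExchangeAppId)) {
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true
    $match = $creds | Where-Object { $_.Type -eq 'Asymmetric' -and $_.Value -eq $expected }
    if ($match) {
        Write-Host "OK       $appId holds certificate $($cert.Thumbprint), valid until $($match.EndDate)"
    } else {
        Write-Warning "MISSING  $appId has no credential matching certificate $($cert.Thumbprint)"
    }
}

# 4. The on-premise Lync external web services FQDN must be present as an SPN
#    on the Lync service principal, in the form "<AppId>/<FQDN>".
$lyncSP = Get-MsolServicePrincipal -AppPrincipalId $LyncAppId
$spn = "$LyncAppId/$LyncExtWebFqdn"
if ($lyncSP.ServicePrincipalNames -contains $spn) {
    Write-Host "OK       SPN $spn is registered"
} else {
    Write-Warning "MISSING  SPN $spn not found; repeat the Set-MsolServicePrincipal step"
}
```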
Conclusion
If all the above steps are completed successfully, we should now be able to log in to the Office 365 Portal and open Outlook Web App. Then go to the Calendar and create a new event. This time the Online Meeting icon should display correctly, as shown below, and clicking on that icon will create a new Lync online meeting invite with the online meeting join URL. This should work for both users homed on Lync Online and users homed on Lync on-premise.
Picture
5 Comments
Johnny
7/8/2015 06:06:48 am

The AppPrincipalId "00000004-0000-0ff1-ce00-00000000000" used in the New-MsolServicePrincipalCredential statement is short one zero in the last set of zeros, which will error out. Adding one more zero to the string will run the statement properly.

Reply
Jason
11/9/2015 08:38:25 am

Thank you author of this magnificent article, and also thanks Johnny for catching that, it worked for me!

Reply
Neeraj
2/17/2017 01:13:27 pm

Thanks for this write up. Had missed the setup of OAuth on the Exchange side, and that was preventing SSCH from working on mobile and Mac SfB clients.

Reply
Jared
11/8/2017 08:28:40 am

I've followed this to the letter and integration is working (IM & Presence). I now get the option to add Skype meetings in OWA, however, once I click the button it has a banner message popup that states: "Your skype meeting has been created. We'll add joining details after the invitation has been sent". The problem is, the recipient never gets the joining details... and neither does the sender. Any ideas?

Reply
Brennon
1/22/2018 10:19:21 pm

Hi Jared

It could be due to the issue described in this article
https://support.microsoft.com/sw-ke/help/2565604/can-t-schedule-skype-for-business-online-meetings--see-presence-info

Reply