Server-to-Server Authentication OAuth for On Premises Skype for Business Server 2015 and Exchange 2013

Skype for Business Server 2015 utilises other applications and server products and must be able to communicate securely and seamlessly with them.

Take for example the Unified Contact Store and Exchange 2013. If you want to configure Skype for Business Server to use Exchange 2013 to store contact data, you will need to have the Exchange Server and Skype for Business Server talking to each other securely.

Skype for Business Server 2015, Exchange 2013 and SharePoint Server all support a secure, standardised method for this communication: the OAuth (Open Authorization) protocol for server-to-server authentication and authorization. With OAuth, a standard authorization protocol used by a number of major websites, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization are based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time.

There are three server-to-server authentication scenarios that are supported by Skype for Business Server 2015:

  • An on-premises installation of Skype for Business Server 2015 and an on-premises installation of Exchange 2013 and/or SharePoint Server
  • A pair of Office 365 components (for example, between Microsoft Exchange Server and Skype for Business Server 2015, or between Skype for Business Server 2015 and SharePoint).
  • A cross-premises environment (that is, server-to-server authentication between an on-premises server and an Office 365 component).

If you do not need to communicate between any of these servers, you do not need to configure this. Also, if you already have configured server-to-server authentication for Lync Server 2013 and other applications, there’s no need to re-do it for Skype for Business Server 2015.

Configuring server-to-server authentication for an on-premises implementation of Skype for Business Server 2015 is fairly straightforward. Ensure that the Exchange Autodiscover service is working correctly beforehand. You will need to run some PowerShell in both the Skype for Business Server and Exchange management shells, and to have a valid certificate from your internal CA to use for OAuth.

Assign a certificate to the built-in Skype for Business Server 2015 token issuer.

When initially installing Lync Server 2013 or Skype for Business Server 2015, part of the Certificate Wizard runs you through installing an OAuth certificate. To check whether you already have an OAuth certificate assigned to Skype for Business Server, run the following command:

Get-CsCertificate -Type OAuthTokenIssuer


Get-CSCertificate –Type OAuthTokenIssuer to display OAuth Certificate

In the screenshot above, the certificate information is returned, showing I have one installed on Skype for Business Server 2015.

This information can also be obtained by using the Lync Server or Skype for Business Server deployment wizard.

Launch the Skype for Business Server Deployment Wizard and click Run Again on Step 3.


Skype for Business Server Deployment Wizard – Click Step 3 Run Again

You should see confirmation that the OAuth certificate is installed.


Confirm OAuth Certificate is in place

If you need to request, install and assign an OAuth certificate, you will need to run through the Certificate Wizard or use PowerShell to do so.
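The following is an added example, not part of the original post, showing how to check the certificate currently assigned to the OAuthTokenIssuer role from the Skype for Business Server Management Shell and flag the two things that quietly break server-to-server tokens: an expired (or soon-expiring) certificate and a certificate whose private key is not present on the server. It assumes Get-CsCertificate returns objects with Thumbprint, Subject, Issuer, NotAfter and Use properties; the Set-CsCertificate line it prints is the command you would use to assign a certificate by thumbprint.

```powershell
# Added example (not from the original post): inspect the certificate assigned to the
# Skype for Business Server OAuthTokenIssuer role and warn if it is missing, expiring,
# or lacks its private key. Run in the Skype for Business Server Management Shell.
# Assumption: Get-CsCertificate output carries Thumbprint, Subject, Issuer, NotAfter and Use.

param(
    [int]$WarnDays = 30   # warn when the certificate expires within this many days
)

$oauthCert = Get-CsCertificate -Type OAuthTokenIssuer -ErrorAction SilentlyContinue

if ($null -eq $oauthCert) {
    Write-Warning "No certificate is assigned to the OAuthTokenIssuer role."
    Write-Host "Assign one from your internal CA with, for example:"
    Write-Host '  Set-CsCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint <thumbprint>'
    return
}

# Get-CsCertificate may return more than one object (current and previous); report each.
foreach ($c in @($oauthCert)) {
    $daysLeft = [int]([datetime]$c.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Use        = $c.Use
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $daysLeft
    } | Format-List

    if ($daysLeft -le 0) {
        Write-Warning "OAuth certificate $($c.Thumbprint) has EXPIRED; server-to-server tokens will fail."
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "OAuth certificate $($c.Thumbprint) expires in $daysLeft days; renew and re-assign it."
    }

    # The token issuer signs tokens with the private key, so it must be in the
    # local machine store on this server, not just the public certificate.
    $storeCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $c.Thumbprint
    if ($null -eq $storeCert) {
        Write-Warning "Thumbprint $($c.Thumbprint) was not found in Cert:\LocalMachine\My."
    } elseif (-not $storeCert.HasPrivateKey) {
        Write-Warning "Certificate $($c.Thumbprint) has no private key on this server."
    }
}
```

Run it on each Front End server; the OAuth certificate is a global assignment, but the private key has to be present locally wherever tokens are issued.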

Configure the server that Skype for Business Server 2015 will communicate with as a partner application; in this case, that means configuring Exchange as a partner application.

With the certificate installed and assigned, you need to configure the partner applications, which in my case, will be Exchange 2013.

Consider the following for the script below. The last line of the script does not use the -Realm parameter and therefore uses the FQDN of my organisation. If my realm name was different from my organisation name then I would include the realm name as follows:

Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000 -Realm "domain.com"

Enter the following into Notepad or a text editor, replacing autodiscover.austinlab.com with your own Autodiscover host name, save the file as a .ps1 and execute it from the Skype for Business Server Management Shell:

# If any partner applications already exist, remove the one with the identity "app"
if ((Get-CsPartnerApplication -ErrorAction SilentlyContinue) -ne $Null)
{
    Remove-CsPartnerApplication app
}

# Look up an existing Exchange partner application, if there is one
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue

if ($exch -eq $null)
{
    # Nothing configured yet: create the Exchange partner application from its Autodiscover metadata
    New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://autodiscover.austinlab.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
}
else
{
    if ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
    {
        # The existing entry does not carry Exchange's well-known application identifier: recreate it
        Remove-CsPartnerApplication microsoft.exchange
        New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://autodiscover.austinlab.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
    }
    else
    {
        # The existing entry is correct: just make sure the trust level is Full
        Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full
    }
}

# Set Skype for Business Server's own OAuth service name (no -Realm parameter; see the note above)
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

You can also download this from here: http://1drv.ms/1SNPOso

The following is returned at the end of running the above script:


Result of running script

An error message may appear similar to the following:

New-CsPartnerApplication : Cannot bind parameter 'MetadataUrl' to the target. Exception setting "MetadataUrl": "The metadata document could not be downloaded from the URL in the MetadataUrl parameter or downloaded data is not a valid metadata document."

This indicates that the URL specified is not valid or could not be contacted. A simple test before running the script is to open the metadata URL from the Skype for Business Server and confirm it responds, and then run the script.
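As an added example (not from the original post), the pre-flight check below does that test from the Skype for Business Server Management Shell and goes a little further than opening the URL in a browser: it fails on an untrusted certificate the same way the cmdlet would, confirms the response is JSON rather than an error page, and checks that the document describes Exchange by comparing its service name with the well-known identifier used in the script above. The field names it looks for (serviceName, realm, issuer, keys) are an assumption based on the metadata documents I have seen, and the URL default is a placeholder for your own Autodiscover host.

```powershell
# Added example (not part of the original post): fetch the Exchange OAuth metadata
# document before running the partner-application script, so a bad URL, an untrusted
# certificate or a non-JSON response is caught up front instead of surfacing as the
# "metadata document could not be downloaded" error.
# Assumptions: the field names checked (serviceName, realm, issuer, keys) are those
# seen in these documents; $MetadataUrl is a placeholder for your own Autodiscover host.

param(
    [string]$MetadataUrl = "https://autodiscover.austinlab.com/autodiscover/metadata/json/1",
    # Exchange's well-known application identifier, as checked in the script above
    [string]$ExpectedServiceName = "00000002-0000-0ff1-ce00-000000000000"
)

try {
    # No certificate-check bypass on purpose: New-CsPartnerApplication will also
    # need a certificate chain that this server trusts.
    $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Error "Could not download $MetadataUrl : $($_.Exception.Message)"
    Write-Host "Check DNS for the Autodiscover host, that the Exchange certificate chains to a CA this server trusts, and that port 443 is reachable."
    return
}

if ($response.StatusCode -ne 200) {
    Write-Error "Unexpected HTTP status $($response.StatusCode) from $MetadataUrl"
    return
}

try {
    $meta = $response.Content | ConvertFrom-Json -ErrorAction Stop
} catch {
    Write-Error "Response from $MetadataUrl is not valid JSON; the URL may point at a web page rather than the metadata endpoint."
    return
}

$problems = @()
foreach ($field in 'serviceName', 'realm', 'issuer', 'keys') {
    if (-not ($meta.PSObject.Properties.Name -contains $field)) {
        $problems += "missing field '$field'"
    }
}
if ($meta.serviceName -and $meta.serviceName -ne $ExpectedServiceName) {
    $problems += "serviceName is '$($meta.serviceName)', expected '$ExpectedServiceName'"
}
if (($meta.PSObject.Properties.Name -contains 'keys') -and @($meta.keys).Count -eq 0) {
    $problems += "no signing keys published; tokens issued by Exchange could not be verified"
}

if ($problems.Count -gt 0) {
    Write-Warning ("Metadata document looks wrong: " + ($problems -join '; '))
} else {
    Write-Host "OK: $MetadataUrl serves a metadata document for $($meta.serviceName) in realm $($meta.realm)"
    Write-Host "Signing keys published: $(@($meta.keys).Count)"
}
```

The realm reported here is worth noting down: it is the value the Skype for Business side must agree on, which is why the -Realm parameter to Set-CsOAuthConfiguration matters when your realm differs from your organisation's FQDN.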

After creating the partner application for Exchange in Skype for Business Server 2015, you must then configure the reverse direction, which makes Skype for Business Server a partner application for Exchange 2013. This is done by running the script Configure-EnterprisePartnerApplication.ps1. You will need to specify the metadata URL for Skype for Business Server and indicate that Skype for Business Server is the new partner application. Make sure you can access that URL from the Exchange 2013 Server.

Open the Exchange Management Shell and type in the following:

cd $ExScripts

.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl "https://EnterpriseEDTN1.austinlab.com/metadata/json/1" -ApplicationType "Lync"


Running Configure-EnterprisePartnerApplication.ps1

As shown in the screenshot above, 'The configuration has succeeded' is the message you want to see. The script Configure-EnterprisePartnerApplication.ps1 creates a disabled user account and assigns it the UserApplication and ArchiveApplication management roles.

The partner application is associated with that account and with the authentication metadata document from the URL, which allows Skype for Business Server to read and write to Exchange mailboxes on users' behalf.
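To confirm the trust actually works in both directions once both scripts have run, here is an added verification example (not from the original post). Part 1 runs in the Skype for Business Server Management Shell and checks the Exchange partner application, the OAuth realm and an end-to-end mailbox connection through Test-CsExStorageConnectivity; part 2 runs in the Exchange Management Shell, lists the partner application the script just created and uses Test-OAuthConnectivity to obtain and validate a token for EWS. The SIP address, mailbox and EWS URL are placeholders for your own environment, and the behaviour of the two Test- cmdlets is assumed to match the builds I have used.

```powershell
# Added example (not from the original post): verify the server-to-server trust in
# both directions after the two configuration scripts have run.
# Part 1 runs in the Skype for Business Server Management Shell, part 2 in the
# Exchange Management Shell. Placeholders: user@austinlab.com, mail.austinlab.com.

# ---- Part 1: Skype for Business Server side ----------------------------------
# The partner application should carry Exchange's well-known identifier and the
# Full trust level set by the script earlier in this post.
$partner = Get-CsPartnerApplication -Identity microsoft.exchange
if ($null -eq $partner) {
    Write-Warning "No partner application named microsoft.exchange exists; re-run the configuration script."
} else {
    if ($partner.ApplicationIdentifier -ne '00000002-0000-0ff1-ce00-000000000000') {
        Write-Warning "Exchange partner application has an unexpected identifier: $($partner.ApplicationIdentifier)"
    }
    if ($partner.ApplicationTrustLevel -ne 'Full' -or -not $partner.Enabled) {
        Write-Warning "Exchange partner application is not enabled with Full trust."
    }
}

# The realm here must match the realm Exchange publishes in its metadata; a
# mismatch is a common reason tokens are issued on one side and rejected on the other.
Get-CsOAuthConfiguration | Select-Object ServiceName, Realm | Format-List

# End-to-end check: ask the storage service to reach a user's mailbox via EWS
# using the OAuth trust. A failure here points at the partner application,
# the OAuth certificate, or the Autodiscover lookup.
Test-CsExStorageConnectivity -SipUri 'sip:user@austinlab.com' -Verbose

# ---- Part 2: Exchange 2013 side -----------------------------------------------
# Configure-EnterprisePartnerApplication.ps1 -ApplicationType "Lync" should have
# created a partner application backed by a disabled linked account.
Get-PartnerApplication |
    Where-Object { $_.Name -like '*Lync*' -or $_.Name -like '*Skype*' } |
    Select-Object Name, ApplicationIdentifier, Enabled, LinkedAccount, AuthMetadataUrl |
    Format-List

# Confirm Exchange can obtain and validate an OAuth token for an EWS call.
Test-OAuthConnectivity -Service EWS -TargetUri 'https://mail.austinlab.com/ews/' -Mailbox 'user@austinlab.com' -Verbose
```

Run the two parts separately in their respective shells; the -Verbose output of both Test- cmdlets shows which step (metadata download, token request, or token validation) failed, which is far quicker than guessing from a later Unified Contact Store or archiving error.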

From here we can configure the Unified Contact Store (UCS), archiving into Exchange 2013, storing high definition photos in Exchange 2013, and enabling instant messaging from within Outlook Web App – blogs on these are coming soon!

All the best!

Austin

Other posts related to this

Step by Step on configuring the Unified Contact Store (UCS) and Skype for Business Server 2015

Step by Step on configuring Skype for Business Server 2015 and Exchange 2013 Archiving

Step by Step on configuring OWA and Instant Messaging


Filed under OAuth, Skype for Business Server 2015, SQL, Step by Step
