Skype for Business Server 2015 utilises other applications and server products and must be able to communicate securely and seamlessly with them.
Take for example the Unified Contact Store and Exchange 2013. If you want to configure Skype for Business Server to use Exchange 2013 to store contact data, you will need to have the Exchange Server and Skype for Business Server talking to each other securely.
A secure standardised method for this communication with Exchange and also with SharePoint, can be utilised. Skype for Business Server 2015, Exchange 2013 and SharePoint Server all support the OAuth (Open Authorization) protocol for server-to-server authentication and authorization. With OAuth, a standard authorization protocol used by a number of major websites, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization is based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time.
There are three server-to-server authentication scenarios that are supported by Skype for Business Server 2015:
- An on-premises installation of Skype for Business Server 2015 and an on-premises installation of Exchange 2013 and/or SharePoint Server
- A pair of Office 365 components (for example, between Microsoft Exchange Server and Skype for Business Server 2015, or between Skype for Business Server 2015 and SharePoint).
- A cross-premises environment (that is, server-to-server authentication between an on-premises server and an Office 365 component).
If you do not need to communicate between any of these servers, you do not need to configure this. Also, if you already have configured server-to-server authentication for Lync Server 2013 and other applications, there’s no need to re-do it for Skype for Business Server 2015.
In order to configure server-to-server authentication for an on-premises implementation of Skype for Business Server 2015, it is pretty straight forward. Ensure that Exchange Autodiscover service is working correctly beforehand. You will need to use some PowerShell in both Skype for Business and Exchange management shells and configure a valid certificate to use for OAuth from your internal CA.
Assign a certificate to the built-in Skype for Business Server 2015 token issuer.
When initially installing Lync 2013 or Skype for Business Server 2015, part of the Certificate Wizard runs you through installing an OAuth certificate. If you want to check to see if you already have an OAuth certificate assigned to Skype for Business Server run the following command
Get-CSCertificate –Type OAuthTokenIssuer
In the screenshot above, the certificate information is returned showing I have one installed on Skype for Business Server 2015
This information can also be obtained by using the Lync Server or Skype for Business Server deployment wizard.
Launch the Skype for Business Server Deployment Wizard and click Run Again on Step 3 from the Deployment Wizard
You should see confirmation that the OAuth Certificate is installed
If you need to request, install and assign an OAuth certificate, you will need to run through the Certificate Wizard or use PowerShell to do so.
Configure the server that Skype for Business Server 2015 will communicate with to be a partner application, and then you will need to configure Exchange to be a partner application.
With the certificate installed and assigned, you need to configure the partner applications, which in my case, will be Exchange 2013.
Consider the following for the script below. The last line of the script does not use the –Realm parameter and therefore uses my FQDN of my organisation. If my realm name was different from my organisation name then I would include the realm name as follows:
Set-CsOAuthConfiguration
-ServiceName
00000004-0000-0ff1-ce00-000000000000 –Realm “domain.com”
Enter the following into notepad or a text editor replacing autodiscover.austinlab.com with your own settings, save as .ps1 and execute:
if ((Get-CsPartnerApplication -ErrorAction SilentlyContinue) -ne $Null)
{
Remove-CsPartnerApplication app
}
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
if ($exch -eq $null)
{
New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://autodiscover.austinlab.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
}
else
{
if ($exch.ApplicationIdentifier -ne “00000002-0000-0ff1-ce00-000000000000”)
{
Remove-CsPartnerApplication microsoft.exchange
New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://autodiscover.austinlab.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
}
else
{
Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full
}
}
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000
YOU CAN ALSO DOWNLOAD THIS FROM HERE: HTTP://1DRV.MS/1SNPOSO
The following is returned at the end of running the above script
An error message may appear similar to the following:
New-CsPartnerApplication : Cannot bind parameter ‘MetadataUrl’ to the target. Exception setting “MetadataUrl”: “The metadata document could not be downloaded from the URL in the MetadataUrl parameter or downloaded data is not a valid metadata document.”
This references that the URL specified is not valid or could not be contacted. A simple test before running the script would be to try an access the URLs and then run the script.
After creating the partner application for Skype for Business Server 2015 you must then configure the return, which makes the Skype for Business Server to be a partner application for Exchange 2013. This is done by running the script Configure-EnterprisePartnerApplication.ps1. You will need to specify the metadata URL for Skype for Business Server and indicate that Skype for Business Server is the new partner application. Make sure you can access the URL used from the Exchange 2013 Server.
Open the Exchange Management Shell and type in the following:
cd \$ExScripts
./Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl “https://EnterpriseEDTN1.austinlab.com/metadata/json/1 ” -ApplicationType “Lync”
As shown above in the screenshot, ‘The configuration has succeeded’ is the important message result. The script Configure-EnterprisePartnerApplication.ps1 will create a disabled user and assign the UserApplication and ArchiveApplication management roles
The partner application is associated with the account and the authentication document from the URL which allows Skype for Business to read and write to Exchange mailboxes on users behalf.
From here we can configure the Unified Contact Store (UCS), archiving into Exchange 2013, storing high definition photos in Exchange 2013, and enabling instant messaging from within Outlook Web App – blogs on these are coming soon!