Lync OAuth Protocol and Confgiuration

-

What is Server-to-Server/ OAuthentication Protocol?

OAuth2 is an open standard for authorization used by Microsoft Office 2013 Servers.
It allows users to access their private resources (e.g. Lync Contact List, IM Archiving) stored on Servers without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific service for specific resources and for a defined duration

OAuth2 standard-based server-to-server trust across all Office 2013 servers
Lync, Exchange, Microsoft Office SharePoint®, Active Directory

In Lync scenarios enabled for:
Unified Contacts, IM Archiving, OWA meeting scheduling


Hybrid Model:



On-Premise Model:



Prerequisites:
Certificate: token issuer certificate (OAuthTokenIssuer)
must be request able on PKI -

TIP:
every Web Server Certificate that includes the name of the SIP Domain in the Subject Field can be used as OAuthTokenIssuer Certificate

Configuration Steps for On-Premise Setup:

Start and request a certificate from internal/ external PKI and import the certificate into the computers certificate store.

First Step:
Get-CsCertificate -Type OAuthTokenIssuer
Import-CsCertificate –Identity global –Type OAuthTokenIssuer –Path C:\Certificates\ServerToServerAuth.pfx  –Password "P@ssw0rd

If a Certificate exists for (e.g. the default certificate) it can be used:$x = (Get-CsCertificate -Type Default).Thumbprint
Set-CsCertificate –Identity global -Type OAuthTokenIssuer -Thumbprint $x

Next you need to activate the PartnerApplication and make the new OAuth Protrol work:
Therefor you copy this script and run save it as ConfigureOAuthScrip.PS1

Script Start---------------------------------------------------------------------------------------------
if ((Get-CsPartnerApplication app -ErrorAction SilentlyContinue) -ne $Null)
   {
       Remove-CsPartnerApplication app
   }

$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
       
if ($exch -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
    }
else
    {
       if ($exch.ApplicationIdentifier –ne “00000002-0000-0ff1-ce00-000000000000”)
          {
             Remove-CsPartnerApplication microsoft.exchange
New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
           }
        else
           {
             Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full
           }
     }
$shp = Get-CsPartnerApplication microsoft.sharepoint -ErrorAction SilentlyContinue
       
if ($shp -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx -ApplicationTrustLevel Full
    }
else
    {
       if ($shp.ApplicationIdentifier –ne “00000003-0000-0ff1-ce00-000000000000”)
          {
             Remove-CsPartnerApplication microsoft.sharepoint
 
             New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx -ApplicationTrustLevel Full
           }
        else
           {
             Set-CsPartnerApplication -Identity microsoft.sharepoint -ApplicationTrustLevel Full
            }
   }
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Script End---------------------------------------------------------------------------------------------------

Note:
If your REALM should be different from the Organization Name (EXCHANGE) you need to specify incl. the REALM Parameter: Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000 –Realm "contoso.com"

Next Step:
Define the MetadataURL:
Lync 2013 Preview:https://atl-exchange-001.litwareinc.com/autodiscover/metadata/v1/json
Lync 2013 RTM:https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1

When you run this script from above, you might receive an error message similar to the following:
New-CsPartnerApplication : Cannot bind parameter 'MetadataUrl' to the target. Exception setting "MetadataUrl": "The metadata document could not be downloaded from the URL in the MetadataUrl parameter or downloaded data is not a valid metadata document."
This error message typically means one of two things:
1) that one of the URLs specified in the script is invalid (that is, one of your metadata URLs is not actually a metadata URL); or,
2) that of the metadata URLs could not be contacted. If this happens, verify that the URLs are correct and are accessible, and the re-run the script

Last Step:
Verification of configured PartnerApplication settings and verifiy the correct configuration:
Get-CsPartnerApplication

Result:
Identity              : microsoft.exchange
AuthToken             : Microsoft.Rtc.Management.WritableConfig.
                        Settings.SSAuth.UseOAuthServer
Name                  : microsoft.exchange
Realm                 : contoso.com
ApplicationTrustLevel : Full
Enabled               : True


If you have any questions, please let me know, I will do my best supporting you.


Location: Kolbermoor, Germany

Comments

  1. UnknownFebruary 13, 2014 at 8:45 PM

    Hi,

    We have lync 2013, sharepoint 2013 and exchange 2010 on premise. Will Oauth work with exchange 2010 and is it supported?

    Cheers

    ReplyDelete
    Replies
    1. Thomas PoettFebruary 26, 2014 at 1:09 PM

      Hi Paul,
      not, OAuth is only supported and even implemented with Office 2013 Server products

      Delete
  2. JohnnyAugust 18, 2014 at 7:24 PM

    Hi Thomas, does the OAuth cert subject name need to match the sip domain exactly, or just include it? For instance, if my sip domain is test.com, would a subject name of cert.test.com be OK to use?

    ReplyDelete
    Replies
    1. Thomas PoettAugust 19, 2014 at 10:03 AM

      Hi Johnny,
      I have written a wiki article on TechNet:
      http://social.technet.microsoft.com/wiki/contents/articles/24210.demystify-lync-2013-server-internal-certificate-requirements.aspx
      This explains it more in detail.

      Generally, the OAuth required like all other certificate the SN/CN as the default SIP domain and a SAN entry which repeats the default SIP domain.
      additional SIP domains must be added to the SAN.

      Delete
    2. JohnnyAugust 19, 2014 at 6:51 PM

      Thanks so much! One more question... if using this in a hybrid environment with O365 for Exchange, would the certificate have to be from a trusted 3rd party CA such as entrust?

      Delete
    3. Thomas PoettAugust 22, 2014 at 12:33 PM

      Absolute sure, it must be from an trusted certificate provider.

      Delete

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modif...
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, uniqu...
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more