Lync OAuth Protocol and Confgiuration


What is Server-to-Server/ OAuthentication Protocol?

OAuth2 is an open standard for authorization used by Microsoft Office 2013 Servers.
It allows users to access their private resources (e.g. Lync Contact List, IM Archiving) stored on Servers without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific service for specific resources and for a defined duration


OAuth2 standard-based server-to-server trust across all Office 2013 servers
Lync, Exchange, Microsoft Office SharePoint®, Active Directory


In Lync scenarios enabled for:
Unified Contacts, IM Archiving, OWA meeting scheduling



Hybrid Model:



On-Premise Model:



Prerequisites:
Certificate: token issuer certificate (OAuthTokenIssuer)
must be request able on PKI -

TIP:
every Web Server Certificate that includes the name of the SIP Domain in the Subject Field can be used as OAuthTokenIssuer Certificate

Configuration Steps for On-Premise Setup:

Start and request a certificate from internal/ external PKI and import the certificate into the computers certificate store.

First Step:
Get-CsCertificate -Type OAuthTokenIssuer
Import-CsCertificate –Identity global –Type OAuthTokenIssuer –Path C:\Certificates\ServerToServerAuth.pfx  –Password "
P@ssw0rd

If a Certificate exists for (e.g. the default certificate) it can be used:$x = (Get-CsCertificate -Type Default).Thumbprint
Set-CsCertificate –Identity global -Type OAuthTokenIssuer -Thumbprint $x


Next you need to activate the PartnerApplication and make the new OAuth Protrol work:
Therefor you copy this script and run save it as ConfigureOAuthScrip.PS1

Script Start---------------------------------------------------------------------------------------------
if ((Get-CsPartnerApplication app -ErrorAction SilentlyContinue) -ne $Null)
   {
       Remove-CsPartnerApplication app
   }

$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
       
if ($exch -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl
https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
    }
else
    {
       if ($exch.ApplicationIdentifier –ne “00000002-0000-0ff1-ce00-000000000000”)
          {
             Remove-CsPartnerApplication microsoft.exchange
New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl
https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1 -ApplicationTrustLevel Full
           }
        else
           {
             Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full
           }
     }
$shp = Get-CsPartnerApplication microsoft.sharepoint -ErrorAction SilentlyContinue
       
if ($shp -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl
http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx -ApplicationTrustLevel Full
    }
else
    {
       if ($shp.ApplicationIdentifier –ne “00000003-0000-0ff1-ce00-000000000000”)
          {
             Remove-CsPartnerApplication microsoft.sharepoint
 
             New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl
http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx -ApplicationTrustLevel Full
           }
        else
           {
             Set-CsPartnerApplication -Identity microsoft.sharepoint -ApplicationTrustLevel Full
            }
   }

Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000


Script End---------------------------------------------------------------------------------------------------

Note:
If your REALM should be different from the Organization Name (EXCHANGE) you need to specify incl. the REALM Parameter:
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000 –Realm "contoso.com"

Next Step:
Define the MetadataURL:
Lync 2013 Preview:
https://atl-exchange-001.litwareinc.com/autodiscover/metadata/v1/json
Lync 2013 RTM:https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1

When you run this script from above, you might receive an error message similar to the following:
New-CsPartnerApplication : Cannot bind parameter 'MetadataUrl' to the target. Exception setting "MetadataUrl": "The metadata document could not be downloaded from the URL in the MetadataUrl parameter or downloaded data is not a valid metadata document."

This error message typically means one of two things:
1) that one of the URLs specified in the script is invalid (that is, one of your metadata URLs is not actually a metadata URL); or,
2) that of the metadata URLs could not be contacted. If this happens, verify that the URLs are correct and are accessible, and the re-run the script


Last Step:
Verification of configured PartnerApplication settings and verifiy the correct configuration:
Get-CsPartnerApplication

Result:
Identity              : microsoft.exchange
AuthToken             : Microsoft.Rtc.Management.WritableConfig.
                        Settings.SSAuth.UseOAuthServer
Name                  : microsoft.exchange
Realm                 : contoso.com
ApplicationTrustLevel : Full
Enabled               : True



If you have any questions, please let me know, I will do my best supporting you.


Comments

  1. Hi,

    We have lync 2013, sharepoint 2013 and exchange 2010 on premise. Will Oauth work with exchange 2010 and is it supported?

    Cheers

    ReplyDelete
    Replies
    1. Hi Paul,
      not, OAuth is only supported and even implemented with Office 2013 Server products

      Delete
  2. Hi Thomas, does the OAuth cert subject name need to match the sip domain exactly, or just include it? For instance, if my sip domain is test.com, would a subject name of cert.test.com be OK to use?

    ReplyDelete
    Replies
    1. Hi Johnny,
      I have written a wiki article on TechNet:
      http://social.technet.microsoft.com/wiki/contents/articles/24210.demystify-lync-2013-server-internal-certificate-requirements.aspx
      This explains it more in detail.

      Generally, the OAuth required like all other certificate the SN/CN as the default SIP domain and a SAN entry which repeats the default SIP domain.
      additional SIP domains must be added to the SAN.

      Delete
    2. Thanks so much! One more question... if using this in a hybrid environment with O365 for Exchange, would the certificate have to be from a trusted 3rd party CA such as entrust?

      Delete
    3. Absolute sure, it must be from an trusted certificate provider.

      Delete

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

MFA with Guest Access and different tenants settings