Exchange 2016 & Skype for Business 2015 server-server authentication
Things to know before you start:
Normally, server-to-server authentication means that two servers that need to communicate with one another rely on a third-party security token server, which provides a security token. If Server A and Server B need to communicate, they both contact a common token server and obtain a mutually trusted security token. Both servers present the mutually trusted token to authenticate to each other.
However, Microsoft Exchange, Skype for Business and SharePoint don't require such a third-party, mutually trusted token issuer.
Two-step integration process:
To set up server-to-server authentication between Skype for Business Server and Exchange, follow the two steps below.
1. Assign the appropriate certificates to each server
Exchange has a built-in, self-signed Auth certificate.
http://cloudexchangers.com/wp-content/uploads/2016/04/erf.png
However, Skype for Business does not have one by default. The screenshot below shows that it is not present.
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg2.png
When you try to add Skype for Business as a partner application from Exchange, it may fail as shown below if the OAuth certificate is absent on the Skype for Business server.
http://cloudexchangers.com/wp-content/uploads/2016/04/Untitled-picture-1.png
Get-CsCertificate
should give the expected output below.
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg4.png
2. Configure each server to be a partner application of the other server:
Configuring Skype for Business Server 2015 to be a Partner Application for Exchange 2016.
C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\Configure-EnterprisePartnerApplication.ps1 -AuthMetaDataUrl 'https://fe.cloudexchangers.com/metadata/json/1' -ApplicationType Lync
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg5.png
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg6.png
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg7.png
Configuring Exchange 2016 to be a Partner Application for Skype for Business Server 2015.
Validate the Autodiscover URL before proceeding. If it is not set properly, use Set-ClientAccessService -Identity <fqdn> -AutoDiscoverServiceInternalUri.
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg8.png
Make sure the DNS records below are created.
http://cloudexchangers.com/wp-content/uploads/2016/04/1-254x300.png
http://cloudexchangers.com/wp-content/uploads/2016/04/2-300x188.png
Try accessing the Autodiscover metadata URL. The metadata file should be accessible from the Skype for Business server, as shown below.
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg10.png
Run the command below from the Skype for Business server to add Exchange as a partner application.
New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl https://autodiscover.cloudexchangers.com/autodiscover/metadata/json/1
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg11.png
Validate the server-to-server authentication by running the command below from the Skype for Business shell.
http://cloudexchangers.com/wp-content/uploads/2016/04/041816_1613_SimpleInteg12.png
We have now configured server-to-server authentication between Exchange 2016 and Skype for Business 2016 server.
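Because New-CsPartnerApplication is run with -ApplicationTrustLevel Full, Skype for Business trusts whichever signing key the metadata URL publishes, so it is worth confirming that the published key is the Exchange Auth certificate. The following is an added example, not part of the original post: the function names and sample values are hypothetical, and the JSON field names (keys, usage, keyinfo.x5t, issuer) are an assumption about the metadata document layout.

```powershell
# Added example. Function names and sample values are hypothetical; the JSON
# field names (keys, usage, keyinfo.x5t, issuer) are an assumed document layout.

function ConvertTo-X5t {
    # x5t is the base64url encoding of the certificate's raw SHA-1 thumbprint bytes.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 40) { throw 'Expected a 40-hex-digit SHA-1 thumbprint.' }
    $bytes = New-Object byte[] 20
    for ($i = 0; $i -lt 20; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-AuthMetadataKey {
    # Reports every signing key in the metadata text and whether it matches
    # the thumbprint of the certificate the administrator expects to see.
    param(
        [Parameter(Mandatory)][string]$MetadataJson,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $doc      = $MetadataJson | ConvertFrom-Json
    $expected = ConvertTo-X5t $ExpectedThumbprint
    $signing  = @($doc.keys | Where-Object { $_.usage -eq 'signing' })
    if ($signing.Count -eq 0) { throw 'Metadata document publishes no signing key.' }
    foreach ($key in $signing) {
        [pscustomobject]@{
            Issuer  = $doc.issuer
            X5t     = $key.keyinfo.x5t
            # base64url is case-sensitive, so use -ceq rather than -eq
            Matches = ($key.keyinfo.x5t -ceq $expected)
        }
    }
}

# Constructed sample: the thumbprint and the document are made up for illustration.
$authCertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$sample = @{
    issuer = 'constructed-issuer@example.invalid'
    keys   = @(@{ usage = 'signing'; keyinfo = @{ x5t = (ConvertTo-X5t $authCertThumbprint) } })
} | ConvertTo-Json -Depth 5

Test-AuthMetadataKey -MetadataJson $sample -ExpectedThumbprint $authCertThumbprint  # same certificate
Test-AuthMetadataKey -MetadataJson $sample -ExpectedThumbprint ('F' * 40)           # a different certificate
```

Against the live deployment, pass the text returned by the metadata URL given to New-CsPartnerApplication as -MetadataJson, and the value of (Get-AuthConfig).CurrentCertificateThumbprint from the Exchange server as -ExpectedThumbprint.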