Configuring OAuth between Lync 2013 and Exchange 2013

In this recipe you will learn how to configure OAuth server-to-server authentication between Lync 2013 and Exchange 2013, and how to configure each of them as a partner application of the other.

This step is a prerequisite when you wish to achieve the following levels of integration:

  • Lync 2013 to use Exchange 2013 for archiving
  • Lync 2013 to use the Exchange 2013 unified contact store
  • Lync 2013 to use high-resolution photos on Exchange 2013

To configure OAuth, we will assign server-to-server authentication certificates on Lync and Exchange to allow them to communicate with each other.

So, what certificates shall we use? For Exchange, we can use the default self-signed Microsoft Exchange Server Auth Certificate that is created when you install your Exchange Server. For Lync, you can use your existing Lync certificate for server-to-server authentication, provided that:

  • The SIP domain appears in the certificate's subject field
  • The same certificate is assigned as OAuthTokenIssuer on all Front End servers
  • The certificate's key length is at least 2048 bits

For more information on how to assign a server-to-server authentication certificate on Lync 2013, refer to http://technet.microsoft.com/en-us/library/jj205253.aspx.

How to do it…

Now that we've covered the certificates, the first thing you need to do is make sure that your Exchange 2013 autodiscover service is fully functional.

To verify your autodiscover settings, run the following command:

Get-ClientAccessServer | ft Name, AutoDiscoverServiceInternalUri

This will provide you with a list of the AutoDiscoverServiceInternalUri values for each Client Access Server in your Exchange organization. But what is AutoDiscoverServiceInternalUri?

Well, it's the service connection point (SCP) that domain-joined machines on the internal network will use to reach Exchange and make an autodiscover query.

The following value is the recommended value for the SCP. Make sure that the FQDN is a subject alternative name on the certificate used by IIS on the Exchange Server (for example, autodiscover.domain.com):

https://autodiscover.domain.com/autodiscover/autodiscover.xml

The following value is the default value for the SCP on a newly installed Exchange 2013 server, which is the FQDN of the server:

https://exchangeserver.domain.local/autodiscover/autodiscover.xml

If the value is blank, or if it points to a name that is not on the certificate that your Exchange Server uses for IIS, you should change it. If you are load balancing Exchange Web Services across more than one Exchange 2013 Client Access Server, assign the same name to the AutoDiscoverServiceInternalUri value on each of these servers (for example, autodiscover.domain.com) and, again, make sure that the name is on the certificate used by Exchange for IIS. Point the autodiscover.domain.com DNS record to the IP address of the load balancer configured to balance the Exchange 2013 HTTPS traffic.

To change the value or configure one, you can run the following Exchange Management Shell cmdlet:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

The preceding command will change the attribute on all the Client Access servers of your organization.

The following command changes the value on a specific client access server:

Set-ClientAccessServer -Identity <CASServerName> -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

The last step to complete the OAuth configuration is to modify the Lync Server OAuth configuration settings to make sure that Lync can find the Exchange autodiscover service. To achieve this, we need to run the following Lync Server Management Shell cmdlet:

Set-CsOAuthConfiguration -Identity global -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc

Note

The URL configured on Lync should point to the service location (autodiscover.svc) and not to the XML file (autodiscover.xml) used by the autodiscover service. You can test whether the URL works using a web browser.

Once again, make sure that the DNS name you use in the URL points to the Exchange Server or to a load balancer that is balancing the web traffic between your Exchange Client Access Servers.
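As an added check that is not part of the book's recipe, the following PowerShell script verifies what the steps above configure: the SCP on every Client Access Server, its presence on the IIS certificate, the key length of the Lync OAuthTokenIssuer certificate, and the Lync-side autodiscover URL. It assumes the autodiscover.domain.com name used throughout the recipe and a shell in which both the Exchange and the Lync cmdlets are available.

```powershell
# Added verification script, not part of the book's recipe. Assumes it runs in the
# Exchange Management Shell with the Lync Server module loaded, on a Front End/CAS.
$ExpectedHost = 'autodiscover.domain.com'   # the SCP FQDN you chose (assumption)

# 1. Every Client Access Server should publish the same, non-blank SCP.
foreach ($cas in (Get-ClientAccessServer)) {
    $scp = $cas.AutoDiscoverServiceInternalUri
    if ([string]::IsNullOrEmpty($scp)) {
        Write-Warning "$($cas.Name): AutoDiscoverServiceInternalUri is blank"
        continue
    }
    $scpHost = ([Uri]$scp).Host
    if ($scpHost -ne $ExpectedHost) {
        Write-Warning "$($cas.Name): SCP host is '$scpHost', expected '$ExpectedHost'"
    }
}

# 2. The SCP name must be a subject or SAN on the certificate IIS uses (local server).
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
if (-not ($iisCerts | Where-Object { $_.CertificateDomains -contains $ExpectedHost })) {
    Write-Warning "No IIS-bound Exchange certificate lists '$ExpectedHost'"
}

# 3. Lync's OAuthTokenIssuer certificate must carry a key of at least 2048 bits;
#    the key size is read from the local machine store via .NET.
$issuer = Get-CsCertificate -Type OAuthTokenIssuer | Select-Object -First 1
if (-not $issuer) { Write-Warning 'No OAuthTokenIssuer certificate assigned' } else {
    $x509 = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $issuer.Thumbprint }
    $bits = $x509.PublicKey.Key.KeySize
    if ($bits -lt 2048) { Write-Warning "OAuthTokenIssuer key is only $bits bits" }
    "OAuthTokenIssuer: $($x509.Subject), $bits-bit key"
}

# 4. Lync must point at autodiscover.svc, not autodiscover.xml, and the name must
#    answer over HTTPS. An HTTP 401 still proves reachability (auth is required).
$lyncUrl = (Get-CsOAuthConfiguration -Identity global).ExchangeAutodiscoverUrl
if ($lyncUrl -notmatch '/autodiscover\.svc$') {
    Write-Warning "ExchangeAutodiscoverUrl should end in autodiscover.svc: $lyncUrl"
}
try {
    $resp = Invoke-WebRequest -Uri $lyncUrl -UseBasicParsing -TimeoutSec 15
    "Lync autodiscover URL answered HTTP $($resp.StatusCode)"
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        "Lync autodiscover URL reachable, HTTP $([int]$_.Exception.Response.StatusCode)"
    } else { Write-Warning "Lync autodiscover URL unreachable: $($_.Exception.Message)" }
}
```

Run it on one Front End server at a time; step 3 inspects the local certificate store, so it must be repeated on every Front End to confirm the same OAuthTokenIssuer certificate is assigned everywhere.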
