Passive authentication requires establishing trust between the AD FS Server and the Lync Server (because user credentials will be forwarded by the latter service). Lync mobility policies require customization too. We will see the steps to configure passive authentication now.
Based on the schema of our lab environment, we will use madhatter.wonderland.lab as the internal FQDN of the Lync 2013 Standard Edition (SE) Server. The madhatter.absoluteuc.biz is the public name for the pool, while gryphon.wonderland.lab is the internal FQDN of the AD FS server, and adfs1.absoluteuc.biz is the public name for the same service.
If we have no AD FS server available, the first step will be to add the role from Server Manager and configure it (for example, we can follow the steps outlined in the TechNet post How To Install ADFS 2012 R2 For Office 365 at http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx).
Lync-Ext-PassiveAuth
(based on the external name) and Lync-PassiveAuth
(based on the internal name).We is not allowed to create two trust relations that point to the same IP (in this scenario, the one used by the Lync 2013 SE Server), and we have to use the reverse proxy for both Lync mobile clients that connect from the external network and from the internal network. We can split the trusts, one on the external interface of IIS (Lync-Ext-PassiveAuth) and the other hair pinning on the internal interface of IIS (Lync-PassiveAuth).
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]=> issue(claim = c);'
Add-ADFSRelyingPartyTrust -Name Lync-PassiveAuth -MetadataURL https://madhatter.wonderland.lab/passiveauth/federationmetadata/2007-06/federationmetadata.xml
Set-ADFSRelyingPartyTrust -TargetName Lync-PassiveAuth -IssuanceAuthorizationRules $IssuanceAuthorizationRules Set-ADFSRelyingPartyTrust -TargetName Lync-PassiveAuth -IssuanceTransformRules $IssuanceTransformRules
Add-ADFSRelyingPartyTrust -Name Lync-Ext-PassiveAuth -MetadataURL https://madhatter.absoluteuc.biz/passiveauth/federationmetadata/2007-06/federationmetadata.xml Set-ADFSRelyingPartyTrust -TargetName Lync-Ext-PassiveAuth -IssuanceAuthorizationRules $IssuanceAuthorizationRules Set-ADFSRelyingPartyTrust -TargetName Lync-Ext-PassiveAuth -IssuanceTransformRules $IssuanceTransformRules
New-CsWebServiceConfiguration -Identity webserver:madhatter.wonderland.lab -WsFedPassiveMetadataUri https://adfs1.absoluteuc.biz/federationmetadata/2007-06/federationmetadata.xml
Set-CsWebServiceConfiguration -Identity webserver:madhatter.wonderland.lab -UseWsFedPassiveAuth $true -UseWindowsAuth none –UseCertificateAuth $true
New-CsProxyConfiguration -Identity registrar:madhatter.wonderland.lab -UseKerberosForClientToProxyAuth $false -UseNtlmForClientToProxyAuth $false
$false
in CsMobilityPolicy to suppress the error messages related to the Exchange Web Services (EWS). In our example, we will assign it to the wonderlandfab user in the wonderland.lab
domain:New-CsMobilityPolicy -Identity PassiveAuthUsers -AllowExchangeConnectivity $false Grant-CsMobilityPolicy -PolicyName PassiveAuthUsers -Identity wonderlandfab
To explain how the AD FS Relying Party Trust works, we have to introduce some of the following basic concepts:
Based on a set of rules (Acceptance Transform Rules), the claims from the claim provider will be filtered or passed to the Relying party trust. AD FS controls which users have access to the relying party based on the Issuance Authorization Rules. AD FS issues the claims to the relaying party by using the Issuance Transform Rules. In the schema shown in the following screenshot, we have a high-level overview of the mechanism inside the AD FS server that converts the incoming claims from the Claims Provider Trust and transmits them over the Relying party trust:
Right now, Lync clients for Android and Mac are not able to sign in using passive authentication (see Sign-in, Push Notifications, and General Features in the Mobile client comparison tables for Lync Server 2013 TechNet post at http://technet.microsoft.com/en-us/library/hh691004.aspx). Clients with no support for passive authentication will hang in the attempt to authenticate with Lync 2013.
How Lync passive authentication works is explained in two blog posts: Jens Trier Rasmussen's TechNet blog Microsoft Lync 2013 for Mobile and Passive Authentication at http://bit.ly/1ujMcSK and on the TechNet site Lync Server 2013 Certificate Authentication and Passive Authentication support for Lync 2013 Mobile applications at http://bit.ly/1rzopKJ.
In a recent post on my blog Lync Passive Authentication: Getting Your Hands Dirty at http://bit.ly/WywjJi, I tried the various clients and tested their behavior with passive authentication.
18.189.188.238