SfB 2015 On-Prem - Enabling ADAL without impacting internal users

Question
-
We have recently rolled out Skype for Business (SfB Server 2015, completely on-prem) for IM and presence (voice and video coming later) with a single front end pool, and have turned off remote access as we need to get multi-factor auth configured to satisfy our security team. We want to use ADAL to leverage our existing ADFS and Azure AD sync set-up that we are using for Office 365 (we are not using Skype for Business Online). I've read the guide here https://technet.microsoft.com/en-gb/library/mt710548.aspx which seems to be the only set of instructions for setting this up, and it's a little unclear. I'm also very new to ADFS, so I have a few questions:
Has anyone had any experience setting this up? If so, how did it go, any tips?
When setting up the relying party trusts in ADFS, what URLs should I be using for internal users?
What is the impact on internal users when you set the OAuth server on SfB? We are using autodiscover at the moment so internal users get signed in automatically; will that stop working if we set it up to go to ADFS?
Any help gratefully appreciated.
Thursday, February 9, 2017 10:53 AM
Answers
-
Hi mdickens,
Q: When setting up the relying party trusts in ADFS, what URLs should I be using for internal users?
A: You should type the URLs of the specific pool's internal and external web service FQDNs.
Q: What is the impact on internal users when you set the OAuth server on SfB? We are using autodiscover at the moment so internal users get signed in automatically; will that stop working if we set it up to go to ADFS?
A: When we configure the OAuth server on the SfB server, all authorization for connections to the SfB server will be done by ADFS. As far as I am concerned, there is no impact on internal users. Of course, autodiscover will work without any problems.
Best Regards,
Jim Xu
TechNet Community Support
Please remember to mark the replies as answers if they helped.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Liinus Friday, February 10, 2017 10:46 AM
- Marked as answer by mdickens98 Thursday, February 16, 2017 10:25 AM
Friday, February 10, 2017 5:53 AM
All replies
-
-
Thanks Jim,
Just noted down the urls etc so we've got our commands ready, will do all of this under change control next week, wish me luck!
Just one more thing: for the web service FQDNs, I'm assuming we should be using https for internal and external, but will it work either way?
Friday, February 10, 2017 1:58 PM
-
Hi mdickens,
As far as I am concerned, you should be using https instead of http, because the connections between server and server, or client and client, are encrypted.
If our above suggestions are helpful to you, you could mark them as the answer so that someone who has a similar issue can find this thread as soon as possible.
Best Regards,
Jim Xu
TechNet Community Support
Please remember to mark the replies as answers if they helped.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Saturday, February 11, 2017 1:05 AM
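The two configuration points the replies above cover (which URLs go on the ADFS relying party trust, and pointing the SfB pool's OAuth configuration at ADFS, using https identifiers only) as a worked example. This is added example code, not from the thread or the linked TechNet guide. It assumes an SfB Server 2015 Management Shell on a front end, the AD FS PowerShell module on the AD FS server, and the placeholder names `sfbpool01.contoso.local`, `adfs.contoso.com` and the display name `Skype for Business Server`; the `-Type ADFS` value for `New-CsOAuthServer` and the claim rules are taken from the cmdlet reference and should be checked against the guide for your build before running under change control.

```powershell
# Added example, not the thread's or Microsoft's own script. Placeholder names below
# (sfbpool01.contoso.local, adfs.contoso.com, rpName) are assumptions; replace them.

# ---- Step 1 (run on an SfB front end): collect the pool's web service FQDNs ----
# Get-CsService -WebServer returns one object per web services instance, with
# InternalFqdn and ExternalFqdn. Both go on the same relying party trust so that
# internal (autodiscover -> InternalFqdn) and remote (ExternalFqdn) sign-ins
# resolve to one relying party in AD FS.
$poolFqdn = 'sfbpool01.contoso.local'   # assumed pool name
$web = Get-CsService -WebServer | Where-Object { $_.PoolFqdn -eq $poolFqdn }
if (-not $web) { throw "Web services for pool $poolFqdn not found; check Get-CsService -WebServer" }

# Identifiers must be https URLs: the token exchange runs over TLS and the
# identifier the client presents is the https web service URL, so an http
# identifier would simply never match.
$identifiers = @("https://$($web.InternalFqdn)", "https://$($web.ExternalFqdn)")
foreach ($id in $identifiers) {
    if ($id -notmatch '^https://[A-Za-z0-9.-]+$') { throw "Refusing non-https identifier: $id" }
}
Write-Host "Relying party identifiers to use in AD FS:"
$identifiers | ForEach-Object { Write-Host "  $_" }

# Sanity check before touching anything: internal autodiscover still answers over https.
# /Autodiscover/AutodiscoverService.svc/root is the SfB autodiscover root endpoint.
$autodiscover = "https://$($web.InternalFqdn)/Autodiscover/AutodiscoverService.svc/root"
$resp = Invoke-WebRequest -Uri $autodiscover -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Autodiscover root returned $($resp.StatusCode)" }

# ---- Step 2 (run on the AD FS server): create the relying party trust ----
# One trust, both identifiers. The authorization rule below is the built-in
# "Permit Access to All Users" template; add the issuance transform rules the
# guide specifies for your build (not reproduced here, they are version specific).
$rpName = 'Skype for Business Server'   # assumed display name
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $identifiers `
        -IssuanceAuthorizationRules $permitAll
}
# Confirm both https identifiers landed on the trust.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$missing = $identifiers | Where-Object { $trust.Identifier -notcontains $_ }
if ($missing) { throw "Trust is missing identifiers: $($missing -join ', ')" }

# ---- Step 3 (run on an SfB front end): register AD FS as the OAuth server ----
# Federation metadata is fetched over https from AD FS; -Type ADFS and
# -AcceptSecurityIdentifierInformation are assumed from the cmdlet reference.
$adfsMetadata = 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
if (-not (Get-CsOAuthServer -Identity 'ADFS' -ErrorAction SilentlyContinue)) {
    New-CsOAuthServer -Identity 'ADFS' `
        -MetadataUrl $adfsMetadata `
        -Type ADFS `
        -AcceptSecurityIdentifierInformation $true
}
# This is the switch the question asks about: from here on client authorization
# is handed to AD FS. It does not change autodiscover, which still serves the
# same https web service URLs collected in step 1.
Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity 'ADFS'
Get-CsOAuthConfiguration | Select-Object Identity, ClientAuthorizationOAuthServerIdentity
```

Run steps 1 and 3 in the SfB Management Shell and step 2 in an elevated AD FS PowerShell session; the identifier check in step 2 is the quickest way to catch the http/https mistake the follow-up question worries about, and the autodiscover request in step 1 gives you a before/after comparison for internal sign-in once the OAuth server is set.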