Skype for Business web passive authentication, ensuring that Windows auth is fully disabled

  • Question

  • Hello,

    I have been lab'ing a Skype for Business environment, and was able to successfully enable passive authentication (WS-Fed) with ADFS. I have disabled Kerberos and NTLM on the pool registrar, and disabled NTLM on the web services configuration, forcing passive authentication only.

    This works fine for web conferencing, cert requests, mobile, dial-in, scheduler, etc., however, there are still URLs that send a 401 challenge, such as
    https://lyncweb-ext.contoso.com/RgsClients/Tab.aspx

    which appears to be the Response Group client site. I can disable Windows auth for this on the external IIS application, but is this supported? Is there something I am missing? Or are these potential URLs documented so I can block them on my reverse proxy?

    My main concern is the potential for account lockouts (which I have tested, and it does lock out accounts), especially if we change our UPNs to our email addresses.

    Thanks!

    Thursday, November 17, 2016 4:39 AM
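    The check the question calls for is a pass over every externally published web-services URL to see which ones still answer anonymous requests with an NTLM/Negotiate challenge (the lockout risk) rather than a redirect to the ADFS WS-Federation sign-in page. The following is an added example written for this thread, not code from the poster or from Microsoft: it parses WWW-Authenticate and Location headers, classifies each endpoint, and lists the ones still offering Windows auth. The host names, URLs and sample responses are constructed; `probe()` is a hypothetical helper for fetching live headers without following redirects.

    ```python
    """Audit Skype for Business web URLs for lingering Windows-auth challenges.

    Added example (not from the thread or Microsoft). After forcing WS-Fed
    passive auth, some URLs may still answer with a 401 NTLM/Negotiate
    challenge, which lets anonymous callers burn logon attempts against a DC.
    Each endpoint is classified from its HTTP status and response headers.
    """
    import re
    import urllib.error
    import urllib.request
    from urllib.parse import parse_qs, urlparse

    # Challenge schemes that a domain controller ends up validating
    WINDOWS_SCHEMES = {"ntlm", "negotiate"}

    # A challenge's scheme is the first token of each comma-separated challenge;
    # parameters such as realm= and nonce= are skipped because '=' follows them.
    _SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9._-]*)(?=[\s,]|$)")


    def parse_www_authenticate(values):
        """Return lower-cased scheme names from one or more WWW-Authenticate values."""
        schemes = []
        for value in values:
            schemes.extend(m.group(1).lower() for m in _SCHEME_RE.finditer(value))
        return schemes


    def is_wsfed_signin(location):
        """True when a redirect target is an ADFS WS-Federation sign-in URL."""
        parsed = urlparse(location)
        query = parse_qs(parsed.query)
        return "/adfs/ls" in parsed.path.lower() and query.get("wa") == ["wsignin1.0"]


    def classify(status, headers):
        """Classify one response; headers is a list of (name, value) pairs."""
        by_name = {}
        for name, value in headers:
            by_name.setdefault(name.lower(), []).append(value)
        if status == 401:
            schemes = parse_www_authenticate(by_name.get("www-authenticate", []))
            if WINDOWS_SCHEMES & set(schemes):
                return "windows-auth"          # the lockout-prone case
            return "other-challenge" if schemes else "unknown"
        if status in (301, 302, 303, 307, 308):
            location = by_name.get("location", [""])[0]
            return "ws-fed-redirect" if is_wsfed_signin(location) else "other-redirect"
        if status == 200:
            return "anonymous"
        if status == 403:
            return "denied"
        return "unknown"


    def windows_auth_urls(responses):
        """URLs from {url: (status, headers)} that still offer NTLM/Negotiate."""
        return sorted(u for u, (s, h) in responses.items() if classify(s, h) == "windows-auth")


    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # keep the 3xx so its Location header can be inspected


    def probe(url, timeout=10):
        """Hypothetical helper: fetch one URL anonymously and return (status, headers)."""
        opener = urllib.request.build_opener(_NoRedirect)
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.status, list(resp.headers.items())
        except urllib.error.HTTPError as err:
            return err.code, list(err.headers.items())


    # Constructed sample responses modelled on the thread's lyncweb-ext host.
    SAMPLE = {
        "https://lyncweb-ext.contoso.com/RgsClients/Tab.aspx": (
            401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
        "https://lyncweb-ext.contoso.com/Dialin/": (
            302, [("Location", "https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0"
                               "&wtrealm=https%3a%2f%2flyncweb-ext.contoso.com%2f")]),
        "https://lyncweb-ext.contoso.com/Meet/": (200, [("Content-Type", "text/html")]),
        "https://lyncweb-ext.contoso.com/Abs/Handler/": (
            401, [("WWW-Authenticate", 'Bearer realm="contoso.com"')]),
    }

    if __name__ == "__main__":
        for url, (status, headers) in SAMPLE.items():
            print(f"{classify(status, headers):16} {url}")
        print("still offering Windows auth:", windows_auth_urls(SAMPLE))
    ```

    Run against live hosts by replacing `SAMPLE` with `{url: probe(url) for url in urls}`; anything reported as `windows-auth` is a candidate for disabling Windows authentication on that IIS application or blocking the path at the reverse proxy. Redirects are deliberately not followed, because the redirect target is what distinguishes a passive-auth endpoint from one that merely bounces elsewhere.
    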

All replies

  • Hi AndyK47,

    Welcome to post in our forum.

    For troubleshooting this issue, we need to confirm the following question:

    1. Would you please tell us whether you encounter the 401 challenge when Kerberos and NTLM are disabled? Did this issue appear when you enabled Kerberos and NTLM?

    2. What product did you use for the reverse proxy?


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 18, 2016 8:47 AM
    Moderator
  • Hi Alice,

    Thanks for taking the time to reply, I appreciate it!

    1) I am prompted for Windows authentication when I access the site above, not the ADFS forms authentication (or at the very least an access denied) that I was expecting. I get the prompt with NTLM enabled or disabled.

    I disabled NTLM via:
    Set-CsWebServiceConfiguration -Identity webserver:fepool.contoso.com -UseWsFedPassiveAuth $true -UseWindowsAuth none -UseCertificateAuth $true

    2) The reverse proxy I am using is ARR.

    The main reason it is an issue for us is that we only want to have two-factor authentication, as well as removing the potential for DoS (since these logon attempts are hitting a DC) via account lockouts.

    The only other company that I see that has passive authentication is Microsoft, and I am also able to get a credential prompt there, bypassing the ADFS logon there too (if requested I can provide specific URLs).

    Thanks again!

    Andrew

    Edit: Kerberos is only disabled for the CsProxyConfiguration; there is no tunable to disable Kerberos via CsWebServiceConfiguration, so my apologies for the note about it above.


    • Edited by AndyK47 Friday, November 18, 2016 9:09 PM
    Friday, November 18, 2016 1:44 PM
  • I'm going to open a premier ticket to look into this in the meantime. If I find a solution I will post it here for posterity.
    Tuesday, November 22, 2016 7:40 PM
  • Hi Andy,

    Thanks for your patience.

    I will do more research about this issue. If you find any solution, please share the method in our forum if possible; it will help others who have a similar issue.


    Regards,

    Alice Wang



    Wednesday, November 23, 2016 9:08 AM
    Moderator
  • No problem at all, I also appreciate you looking into it on your end. I currently have a case open with Premier, so I am hoping to have more information soon.
    Tuesday, December 6, 2016 9:30 PM
  • Hi Andy,

    OK, if I have some more information, I will update you as soon as possible.


    Regards,

    Alice Wang



    Wednesday, December 7, 2016 1:50 AM
    Moderator
  • While passive authentication works, if you want to use ADFS with Skype for Business, I would recommend looking at enabling Modern Authentication:

    https://technet.microsoft.com/en-us/library/mt710548.aspx

    Wednesday, February 1, 2017 2:56 PM