Modern authentication in Skype for Business

You have probably heard about modern authentication, there’s a lot of talk about it. Especially when it comes to Office 365 and Azure. You might have seen the acronym ADAL which is the Active Directory Authentication Library which is modern authentication. So, what is modern authentication and what does it mean for Skype for Business?

Well, let’s first take a look at what  modern authentication is before we start looking at how it works in Skype for Business. While modern authentication is something that is presented as something new and shiny, the corner stones and the foundation is nothing new. Modern authentication simply put, is federation. Which in the Microsoft world means AD FS.

So what does this mean for Skype for Business? Well, to be honest, not very much. It works pretty much the same as the old Passive authentication which was also based on federation. Sadly there’s no EWS integration unless you are using Office365. Hopefully this will change.

The sign in flow differs from the original behavior: An S4B client attempts to connect to the S4B server, gets redirected to AD FS where the client is presented with an authentication form, user authenticates and gets a claim and is then redirected back to the S4B server where the claim is accepted by the S4B server and the client gets the webticket. So what has changed?

From my initial tests I’ve found that they’ve changed the federation protocol to Oauth2 which comes as no surprise as it is being pushed quite heavily. Secondly, ADAL support is built into the client so unlike passive authentication the client doesn’t spawn the browser window the same way (to present the authentication form) so it looks a tad bit different.

The image below is a screenshot of the sign in using modern authentication and the PointSharp MFA to provide two-factor authentication.


If you want to test modern authentication you can follow the steps on TechNet. Just remember that you need an AD FS server as well as the scripts needed to enable Oauth2 for Skype for Business (

S4B iOS Mobile EWS bug

The December update (version of the Skype for Business iOS mobile app contains a bug that breaks exchange integration. It’s quite annoying as it keeps popping an error message inside the client over and over.

When the client receives the Exchange Autodiscover request and parses the response it attempts to connect to the internal URL of EWS instead of the external URL. Since the internal URL most often aren’t reachable from the external network it wont reach the Exchange server.

I can think of two workarounds to this problem

  1. Set internalURL and externalURL to the same value. This might work for some companies depending on their DNS infrastructure but generally I think this is a bad idea.
  2. Rewrite the response data between exchange and the client so that the internalURL value matches the externalURL value.

Review: Plantronics Voyager Focus UC

Today’s post will be a review of the Voyager Focus UC headset from Plantronics. It is a bluetooth on-ear headset that is focused on communication. The name “Focus UC” becomes evident whenever you use it.

I’ve been living with this headset for the last couple of weeks. I’ve used it in any situation that requires a headset, be it a Skype for Business meeting or watching the latest episode of a TV-series. My iPhone has been constantly connected to the headset. The same goes for my laptop whenever it has been powered on.

When using a headset there are a few basic requirements that needs to be covered before we can go into specific details.


I’ve always been cautious when it comes to on-ear headsets because my ears are very sensitive. Some days I spend the majority of the day in Skype for Business meetings, which means hours on hours without taking the headset of. I have always thought that the constant pressure on the ears would make an on-ear headset impossible for me to use. Plantronics have proved me wrong, the Voyager Focus UC is very comfortable even after wearing them for a long time. This is because the ear pads are very soft and the pressure on the ears are very light but not as light as to cause the headset to slip out of place.

Audio quality

Needless to say audio quality is very important to a headset. The Voyager Focus UC does not disappoint in this department. The Active Noise Cancellation effect is, of course, less prominent than in an over-ear headset but for an office environment its just where it needs to be. I’m not bothered by any surrounding sound at all while I’m working at my desk. When listening to music the quality is good, I’m quite impressed by the bass delivered by the headset. While good audio quality is _quite_ common in headsets I find that mics are often lacking in quality. The mic of the Voyager Focus UC is nothing short of fantastic. I’ve tested it outside in windy conditions and it still performs really well.

Form factor

The Voyager Focus UC is a relatively small headset that is easy to carry around in, for instance, a lap top bag when you’re not wearing it. The build quality is good and feels robust while being very light weight.


From good to fantastic

The above categories are fundamentally important in a good headset.  So what can make a communications headset like this go from good to fantastic? In the case of the Voyager Focus UC it’s the combination of doing a fantastic job in the categories above with all the extra features Plantronics has incorporated into the device. Features that I, from now on, almost consider mandatory in a headset.

Apart from the standard controls of volume and answering/hanging up a call I really appreciate to be able to play/pause and skip tracks when listening to music. Being able to mute the headset with a button is s must for me but it’s not necessary with this headset (more on this later).

The Voyager Focus UC is a Bluetooth Class 1 unit which gives it a fantastic range when paired to another Class 1 device. It’s possible to be paired with up to two devices simultaneously. Whether it’s a call to my mobile phone or my Skype for Business PC-client I just click the answer button. And to all the Skype for Business people out there; when answering a call on your mobile phone the Plantronics hub sets your presence to “in a call”. That’s really neat.

Smart Sensor
The headset comes equipped with a Smart Sensor technology. This sensor knows whether you have your headset on or off. It can be used to answer calls by putting your headset, mute the mic when you take your headset off while in a call and unmute when you put it on again. It also pauses your music if you take it off and resumes when you take it on. Another nice thing is that when you take it off it disables the active noise cancellation to conserve battery when you’re not using the headset.

Battery life
The talk time is around 10-12 hours and about 8 hours for music/video. Meaning that even after a full day of meetings and music in between I still have battery left.


I am extremely impressed with this headset. I might be preaching to the (Skype4B) choir here but this headset is truly fantastic. Plantronics has made a fantastic headset that should cover any communication needs. If you are treating yourself to a new headset this Christmas I not only recommend this headset, I urge you to get the Voyager Focus UC. You won’t be disappointed.

Skype4B/Lync certificate expiration time

I was at Modern Workplace Summit in Olso a week ago and did a presentation together with Fabrizio Volpe (@fabriziovlp) about security in Skype for Business. A part of my presentation touched upon the certificate based authentication used by Lync and Skype for business. After a twitter conversation with Randy Chapman (@randychapman) and Alexander Holmeset (Holmez85) I decided to write a short post about it.

Skype4B uses an authentication method called TLS-DSK which is a certificate based authentication. No it’s not client certificate authentication, it’s certificate based authentication. There is a very big difference and from a security perspective it’s important to understand that it’s not client certificate authentication.

When a client has authenticated to the server (Kerberos or NTLM) it gets a webticket. That webticket is then used to contact the Certificate Provisioning Service and retrieve a “Skype4B/Lync certificate”. This certificate is then used for subsequent authentications using TLS-DSK.

By default this certificate is valid for 180 days. This means that the client can use this certificate to retrieve new webtickets for 180 days. When a webticket is retrieved using the certificate, no check towards Active Directory user object is done. This means a locked AD account can retrieve webtickets without any problems. It’s only when an NTLM authentication is done that the AD is involved in the authentication process.

So the obvious question here is of course; “is there any way to set how long these certificates should be valid”? Yes there is, it can be done in PowerShell. This setting is a part of the web services configuration. The command below sets the expiration time of issued certificates to 24 hours.

Set-CsWebServiceConfiguration -Id site:site1 -DefaultValidityPeriodHours 24

Updated: iOS 9 and Lync 2013 sign in problems

iOS 9 is here! And like most iPhone owners I downloaded iOS 9 yesterday and installed it. If you or your Lync users haven’t done this already you might be in for an unpleasant surprise.

After the install was done I launched Lync and and hit the sign in button. I was greeted with the following error mesage.


After doing all the normal troubleshooting I still couldn’t find the reason for the error.

Thanks to Guy Bachar’s post I first of all realized that I wasn’t alone in having this issue. Turns our that for some reason; if your regional setting on iPhone doesn’t match your iPhone language you can’t sign in to Lync if you are on iOS 9.

This worked fine in iOS 8 and to me it’s really frustrating. I prefer to have my regional settings set to Swedish to get date, currency and all that in the, for me, correct format but I still want my iPhone language set to English.

I also want to point out that for me it wasn’t enough to just set my iPhone language to “swedish”. I had to re-install the Lync app from AppStore to get it working again. I really hope this gets sorted soon.

Update: Microsoft has a KB for this I was a bit sad to see this: “This problem is fixed in the Microsoft Skype for Business for iOS app that will replace Lync for iPhone and Lync for iPad when it’s released. No fix for this issue is scheduled for the current releases of Lync for iPhone and Lync for iPad”.

Thanks to Marc Bertasius (@marcbertasius) for bringing this to my attention.

Microsoft Ignite and PointSharp 4.4 Skype4B Security

Hello! Those of you that read my twitter already know that I am going to Microsoft Ignite next week. Those who didn’t know would have known if they followed me on twitter (hint hint). Anyway, I’m going to Ignite with many of my PointSharp colleagues. I’ll be going to sessions, stalking various Skype MVPs and of course be in our booth (#563) and talk about Skype for Business security.

We will also be bringing our brand new version, PointSharp 4.4, to the conference which includes some nice features for Lync/Skype4B.

  • A new admin UI
    Previously we used the IIS Manager to configure our reverse proxy, in this version we have built our own UI which makes administration and deployment much easier.

    Mobile Gateway UI

  • Device registration for PC
    In our previous versions we created a partnership between a user and their mobile device. This ensures that credentials cannot be stolen and used on another device. Now, we are bringing this functionality to the Edge server which means that we can do the same for PCs.
  • Block clients
    We have made it possible to block an active client. For instance if a user’s phone is stolen/lost we can block that specific device. The client becomes useless, it doesn’t even matter if the correct credentials are stored on the mobile device or PC. No more disabling the whole account.

These new features combined with application specific passwords (no need for domain passwords on devices), pre-authentication and even two-factor authentication provides a lot of extra security to Lync/Skype4B. I have to say I’m proud of what our team has has done. More info at PointSharp

4.4 Architecture

Are you coming to Ignite? Come talk to me in our booth, ping me on twitter (@techmikal). I’ll also be at some of the UC oriented parties in the evenings. I hope to meet you there!