Modern authentication in Skype for Business

You have probably heard about modern authentication, there’s a lot of talk about it. Especially when it comes to Office 365 and Azure. You might have seen the acronym ADAL which is the Active Directory Authentication Library which is modern authentication. So, what is modern authentication and what does it mean for Skype for Business?

Well, let’s first take a look at what  modern authentication is before we start looking at how it works in Skype for Business. While modern authentication is something that is presented as something new and shiny, the corner stones and the foundation is nothing new. Modern authentication simply put, is federation. Which in the Microsoft world means AD FS.

So what does this mean for Skype for Business? Well, to be honest, not very much. It works pretty much the same as the old Passive authentication which was also based on federation. Sadly there’s no EWS integration unless you are using Office365. Hopefully this will change.

The sign in flow differs from the original behavior: An S4B client attempts to connect to the S4B server, gets redirected to AD FS where the client is presented with an authentication form, user authenticates and gets a claim and is then redirected back to the S4B server where the claim is accepted by the S4B server and the client gets the webticket. So what has changed?

From my initial tests I’ve found that they’ve changed the federation protocol to Oauth2 which comes as no surprise as it is being pushed quite heavily. Secondly, ADAL support is built into the client so unlike passive authentication the client doesn’t spawn the browser window the same way (to present the authentication form) so it looks a tad bit different.

The image below is a screenshot of the sign in using modern authentication and the PointSharp MFA to provide two-factor authentication.

IMG_0385

If you want to test modern authentication you can follow the steps on TechNet. Just remember that you need an AD FS server as well as the scripts needed to enable Oauth2 for Skype for Business (http://aka.ms/sfbadalscripts)

Advertisements