Symptoms
This update enables Active Directory Federation Services (ADFS) 3.0 support for Open Authentication (OAuth) tokens in a Microsoft Skype for Business Server 2015 environment.
Note OAuth is a standard protocol that's used for server-to-server authentication and authorization.
After you install this update, OAuth integration with ADFS is supported. This support includes the following:
-
OAuth interactive (forms-based authentication or Multi-factor authentication [MFA]) sign-in by running the Test-CsRegistration cmdlet.
The -AuthenticationMethod parameter has new OAuthInteractive value. If forms-based authentication or MFA is enabled on ADFS, it starts an Internet Explorer frame and prompts for credentials. -
Implements handling of PrimarySID claim in OAuth tokens to cater to resource forest deployment scenarios that other claims (UPN, SIP, email) aren't available for or to match the data that's stored in the resource forest.
-
Blocks fewer desktop client versions from using Active Directory Authentication Library (ADAL) for on-premises sign-in.
Note The following Skype for Business PowerShell cmdlets must be run to enable OAuth sign-in:New-CsOAuthServer -Identity <name> -Type adfs -MetadataUrl https://<adfs_fqdn>/FederationMetadata/2007-06/FederationMetadata.xml [-AcceptSecurityIdentifierInformation $true]
Set-CsOAuthConfiguraiton -ClientAuthorizationOAuthServerIdentity <name>
Resolution
To fix this issue, install the March 2016 cumulative update 6.0.9319.235 for Skype for Business Server 2015, core components.
