Summary
This article explains the authentication mechanisms of the following Skype for Business features:
- Dial-in conferencing
- Modern Admin Control Panel
- Web Scheduler applications
Note: We recommend that you use the new Modern Admin Control Panel (MACP) instead of the old Admin Control Panel. This is because the old panel operates on Silverlight technology that is out of support and receives no security updates.
For more information about the Web Scheduler component, see Skype for Business Web Scheduler.
Prerequisites to set OAuth for MACP
- To enable the Modern Admin Control Panel, the Active Directory Federation Services (AD FS) servers must be running on Windows Server 2016 or a later version.
Note: To be able to use the MACP, Session Initiation Protocol (SIP) doesn't have to be enabled by the administrator.
Setting up OAuth for MACP
June 2023 cumulative update 7.0.2046.521 for Skype for Business Server 2019, Macp Web Components, provides AD FS-based OAuth authentication support for the following features:
- Dial-in conferencing
- Modern Admin Control Panel
- Web Scheduler
Enabling AD FS-based OAuth authentication
AD FS on farm servers
- To enable AD FS on farm servers, make sure that the AD FS farm exists in the topology. For more information, see Federation Service, Configure Federation Server.
AD FS on FE servers
To enable AD FS on Front End (FE) Skype for Business Server 2019 servers, follow these steps:
- Install the June 2023 cumulative update 7.0.2046.521 for Skype for Business Server 2019, Macp Web Components on all FE servers in all pools in your Skype for Business Server 2019 environment.
- Configure AD FS OAuth:
  - To create an app on the AD FS server, run the New-CsAdfsApplicationForSFBWebApps cmdlet. The cmdlet will prompt you for required inputs, such as AD FS Server FQDN, credentials to sign in, AD FS Application Group Name (default: SFB), AD FS Native Application name (default: SFBWebapps), pool names in the topology, internal domain name, external domain name, and the simple URL for MACP.
    Notes:
    - The cmdlet will generate a unique adfsclientid (GUID) for the app.
    - To edit the app, run the Set-CsAdfsApplicationForSFBWebApps cmdlet by using the required inputs.
  - Run the New-CsOAuthServer cmdlet by using the identity name “onpremsts” to configure AD FS OAuth. Provide the AdfsMetadataUrl and AdfsClientId values that you obtained from the previous step.
    - To disable AD FS OAuth, run the Remove-CsOAuthServer onpremsts cmdlet.
    - To enable AD FS OAuth, run the New-CsOAuthServer cmdlet.
- To enable OAuth for the MACP, you must have the June 2023 cumulative update 7.0.2046.521 for Skype for Business Server 2019, Macp Web Components installed.
- If you have OAuth installed on your servers, you don't have to enable OAuth again when you update Skype for Business Server.
- Enabling or disabling OAuth authentication can't be done on a per-pool basis. OAuth must be applied to all pools collectively.
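A pre-flight check for the steps above, as an added example that is not part of the original article or of Microsoft's tooling: it confirms that every Front End server reports Macp Web Components at 7.0.2046.521 or later before OAuth is switched on for all pools. It assumes PowerShell remoting to each server, that Front End pools can be identified by a Registrar entry in the Get-CsPool output, and that the component's display name contains "Macp Web Components".

```powershell
# Added example. Run in the Skype for Business Server Management Shell.
$required  = [version]'7.0.2046.521'     # build stated in this article
$component = '*Macp Web Components*'     # assumed display name, taken from the update title

# Assumption: Front End pools are the pools whose Services list has a Registrar entry.
$feServers = Get-CsPool |
    Where-Object { $_.Services -match '^Registrar:' } |
    ForEach-Object { $_.Computers } |
    Sort-Object -Unique
if (-not $feServers) { throw 'No Front End servers found in the topology.' }

$report = foreach ($server in $feServers) {
    $row = [pscustomobject]@{ Server = $server; Installed = $null; Ready = $false; Note = '' }
    try {
        # Get-CsServerPatchVersion reports the local server only, so query each one remotely.
        $patch = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Import-Module SkypeForBusiness
            Get-CsServerPatchVersion
        } | Where-Object { $_.ComponentName -like $component } | Select-Object -First 1

        if ($null -eq $patch) {
            $row.Note = 'Macp Web Components not found'
        } else {
            $row.Installed = [version]"$($patch.Version)"
            $row.Ready     = $row.Installed -ge $required
            if (-not $row.Ready) { $row.Note = "below $required" }
        }
    } catch {
        # An unreachable server counts as not ready rather than being skipped.
        $row.Note = "query failed: $($_.Exception.Message)"
    }
    $row
}

$report | Format-Table -AutoSize

# OAuth applies to every pool at once, so one unpatched or unreachable server blocks the change.
$blocked = @($report | Where-Object { -not $_.Ready })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) server(s) not ready; do not run New-CsOAuthServer yet."
} elseif (Get-CsOAuthServer | Where-Object { "$($_.Identity)" -eq 'onpremsts' }) {
    Write-Output 'All servers patched; OAuth server "onpremsts" is already configured.'
} else {
    Write-Output 'All servers patched; "onpremsts" is not configured yet.'
}
```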
Sign-in screen for OAuth
If OAuth is configured correctly, the sign-in screen will be displayed to administrators for entering the user name and password.