Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Summary

After you apply the July 2018 cumulative update 6.0.9319.534 for Microsoft Skype for Business Server 2015, you can use the Get/Set-CsAuthConfig cmdlets to manage the authentication configuration for your Skype for Business Server.

Set-CsAuthConfig can be configured in 5 different ways as shown below.

 

External

Internal

Parameter

Description

 

1

Allow Modern Authentication (MA) and Windows Authentication

Allow MA and Windows Authentication

AllowAllExernallyAndInternally

Default scenario when MA is turned ON for Skype for Business Server.

2

Allow only MA

Allow MA and Windows Authentication

BlockWindowsAuthExternally

Blocks password attacks externally and allows older clients that don't support ADAL to still work internally, although clients that do support ADAL use MA internally.

3

Allow only MA

Allow only MA

BlockWindowsAuthExternallyAndInternally

Forces MA for all users. Only ADAL-capable clients will work.

4

Allow only MA

Allow only Windows Authentication

BlockWindowsAuthExternalyAndModernAuthInternally

Blocks password attacks externally and allows all internal clients to use legacy authentication.

5

Allow MA and Windows Authentication

Allow only Windows Authentication

BlockModernAuthInternally

Externally: ADAL clients will use MA and non-ADAL clients will use legacy authentication. Internally: All clients will use legacy authentication.

 

Running these cmdlets at a pool level:

  • The Set-CsAuthConfig cmdlet sets configuration on both the Registrar and the Web Services roles. This cmdlet is only meant to be run at the global level (and not at the pool level), and we highly recommend that you only use it in this manner. However, technically it can be run at a pool level. But realize that if the pool only has one of the roles needed (say, Registrar and not Web Services), then only the settings for Registrar will be set and the Web Services settings will come from the global setting. If a client uses the Registrar settings from one pool and the Web Services settings from another pool and the authentication settings are in an inconsistent state, the client may be unable to log on.

  • If there's only one role present for a pool:

    • Set - will only set the settings that correspond to the role that exists. No special warning will be given because some settings were not set.

    • Get - will return the setting that corresponds to the role that exists and the global settings for the role that doesn't exist.

  • If neither role is present for a pool, both Set and Get will return an error message.

  • If both roles are present for a pool but policies aren't defined at the pool level, Get will return an error message.

 

How to get this update

To get this update, install the July 2018 cumulative update 6.0.9319.534 for Skype for Business Server 2015, Core Components.

Note: After you modify the CsAuthConfig, you must run Enable-CsComputer cmdlet on all servers in order for the settings change to take effect.

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×