Skype for Business Server 2015 “Set-CsAuthConfig”

In the last month I found what seems to be a bug when trying to lock down authentication forms.

Externally, I wanted to disable old NTLM and only use modern authentication.
Just a note: I was on a Skype for Business Enterprise Edition setup with CU 10H1.

To change the authentication from the Skype side, you will need to run “Set-CsAuthConfig” with the scenario that you would like:
https://docs.microsoft.com/en-us/powershell/module/skype/set-csauthconfig?view=skype-ps

I wanted to use Scenario 2, to allow NTLM or Kerb internally for my legacy hardware like Polycom or BiAmps.

Scenario 2: External: MA; Internal: MA + Win; Parameter: BlockWindowsAuthExternally. This topology blocks NTLM externally, but allows NTLM or Kerb

Issue: After making the change, we found our legacy hardware was unable to sign in. After running logs, we found that the Skype server only wanted MA authentication. When we logged a call with Microsoft, they agreed that Scenario 2 has a bug in this environment.

The workaround: After playing around, because waiting for Microsoft to build a fix “ain’t no one got time for that”, I found that using Scenario 4 actually gave us the expected results and allowed legacy hardware to sign in.

Scenario 4: External: MA; Internal: Win; Parameter: BlockWindowsAuthExternallyAndModernAuthInternally. This topology blocks NTLM externally and MA internally. It allows all clients to use legacy authentication methods internally (even ADAL-capable clients).

Not sure if it's the forcing of no MA internally that was the key, but Scenario 2 should have worked.
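The change described above, written out as commands. This is an added example, not code from the original post. It assumes the Skype for Business Server Management Shell, uses Get-CsAuthConfig as the companion cmdlet for reading the setting back, and the snapshot file path is a constructed placeholder.

```powershell
# Added example: apply the Scenario 4 workaround and keep a record of the
# authentication configuration before and after the change.
# Run in the Skype for Business Server Management Shell.

# Snapshot the current configuration so the change can be reviewed later.
# The file name and location are constructed for this example.
$snapshot = Join-Path $env:TEMP 'CsAuthConfig-before.xml'
$before = Get-CsAuthConfig
$before | Export-Clixml -Path $snapshot

# Scenario 2 (External: MA; Internal: MA + Win) is the setting that did not
# behave as documented in this environment:
# Set-CsAuthConfig -Scenario BlockWindowsAuthExternally

# Scenario 4 (External: MA; Internal: Win) is the workaround from the post.
Set-CsAuthConfig -Scenario BlockWindowsAuthExternallyAndModernAuthInternally

# Read the configuration back and show both states for comparison.
$after = Get-CsAuthConfig
'--- before ---'
$before | Format-List
'--- after ---'
$after | Format-List
```

After applying the scenario, confirm the result the same way the post did: sign in from a legacy device on the internal network.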

 

 
