
Friday, November 2, 2012

Lync OAuth Protocol and Configuration


What is the Server-to-Server / OAuth Authentication Protocol?

OAuth2 is an open standard for authorization used by the Microsoft Office 2013 servers.
It allows users to access their private resources (e.g. Lync contact list, IM archiving) stored on servers without having to hand out their credentials: a token is presented in place of the username and password. Each token grants access to a specific service, for specific resources, and for a defined duration.


OAuth2 standard-based server-to-server trust across all Office 2013 servers:
Lync, Exchange, Microsoft Office SharePoint, Active Directory


In Lync it is enabled for the following scenarios:
Unified Contacts, IM Archiving, OWA meeting scheduling



Hybrid Model:



On-Premise Model:



Prerequisites:
Certificate: a token issuer certificate (OAuthTokenIssuer) must be requestable from your PKI.

TIP:
Every web server certificate that includes the name of the SIP domain in the Subject field can be used as the OAuthTokenIssuer certificate.

Configuration Steps for On-Premise Setup:

Start by requesting a certificate from the internal/external PKI and import it into the computer's certificate store.

First Step:
Get-CsCertificate -Type OAuthTokenIssuer
Import-CsCertificate -Identity global -Type OAuthTokenIssuer -Path C:\Certificates\ServerToServerAuth.pfx -Password "P@ssw0rd"

If a suitable certificate already exists (e.g. the default certificate), it can be used instead:
$x = (Get-CsCertificate -Type Default).Thumbprint
Set-CsCertificate -Identity global -Type OAuthTokenIssuer -Thumbprint $x


Next you need to activate the partner applications to make the new OAuth protocol work.
To do so, copy the script below and save it as ConfigureOAuthScript.ps1:

Script Start---------------------------------------------------------------------------------------------
# Remove a leftover partner application named "app" if one exists
if ((Get-CsPartnerApplication app -ErrorAction SilentlyContinue) -ne $null)
   {
       Remove-CsPartnerApplication app
   }

# Exchange: create the partner application, or replace it if its well-known identifier is wrong
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue

if ($exch -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl 'https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1' -ApplicationTrustLevel Full
   }
else
   {
      if ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
         {
            Remove-CsPartnerApplication microsoft.exchange
            New-CsPartnerApplication -Identity microsoft.exchange -MetadataUrl 'https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1' -ApplicationTrustLevel Full
         }
      else
         {
            # Identifier is correct; only make sure the trust level is Full
            Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full
         }
   }

# SharePoint: same logic as for Exchange
$shp = Get-CsPartnerApplication microsoft.sharepoint -ErrorAction SilentlyContinue

if ($shp -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl 'http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx' -ApplicationTrustLevel Full
   }
else
   {
      if ($shp.ApplicationIdentifier -ne "00000003-0000-0ff1-ce00-000000000000")
         {
            Remove-CsPartnerApplication microsoft.sharepoint
            New-CsPartnerApplication -Identity microsoft.sharepoint -MetadataUrl 'http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx' -ApplicationTrustLevel Full
         }
      else
         {
            Set-CsPartnerApplication -Identity microsoft.sharepoint -ApplicationTrustLevel Full
         }
   }

# Set the service name of the Lync OAuth configuration (well-known Lync identifier)
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Script End---------------------------------------------------------------------------------------------------

Note:
If your realm differs from the organization name (EXCHANGE), you also need to specify the -Realm parameter:
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000 -Realm "contoso.com"

Next Step:
Define the metadata URL (it differs between the Preview and RTM builds):
Lync 2013 Preview: https://atl-exchange-001.litwareinc.com/autodiscover/metadata/v1/json
Lync 2013 RTM:     https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1

When you run the script above, you might receive an error message similar to the following:
New-CsPartnerApplication : Cannot bind parameter 'MetadataUrl' to the target. Exception setting "MetadataUrl": "The metadata document could not be downloaded from the URL in the MetadataUrl parameter or downloaded data is not a valid metadata document."

This error message typically means one of two things:
1) one of the URLs specified in the script is invalid (that is, one of your metadata URLs is not actually a metadata URL); or
2) one of the metadata URLs could not be contacted. If this happens, verify that the URLs are correct and accessible, then re-run the script.


Last Step:
Verify the configured partner application settings:
Get-CsPartnerApplication

Result:
Identity              : microsoft.exchange
AuthToken             : Microsoft.Rtc.Management.WritableConfig.
                        Settings.SSAuth.UseOAuthServer
Name                  : microsoft.exchange
Realm                 : contoso.com
ApplicationTrustLevel : Full
Enabled               : True
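The following check script is an added example and not part of the original post or the Lync product: it validates, before and after running the configuration script, the three things this post depends on (reachable metadata URLs, a usable OAuthTokenIssuer certificate, partner applications with the expected well-known identifiers). It assumes the Lync Server Management Shell on PowerShell 3.0 or later; the SIP domain and metadata URLs are placeholders taken from the post and must be replaced with your own.

```powershell
# Added pre-flight/post-check for the OAuth setup above; not the blog's own script.
# Assumes the Lync Server Management Shell (PowerShell 3.0+) and that the SIP domain and
# metadata URLs below (placeholders taken from the post) are replaced with your own.
$sipDomain = 'litwareinc.com'
$expected  = @{
    'microsoft.exchange'   = '00000002-0000-0ff1-ce00-000000000000'
    'microsoft.sharepoint' = '00000003-0000-0ff1-ce00-000000000000'
}
$metadataUrls = @('https://atl-exchange-001.litwareinc.com/autodiscover/metadata/json/1',
                  'http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx')
# 1. Metadata endpoints must be reachable and return a JSON document; this is what the
#    "MetadataUrl" binding error quoted in the post indicates when it fails.
foreach ($url in $metadataUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        if ($r.Content -match '^\s*\{') { Write-Host "OK   metadata: $url" }
        else { Write-Warning "Not a JSON metadata document: $url" }
    } catch { Write-Warning "Cannot download $url : $($_.Exception.Message)" }
}
# 2. Token issuer certificate: assigned, inside its validity period, names the SIP domain
#    (Subject or SAN, as the TIP above requires) and is not expiring within 30 days.
$cert = Get-CsCertificate -Type OAuthTokenIssuer | Select-Object -First 1
if (-not $cert) { Write-Warning 'No OAuthTokenIssuer certificate is assigned' }
else {
    $names = "$($cert.Subject) $($cert.AlternativeNames -join ' ')"
    if ($names -notmatch [regex]::Escape($sipDomain)) {
        Write-Warning "OAuthTokenIssuer certificate does not name $sipDomain"
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning 'OAuthTokenIssuer certificate is outside its validity period'
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "OAuthTokenIssuer certificate expires on $($cert.NotAfter)"
    } else { Write-Host "OK   certificate $($cert.Thumbprint) valid until $($cert.NotAfter)" }
}
# 3. Partner applications: present, carrying the well-known identifier, Full trust, enabled.
foreach ($id in $expected.Keys) {
    $app = Get-CsPartnerApplication -Identity $id -ErrorAction SilentlyContinue
    if (-not $app) { Write-Warning "Partner application $id is missing"; continue }
    if ($app.ApplicationIdentifier -ne $expected[$id]) {
        Write-Warning "$id has identifier $($app.ApplicationIdentifier), expected $($expected[$id])"
    }
    if ($app.ApplicationTrustLevel -ne 'Full' -or -not $app.Enabled) {
        Write-Warning "$id is not at Full trust or is disabled"
    } else { Write-Host "OK   partner app $id" }
}
# 4. OAuth configuration: realm and service name the tokens are issued for.
$oauth = Get-CsOAuthConfiguration
Write-Host "Realm: $($oauth.Realm)  ServiceName: $($oauth.ServiceName)"
```

Run it from an elevated Lync Server Management Shell; each Write-Warning points at the step of this post that still needs attention.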



If you have any questions, please let me know; I will do my best to support you.


2 comments:

  1. Hi,

    We have lync 2013, sharepoint 2013 and exchange 2010 on premise. Will Oauth work with exchange 2010 and is it supported?

    Cheers

    1. Hi Paul,
      No, OAuth is only supported and even implemented with Office 2013 Server products.
