User and client authentication for Skype for Business Server 2015

Skype for Business Server 2015

Last modified: 2016-07-14

A trusted user is one whose credentials have been authenticated by a trusted server in Skype for Business Server 2015. This server is usually a Standard Edition server, an Enterprise Edition Front End Server, or a Director. Skype for Business Server relies on Active Directory Domain Services as the single, trusted back-end repository of user credentials.

Authentication is the provision of user credentials to a trusted server. Skype for Business Server uses the following authentication protocols, depending on the status and location of the user.

  • MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services (the client must reach a domain controller acting as Key Distribution Center), which is why it cannot be used for authenticating clients outside the corporate firewall.

  • NTLM protocol for users with Active Directory credentials who are connecting from an endpoint outside the corporate firewall. The Access Edge service passes logon requests to a Director, if present, or otherwise to a Front End Server for authentication. The Access Edge service itself performs no authentication.

    NTLM offers weaker protection against attack than Kerberos, so some organizations minimize NTLM usage. As a result, access to Skype for Business Server 2015 might be restricted to internal clients or to clients connected through a VPN or DirectAccess connection.

  • Digest protocol for so-called anonymous users. Anonymous users are outside users who do not have recognized Active Directory credentials but who have been invited to an on-premises conference and possess a valid conference key. Digest authentication is not used for other client interactions.

Skype for Business Server 2015 authentication consists of two phases:

  1. A security association is established between the client and the server.

  2. The client and server use the existing security association to sign messages that they send and to verify the messages they receive. Unauthenticated messages from a client are not accepted when authentication is enabled on the server.

User trust is attached to each message that originates from a user, not to the user identity itself. The server checks each message for valid user credentials. If the user credentials are valid, the message is unchallenged not only by the first server to receive it but by all other servers in the trusted server cloud.

Users with valid credentials issued by a federated partner are trusted, but additional constraints can optionally prevent them from enjoying the full range of privileges accorded to internal users.

The ICE and TURN protocols also use a Digest-style challenge (the long-term credential mechanism) as described in the IETF TURN RFC.
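As an added example (not code from this page or from Skype for Business Server), the following Python sketch walks through the TURN long-term credential exchange that sentence refers to, as RFC 5389 and RFC 5766 specify it: an unauthenticated Allocate request is answered with a 401 carrying REALM and NONCE, the client derives the shared key MD5(username:realm:password), and every later message carries a MESSAGE-INTEGRITY HMAC-SHA1 that the relay verifies. It also mirrors the two-phase model described earlier on this page (a challenge establishes the association, then each message is signed). The realm, user name, password and nonce policy are constructed for the demonstration; SASLprep is omitted, and any proprietary TURN extensions the Edge Server may use are not modeled.

```python
"""Constructed TURN long-term-credential exchange (RFC 5389 sections 10.2 and 15.4, RFC 5766
section 4). The realm, user database and nonce handling are assumptions for the demo and are
not Skype for Business Server's implementation."""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST, ALLOCATE_SUCCESS, ALLOCATE_ERROR = 0x0003, 0x0103, 0x0113
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY, ATTR_ERROR_CODE = 0x0006, 0x0008, 0x0009
ATTR_REALM, ATTR_NONCE, ATTR_REQUESTED_TRANSPORT = 0x0014, 0x0015, 0x0019
UDP_TRANSPORT = struct.pack("!BBH", 17, 0, 0)   # REQUESTED-TRANSPORT: protocol 17 = UDP


def long_term_key(username, realm, password):
    """RFC 5389 15.4: key = MD5(username ":" realm ":" SASLprep(password)).
    SASLprep is omitted here; it is the identity for plain ASCII passwords."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def encode_attr(atype, value):
    pad = (-len(value)) % 4                      # attributes are padded to 32-bit boundaries
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad


def build_message(msg_type, txid, attrs, key=None):
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if key is None:
        return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body
    # The header length covered by the HMAC already counts the 24-byte MESSAGE-INTEGRITY
    # attribute that is appended after the digest is computed (RFC 5389 15.4).
    header = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + encode_attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attrs(msg):
    """Yield (type, value, offset) for each attribute after the 20-byte STUN header."""
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        yield atype, msg[off + 4:off + 4 + alen], off
        off += 4 + alen + (-alen) % 4


def verify_integrity(msg, key):
    """Recompute MESSAGE-INTEGRITY over everything preceding it, with the header length
    rewritten as if MESSAGE-INTEGRITY were the final attribute."""
    for atype, value, off in parse_attrs(msg):
        if atype == ATTR_MESSAGE_INTEGRITY:
            header = msg[:2] + struct.pack("!H", off - 20 + 24) + msg[4:20]
            expected = hmac.new(key, header + msg[20:off], hashlib.sha1).digest()
            return hmac.compare_digest(expected, value)
    return False                                  # unsigned messages are never accepted


class TurnServer:
    """Minimal relay-side authenticator: challenges unauthenticated Allocates, then checks
    the HMAC with the key derived from its own copy of the user's password."""

    def __init__(self, realm, users):
        self.realm, self.users, self.nonces = realm, users, set()

    def error(self, txid, code, reason, extra=()):
        ec = struct.pack("!HBB", 0, code // 100, code % 100) + reason.encode()
        return build_message(ALLOCATE_ERROR, txid, [(ATTR_ERROR_CODE, ec), *extra])

    def handle(self, msg):
        txid = msg[8:20]
        attrs = {t: v for t, v, _ in parse_attrs(msg)}
        if ATTR_MESSAGE_INTEGRITY not in attrs:          # first contact: issue the challenge
            nonce = os.urandom(16).hex().encode()
            self.nonces.add(nonce)
            return self.error(txid, 401, "Unauthorized",
                              [(ATTR_REALM, self.realm.encode()), (ATTR_NONCE, nonce)])
        if attrs.get(ATTR_NONCE) not in self.nonces:     # nonce we never issued (or expired)
            return self.error(txid, 438, "Stale Nonce")
        user = attrs.get(ATTR_USERNAME, b"").decode(errors="replace")
        if user not in self.users:
            return self.error(txid, 401, "Unauthorized")
        key = long_term_key(user, self.realm, self.users[user])
        if not verify_integrity(msg, key):               # wrong password or tampered request
            return self.error(txid, 401, "Unauthorized")
        return build_message(ALLOCATE_SUCCESS, txid, [], key)   # responses are signed too


def allocate(server, username, password):
    """Client side of the exchange; returns the STUN message type of the final answer."""
    challenge = server.handle(build_message(ALLOCATE_REQUEST, os.urandom(12),
                                            [(ATTR_REQUESTED_TRANSPORT, UDP_TRANSPORT)]))
    ch = {t: v for t, v, _ in parse_attrs(challenge)}
    realm, nonce = ch[ATTR_REALM].decode(), ch[ATTR_NONCE]
    key = long_term_key(username, realm, password)
    reply = server.handle(build_message(ALLOCATE_REQUEST, os.urandom(12), [
        (ATTR_REQUESTED_TRANSPORT, UDP_TRANSPORT),
        (ATTR_USERNAME, username.encode()),
        (ATTR_REALM, realm.encode()),
        (ATTR_NONCE, nonce),
    ], key))
    return struct.unpack("!H", reply[:2])[0]


# Constructed sample credentials for the demonstration.
SERVER = TurnServer("media.contoso.example", {"conf-4815": "s3cret-key"})

if __name__ == "__main__":
    print(hex(allocate(SERVER, "conf-4815", "s3cret-key")))   # 0x103: Allocate success
    print(hex(allocate(SERVER, "conf-4815", "wrong")))        # 0x113: Allocate error (401)
```

Two details matter in practice and are visible in the code: the relay never evaluates a request that lacks MESSAGE-INTEGRITY beyond issuing a challenge, and the HMAC covers the header with the length field adjusted, so truncating or appending attributes after signing is detected.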

Client certificates provide an alternate way for users to be authenticated by Skype for Business Server 2015. Instead of providing a user name and password, users have a certificate and the private key corresponding to it, which is required to resolve a cryptographic challenge. The certificate must have a subject name or subject alternative name that identifies the user, must be issued by a root CA that the servers running Skype for Business Server 2015 trust, must be within its validity period, and must not have been revoked. To be authenticated, users only need to type in a personal identification number (PIN). Certificates are particularly useful for telephones, mobile phones, and other devices where entering a user name and password is difficult.
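Added example, not Skype for Business Server code: the four certificate checks listed above (trusted issuer, validity period, revocation status, and a subject or SAN that names the user) implemented with the PyCA cryptography library against an in-memory CA, user certificate and CRL. The CA name, the UPN, and the use of Microsoft's userPrincipalName otherName OID in the SAN are assumptions for the demonstration; the PIN that unlocks the private key on the device, and the challenge the key answers, are outside the example's scope.

```python
"""Constructed example of the certificate checks for user authentication, using the PyCA
`cryptography` package. CA, leaf certificate and CRL are generated in memory for the demo;
names, UPN and lifetimes are illustrative assumptions, not Skype for Business Server code."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Microsoft's userPrincipalName otherName OID, commonly used by AD-issued user certificates.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
UTC = dt.timezone.utc


def utcnow():
    return dt.datetime.now(UTC)


def days_from_now(n):
    return utcnow() + dt.timedelta(days=n)


def make_ca(name="Contoso Root CA"):
    """Self-signed root; the name is an assumption for the demonstration."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(days_from_now(-1)).not_valid_after(days_from_now(3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_cert(ca_key, ca_cert, upn, days=365):
    """Leaf certificate whose SAN carries the UPN as a DER UTF8String otherName."""
    key = ec.generate_private_key(ec.SECP256R1())
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode()   # short-form DER; assumes < 128 bytes
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(utcnow() - dt.timedelta(minutes=5))
            .not_valid_after(days_from_now(days))
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials=()):
    now = utcnow()
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + dt.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert):
    if hasattr(cert, "not_valid_before_utc"):               # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def identities_in(cert):
    """Names the certificate binds to a user: subject CN plus any UPN otherName in the SAN."""
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return names
    return names + [o.value[2:].decode() for o in san.get_values_for_type(x509.OtherName)
                    if o.type_id == UPN_OID]


def authenticate_certificate(cert, trusted_roots, crl, expected_upn, now=None):
    """Return (accepted, reason). Order: trusted issuer, validity period, revocation, identity."""
    now = now or utcnow()
    root = next((r for r in trusted_roots if r.subject == cert.issuer), None)
    if root is None:
        return False, "issuer is not a trusted root"
    try:   # name match alone is not trust: the leaf must verify under the pinned root's key
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under the trusted root"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return False, "outside validity period"
    if crl.issuer != root.subject or not crl.is_signature_valid(root.public_key()):
        return False, "CRL not signed by the issuing CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked"
    if expected_upn not in identities_in(cert):
        return False, "certificate does not identify the claimed user"
    return True, "ok"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, alice = issue_user_cert(ca_key, ca_cert, "alice@contoso.example")
    print(authenticate_certificate(alice, [ca_cert], build_crl(ca_key, ca_cert), "alice@contoso.example"))
```

The example deliberately looks the issuer up by name and then verifies the signature under that root's key, since a certificate whose issuer field merely matches a trusted CA name is exactly what an attacker with their own CA can produce. Requires `pip install cryptography`.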