Manage server-to-server authentication (OAuth) and partner applications in Skype for Business Server 2015

Skype for Business Server 2015

Last modified: 2015-08-17

Summary: Manage OAuth and partner applications in Skype for Business Server 2015.

Skype for Business Server 2015 must be able to communicate securely and seamlessly with other applications and server products. For example, you can configure Skype for Business Server 2015 so that contact data and/or archiving data is stored in Microsoft Exchange Server 2013; however, this can only be done if Skype for Business Server and Exchange are able to securely communicate with one another. Likewise, you can schedule a Skype for Business Server conference from within Office Web Apps Server; again, this can only be done if the two servers (SharePoint and Skype for Business Server) trust one another. Although it's possible to use one authentication mechanism for communication between Skype for Business Server and Exchange but a separate mechanism for Skype for Business Server and SharePoint communication, a better and more efficient approach is to use a standardized method for all server-to-server authentication and authorization.

Using a single, standardized method for server-to-server authentication is the approach taken by Skype for Business Server 2015. For the 2013 release, Skype for Business Server 2015 (as well as other Microsoft Server products, including Exchange 2013 and SharePoint Server) supports the OAuth (Open Authorization) protocol for server-to-server authentication and authorization. With OAuth, a standard authorization protocol used by a number of major websites, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization are based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time.

OAuth authentication typically involves three parties: a single authorization server and the two realms that need to communicate with one another. (You can also do server-to-server authentication without using an authorization server, a process that will be discussed later in this document.) Security tokens are issued by the authorization server (also known as a security token server) to the two realms that need to communicate; these tokens verify that communications originating from one realm should be trusted by the other realm. For example, the authorization server might issue tokens that verify that users from a specific Skype for Business Server 2015 realm are able to access a specified Exchange 2013 realm, and vice versa.

A realm is simply a security container. By default, Skype for Business Server 2015 uses your default SIP domain as its OAuth realm. Additional SIP namespaces are added to the Subject Alternative Name list in the OAuth certificate.

Skype for Business Server 2015 supports three server-to-server authentication scenarios. With Skype for Business Server 2015 you can:

  • Configure server-to-server authentication between an on-premises installation of Skype for Business Server 2015 and an on-premises installation of Exchange 2013 and/or SharePoint Server.

  • Configure server-to-server authentication between a pair of Office 365 components (for example, between Microsoft Exchange Server and Skype for Business Server, or between Skype for Business Server 2015 and SharePoint).

  • Configure server-to-server authentication in a cross-premises environment (that is, server-to-server authentication between an on-premises server and an Office 365 component).

Note that, at this point in time, only Exchange 2013, SharePoint Server, Lync Server 2013 and Skype for Business Server 2015 support server-to-server authentication; if you are not running one of these servers, you will not be able to fully implement OAuth authentication.

Server-to-server authentication is also optional: if Skype for Business Server 2015 does not need to communicate with other servers (such as Exchange 2013), then server-to-server authentication can be skipped altogether. If server-to-server authentication is already configured for Lync Server 2013 and other applications, there's no need to redo it for Skype for Business Server 2015.

However, server-to-server authentication is required if you want to use some of the features in Skype for Business Server 2015, such as the "unified contact store." With unified contact store, Skype for Business Server 2015 contact information is stored in Exchange 2013 instead of in Skype for Business Server; this enables users to have a single set of contacts that is readily accessible from within Skype for Business, Outlook, or Outlook Web Access. Because the unified contact store requires Skype for Business Server 2015 to share information with Exchange 2013, you must use server-to-server authentication in order to deploy the feature. Server-to-server authentication is also required if you choose to use Exchange archiving, in which the transcripts of instant messaging sessions are saved as Exchange 2013 emails rather than as individual database records.

For the Office 365 version of Skype for Business Server to communicate with its Exchange counterpart, Skype for Business Server 2015 must first obtain a security token from the authorization server. Skype for Business Server then uses that security token to identify itself to Exchange. The Office 365 version of Exchange must go through the same process in order to communicate with Skype for Business Server 2015.

However, for on-premises server-to-server authentication between two Microsoft servers there is no need to use a third-party token server. Server products such as Skype for Business Server 2015 and Exchange 2013 have a built-in token server that can be used for authentication purposes with other Microsoft servers (such as SharePoint Server) that support server-to-server authentication. For example, Skype for Business Server 2015 can issue and sign a security token by itself, then use that token to communicate with Exchange 2013. In a case like this, there is no need for a third-party token server.

To configure server-to-server authentication for an on-premises implementation of Skype for Business Server 2015, you must do two things:

  • Assign a certificate to the built-in Skype for Business Server 2015 token issuer.

  • Configure the server that Skype for Business Server 2015 will communicate with to be a "partner application." For example, if Skype for Business Server 2015 needs to communicate with Exchange 2013, then you will need to configure Exchange to be a partner application.

A "partner application" is any application that Skype for Business Server 2015 can directly exchange security tokens with, without having to go through a third-party security token server.
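The two on-premises steps above, followed by the checks an administrator would run afterwards, as an added example that is not part of the original page. The certificate thumbprint and the Exchange metadata URL (`autodiscover.example.com`) are placeholders to replace with your own values, and the 60-day expiry window is an arbitrary choice for illustration.

```powershell
# Run in the Skype for Business Server Management Shell.
# Placeholders constructed for this example (not values from the page):
$thumbprint  = '<THUMBPRINT-OF-OAUTH-CERTIFICATE>'
$metadataUrl = 'https://autodiscover.example.com/autodiscover/metadata/json/1'

# Step 1: assign the certificate to the built-in token issuer.
# The OAuthTokenIssuer certificate is assigned at the global scope.
Set-CsCertificate -Identity global -Type OAuthTokenIssuer -Thumbprint $thumbprint

# Check: confirm the assignment, review the SIP namespaces listed as
# alternative names, and warn when the signing certificate is close to expiry
# (an expired issuer certificate breaks every server-to-server trust).
foreach ($cert in Get-CsCertificate -Type OAuthTokenIssuer) {
    $cert | Format-List Subject, Thumbprint, NotAfter, AlternativeNames
    if ($cert.NotAfter -lt (Get-Date).AddDays(60)) {
        Write-Warning "OAuthTokenIssuer certificate expires on $($cert.NotAfter)"
    }
}

# Step 2: register Exchange 2013 as a partner application by pointing at
# its authentication metadata document.
New-CsPartnerApplication -Identity Exchange `
    -ApplicationTrustLevel Full `
    -MetadataUrl $metadataUrl

# Audit: every partner application listed here can exchange security tokens
# directly with this deployment, so review the list and the trust levels.
Get-CsPartnerApplication |
    Format-Table Identity, ApplicationTrustLevel, Enabled, Realm -AutoSize

# Review the OAuth realm and related global settings.
Get-CsOAuthConfiguration
```

Because each registered partner application is trusted to exchange tokens without a third-party token server, the `Get-CsPartnerApplication` output is worth reviewing periodically for entries that are no longer needed.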

Note that OAuth is a core part of the product and cannot be disabled or removed.