Configure OAuth between Skype for Business Online and Exchange on premises

Skype for Business Server 2015

Last modified: 2016-12-20

Configuring OAuth authentication between Exchange on premises and Skype for Business Online enables the Skype for Business and Exchange integration features described in Feature support.

This topic applies to Exchange Server 2016 and Exchange Server 2013.

Specify a verified domain for your Skype for Business Online organization. This domain should be the same domain used as the primary SIP domain for the cloud-based accounts. This domain is referred to as <your Verified Domain> in the following procedure.

Run the following command in the Exchange Management Shell (the Exchange PowerShell) in your on-premises Exchange organization.

New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/<your Verified Domain>/metadata/json/1" 

Run the following command in the Exchange PowerShell in your on-premises Exchange organization.

Get-PartnerApplication | ?{$_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""} | Set-PartnerApplication -Enabled $true

This step is done on-premises. It creates a mail user and assigns it the appropriate management role rights. This account is then used in the next step.

Specify a verified domain for your Exchange organization. This domain should be the same domain used as the primary SMTP domain for the on-premises Exchange accounts. This domain is referred to as <your Verified Domain> in the following procedure. Also, <DomainControllerFQDN> should be the FQDN of a domain controller.

$user = New-MailUser -Name SfBOnline-ApplicationAccount -ExternalEmailAddress SfBOnline-ApplicationAccount@<your Verified Domain> -DomainController <DomainControllerFQDN> 

This command will hide the new mail user from address lists.

Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $True -DomainController <DomainControllerFQDN> 

These next two commands will assign the UserApplication and ArchiveApplication management role to this new account.

New-ManagementRoleAssignment -Role UserApplication -User $user.Identity -DomainController <DomainControllerFQDN> 

New-ManagementRoleAssignment -Role ArchiveApplication -User $user.Identity -DomainController <DomainControllerFQDN> 

Create a new partner application that uses the account you just created. Run the following command in the Exchange PowerShell in your on-premises Exchange organization.

New-PartnerApplication -Name SfBOnline -ApplicationIdentifier 00000004-0000-0ff1-ce00-000000000000 -Enabled $True -LinkedAccount $user.Identity
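The following script is an added verification check, not part of the original procedure. It reads back the on-premises objects created in the steps above (authorization server, the two partner applications, the linked mail user and its role assignments) and reports anything missing or disabled. It assumes the object names used on this page (AuthServer "WindowsAzureACS", mail user "SfBOnline-ApplicationAccount", partner application "SfBOnline"); adjust them if you chose different names.

```powershell
# Added verification script; not part of the original procedure.
# Run it in the Exchange Management Shell of the on-premises organization after
# the steps above. It assumes the object names used on this page.
$problems = @()

# 1. Authorization server that points at Azure AD ACS for your tenant
$authServer = Get-AuthServer -Identity "WindowsAzureACS" -ErrorAction SilentlyContinue
if (-not $authServer) {
    $problems += "AuthServer 'WindowsAzureACS' does not exist"
} elseif (-not $authServer.Enabled) {
    $problems += "AuthServer 'WindowsAzureACS' is disabled"
}

# 2. The Exchange Online partner application with an empty realm must be enabled
$exoApp = Get-PartnerApplication | Where-Object {
    $_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""
}
if (-not $exoApp) {
    $problems += "Exchange Online partner application (00000002-...) not found"
} elseif (-not $exoApp.Enabled) {
    $problems += "Exchange Online partner application (00000002-...) is disabled"
}

# 3. The Skype for Business Online partner application must be enabled and linked to the mail user
$sfbApp = Get-PartnerApplication -Identity "SfBOnline" -ErrorAction SilentlyContinue
if (-not $sfbApp) {
    $problems += "Partner application 'SfBOnline' does not exist"
} else {
    if ($sfbApp.ApplicationIdentifier -ne "00000004-0000-0ff1-ce00-000000000000") {
        $problems += "Partner application 'SfBOnline' has ApplicationIdentifier $($sfbApp.ApplicationIdentifier), expected 00000004-0000-0ff1-ce00-000000000000"
    }
    if (-not $sfbApp.Enabled) { $problems += "Partner application 'SfBOnline' is disabled" }
    if (-not $sfbApp.LinkedAccount) { $problems += "Partner application 'SfBOnline' has no linked account" }
}

# 4. The linked mail user must be hidden and hold the UserApplication and ArchiveApplication roles
$user = Get-MailUser -Identity "SfBOnline-ApplicationAccount" -ErrorAction SilentlyContinue
if (-not $user) {
    $problems += "Mail user 'SfBOnline-ApplicationAccount' does not exist"
} else {
    if (-not $user.HiddenFromAddressListsEnabled) {
        $problems += "Mail user '$($user.Name)' is visible in address lists"
    }
    # Role is an identity object; its string form is the role name
    $assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $user.Identity | ForEach-Object { "$($_.Role)" }
    foreach ($role in "UserApplication", "ArchiveApplication") {
        if ($assignedRoles -notcontains $role) {
            $problems += "Role '$role' is not assigned to '$($user.Name)'"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "On-premises OAuth objects for Skype for Business Online look correct."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

The linked account is deliberately a mail user with only the UserApplication and ArchiveApplication roles; if the check reports additional or missing roles, fix the assignment rather than widening the account's rights.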

Run a PowerShell script to export the on-premises authorization certificate, which you will import to your Skype for Business Online organization in the next step.

Save the following text to a PowerShell script file named, for example, ExportAuthCert.ps1.

# Thumbprint of the certificate this Exchange organization currently uses for OAuth
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
# Create the output folder if it does not exist yet
if((test-path $env:SYSTEMDRIVE\OAuthConfig) -eq $false)
{
md $env:SYSTEMDRIVE\OAuthConfig
}
cd $env:SYSTEMDRIVE\OAuthConfig
# Locate the certificate in the local machine store by its thumbprint
$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
# Export only the public certificate (DER-encoded .cer); the private key stays on the server
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certBytes = $oAuthCert.Export($certType)
$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
[System.IO.File]::WriteAllBytes($CertFile, $certBytes)

In Exchange PowerShell in your on-premises Exchange organization, run the PowerShell script that you just created. For example: .\ExportAuthCert.ps1

Next, use Windows PowerShell to upload the on-premises authorization certificate that you exported in the previous step to Azure Active Directory Access Control Services (ACS). To do this, the Azure Active Directory Module for Windows PowerShell cmdlets must already be installed. If it’s not installed, go to https://aka.ms/aadposh to install the Azure Active Directory Module for Windows PowerShell. Complete the following steps after the Azure Active Directory Module for Windows PowerShell is installed.

  1. Click the Azure Active Directory Module for Windows PowerShell shortcut to open a Windows PowerShell workspace that has the Azure AD cmdlets installed. All commands in this step will be run using the Windows PowerShell for Azure Active Directory console.

  2. Save the following text to a PowerShell script file named, for example, UploadAuthCert.ps1.

    # Sign in to the Azure AD tenant (prompts for tenant administrator credentials)
    Connect-MsolService;
    Import-Module msonlineextended;
    # Certificate exported from the on-premises Exchange organization in the previous step
    $CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
    $objFSO = New-Object -ComObject Scripting.FileSystemObject;
    $CertFile = $objFSO.GetAbsolutePathName($CertFile);
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
    $cer.Import($CertFile);
    # The raw DER bytes, base64-encoded, become the credential value
    $binCert = $cer.GetRawCertData();
    $credValue = [System.Convert]::ToBase64String($binCert);
    # Service principal of Exchange Online in the tenant
    $ServiceName = "00000002-0000-0ff1-ce00-000000000000";
    $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
    # Register the public key as an asymmetric credential used to verify tokens signed on premises
    New-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

  3. Run the PowerShell script that you created in the previous step. For example: .\UploadAuthCert.ps1

  4. After you start the script, a credentials dialog box is displayed. Enter the credentials for the tenant administrator account of your Microsoft Online Azure AD organization. After running the script, leave the Windows PowerShell for Azure AD session open. You will use this to run a PowerShell script in the next step.

Specify a verified domain for your Exchange organization. This domain should be the same domain used as the primary SMTP domain for the on-premises Exchange accounts. This domain is referred to as <your Verified Domain> in the following procedure.

Note:
Successfully running the following script requires that Windows PowerShell for Azure Active Directory is connected to your Microsoft Online Azure AD tenant, as explained in step 4 in the previous section.

  1. Save the following text to a PowerShell script file named, for example, RegisterEndpoints.ps1. This example uses a wildcard to register all endpoints under your verified domain. Replace <your Verified Domain> with a hostname authority for your on-premises Exchange organization.

    # Hostname authority of your on-premises Exchange endpoints (the wildcard covers every host in the domain)
    $externalAuthority="*.<your Verified Domain>"
    $ServiceName = "00000002-0000-0ff1-ce00-000000000000";
    $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName;
    # Add "<ServiceName>/<authority>" to the service principal's SPNs
    $spn = [string]::Format("{0}/{1}", $ServiceName, $externalAuthority);
    $p.ServicePrincipalNames.Add($spn);
    Set-MsolServicePrincipal -ObjectID $p.ObjectId -ServicePrincipalNames $p.ServicePrincipalNames;

  2. In Windows PowerShell for Azure Active Directory, run the Windows PowerShell script that you created in the previous step. For example: .\RegisterEndpoints.ps1
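The following script is an added verification check for the two cloud-side steps (certificate upload and endpoint registration), not part of the original procedure. Run it in the Windows PowerShell for Azure Active Directory session that is already connected with Connect-MsolService. It assumes the certificate file path and the <your Verified Domain> placeholder used on this page, and it assumes that Get-MsolServicePrincipalCredential -ReturnKeyValues $true returns the base64 certificate in the credential's Value property.

```powershell
# Added verification script; not part of the original procedure.
# Assumes an existing Connect-MsolService session; replace <your Verified Domain> first.
$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
$externalAuthority = "*.<your Verified Domain>"
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"

# Thumbprint of the certificate exported from the on-premises Exchange organization
$localCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
Write-Output "Exported OAuth certificate: thumbprint $($localCert.Thumbprint), valid until $($localCert.NotAfter)"

$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName

# 1. Endpoint registration: the SPN "<ServiceName>/<authority>" must be present
$expectedSpn = "$ServiceName/$externalAuthority"
if ($p.ServicePrincipalNames -contains $expectedSpn) {
    Write-Output "OK: SPN $expectedSpn is registered"
} else {
    Write-Output "MISSING: SPN $expectedSpn is not registered; run RegisterEndpoints.ps1"
}

# 2. Certificate registration: an asymmetric credential whose key is our certificate.
#    Assumption: with -ReturnKeyValues $true the cmdlet returns the base64 key in .Value
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $true
$matching = foreach ($c in $creds) {
    if ($c.Type -ne "Asymmetric" -or -not $c.Value) { continue }
    $bytes = [Convert]::FromBase64String($c.Value)
    $regCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($regCert.Thumbprint -eq $localCert.Thumbprint) { $c }
}
if (-not $matching) {
    Write-Output "MISSING: no registered credential matches thumbprint $($localCert.Thumbprint); run UploadAuthCert.ps1"
} else {
    foreach ($c in $matching) {
        $state = if ($c.EndDate -lt (Get-Date)) { "EXPIRED" } else { "OK" }
        Write-Output "${state}: credential $($c.KeyId) usage $($c.Usage), valid $($c.StartDate) to $($c.EndDate)"
    }
}
```

Each credential registered with New-MsolServicePrincipalCredential carries a StartDate and EndDate, and the on-premises authorization certificate itself has its own validity period; when either expires or the on-premises certificate is renewed, the export and upload steps have to be repeated or token verification fails silently from the user's point of view.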

Verify that the OAuth configuration is correct by confirming that some of the dependent features work, such as conversation history for mobile clients appearing in the Outlook Conversation History folder.

  1. Start the Skype for Business mobile app on your Windows Phone or iOS device and sign in as a Skype for Business Online user with an Exchange 2016 or Exchange 2013 on-premises mailbox.

  2. Have an instant messaging conversation with another Skype for Business Online user.

  3. Close the IM conversation window.

  4. Start Outlook for this user and verify that the conversation is visible in the Outlook Conversation history folder.
