Introduction
...
Skype users on-prem, Exchange users on cloud
When an organisation uses SkypeShield credentials to sign in to Skype for Business these credentials are sent to Exchange too.
Traffic goes via Bastion filters, and credentials for Skype for Business and EWS are converted to Windows credentials using our KCD filter which creates Kerberos tickets to ensure the requests are accepted by the on-prem servers.
When the user’s account is homed on O365 the Kerberos ticket we would generate wouldn’t be accepted.
To ensure that the request is accepted, we create an Azure account impersonation authentication token, which we attach to the request to ensure that the request is accepted.
This requires creating/using an azure application with appropriate permissions.