In this article, we are going to learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding, make sure to follow this KB in order to generate the user properties file.

What is the Authentication Extender

The Authentication Extender is an optional component; it is mandatory only when using SkypeShield Credentials (Dedicated credentials).
This component connects directly to the SfB/Lync FE and the CAS/Exchange server, and it needs delegation for these servers, which gives it privileges over them.
This component is a middle-man between the DMZ Bastion and the internal traffic: it receives traffic from the DMZ and authenticates on its behalf.

Installation

1. Right-click the installer and run it as an administrator.
2. When prompted with this window, click 'SphereShield for Skype for Business'.
3. If no properties file was detected, you will be asked to choose one (if you have one).
    Click Yes to specify a file, or No to proceed without specifying one. The default location of the file should be at:

...

  • Open 'Active Directory Users and Computers'
  • Select the server on which the Authentication Extender is installed, right-click and select properties.
  • Click 'Member Of', click 'Add', and in the text box enter 'Windows Authorization Access Group'.
  • Click 'OK' and then 'Apply'.


Delegate control to the computer

You can delegate control using one of two options.

Using a KCD user

Create the Kerberos Intermediate Account

...

In the case where a configuration for Exchange needs to be made, we will not use the Kerberos account. Instead, we will need to delegate the machine that runs the Authentication Extender directly.
Go to Active Directory Users and Computers and find the Authentication Extender server. Enable delegation as shown below. The “User or Computer” should be the Exchange servers. Add all Exchange servers that will be used for EWS by Skype for Business.



Delegate directly to the computer

  1. Open [Active Directory Users and Computers] and select [View] → [Advanced Features].
  2. Go to [Delegation] under the properties of the Computer object for the Authentication Extender server.
  3. Add the SPN for the HTTP service of the pool and the Front-end server.
  4. Add the Exchange servers in the same manner as above in case the EWS protector is also incorporated in the deployment.
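
A way to check the result of the delegation and group-membership steps above, as an added PowerShell example that is not part of the original KB or the vendor's tooling: it compares the SPNs on the server's computer object with the list you intended to add and confirms membership in 'Windows Authorization Access Group'. The function name, host names and SPNs are hypothetical placeholders, and treating unconstrained delegation as a finding is an assumption based on the per-service list this procedure configures.

```powershell
# Added example. Function name, host names and SPNs are constructed placeholders.
function Test-AuthExtenderDelegation {
    param(
        [Parameter(Mandatory)] $Computer,               # object shaped like Get-ADComputer output
        [Parameter(Mandatory)] [string[]] $ExpectedSpn  # services you intended to delegate to
    )
    $findings = @()
    # Drop empty entries so an unset attribute is treated as "no SPNs configured".
    $actual = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Assumption: the procedure adds specific services, so unconstrained delegation is unexpected.
    if ($Computer.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled (TrustedForDelegation = True)'
    }
    # -contains / -notcontains compare case-insensitively, which suits SPN strings.
    foreach ($spn in $ExpectedSpn) {
        if ($actual -notcontains $spn) { $findings += "Missing expected SPN: $spn" }
    }
    foreach ($spn in $actual) {
        if ($ExpectedSpn -notcontains $spn) { $findings += "Unexpected SPN: $spn" }
    }
    # MemberOf holds group distinguished names; match on the group's CN.
    if (-not (@($Computer.MemberOf) -match '^CN=Windows Authorization Access Group,')) {
        $findings += 'Not a member of Windows Authorization Access Group'
    }
    return $findings
}

# Constructed sample object. Against a real domain (ActiveDirectory module), use instead:
#   Get-ADComputer 'AUTHEXT01' -Properties 'msDS-AllowedToDelegateTo',TrustedForDelegation,MemberOf
$sample = [pscustomobject]@{
    Name                       = 'AUTHEXT01'
    TrustedForDelegation       = $false
    'msDS-AllowedToDelegateTo' = @('HTTP/sfbpool.example.test',
                                   'HTTP/sfbfe01.example.test',
                                   'HTTP/oldhost.example.test')
    MemberOf                   = @('CN=Windows Authorization Access Group,CN=Builtin,DC=example,DC=test')
}
$expected = 'HTTP/sfbpool.example.test', 'HTTP/sfbfe01.example.test', 'HTTP/exch01.example.test'

$result = Test-AuthExtenderDelegation -Computer $sample -ExpectedSpn $expected
if ($result) { $result } else { 'Delegation matches the expected list' }
```

An unexpected SPN in the output is worth reviewing, since every entry in the delegation list is a service the Authentication Extender server can authenticate to on a user's behalf.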


Replacing the signing certificate with your own after the system is up and running

...

In AuthConsumer.xml, replace the signing.crt certificate with your own certificate.


Simple Method

Attached file: KCD Setup.pdf