In this article, we are going to learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding make sure to follow this KB in order to generate the user properties file.

What is the Authentication Extender

The Authentication extender is an optional component that is mandatory only when using SkypeShield Credentials (Dedicated credentials).
This component is directly connected to the SfB/Lync FE and the CAS/Exchange server, it will need delegation for these servers to give it privileges over these servers.
This component is a middle-man between the DMZ Bastion and the internal traffic, it receives traffic from the DMZ and authenticates on its behalf.

Installation

1. Right-click the installer and run it as an administrator.
2.  When prompted with this windows click 'SphereShield for Skype for Business'


3. If no properties file was detected you will be asked to choose (if you have).
    Click yes, to specify a file and no to proceed without specifying. The default location of the file should be at:

...

In order for the Authentication Extender to work with a pool, it must be set with a special intermediate account which needs to be created
specifically for this purpose.

In order to create that Account, run the following command from in the FE server in the Skype for Business Management ShellShel(or Powershell):

New-CsKerberosAccount -UserAccount "<Domain>\<Account_Name>” -ContainerDN "ou=Servers,
dc=domain,dc=com"

...