In this article, we are going to learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding, make sure to follow this KB article in order to generate the user properties file.
What is the Authentication Extender
The Authentication Extender is an optional component; it is mandatory only when using SkypeShield Credentials (dedicated SphereShield for SfB credentials).
This component connects directly to the SfB/Lync Front End and the Exchange CAS servers, and it needs Kerberos delegation to these servers so that it can act with the required rights against them.
This component is a middle-man between the DMZ Bastion and the internal servers: it receives traffic from the DMZ and authenticates to the internal servers on the user's behalf.
Installation
1. Right-click the installer and run it as an administrator.
2. When prompted with this window, click 'SphereShield for Skype for Business':
3. If no properties file was detected, you will be asked whether you want to choose one.
Click Yes to specify a file, or No to proceed without one. The default location of the file is:
...
The Authentication Extender must be trusted for delegation. To do this, the installer provides a PowerShell script.
Click Yes to save the script to a file.
After saving the file, move it to your DC and execute the script there.
7. Make sure that the 'Bastion Reverse Proxy' service has been created on the Authentication Extender server:
...
Configuration
Bastion.xml Configuration
...
You can delegate control using two options:
Using a KCD user
Create the Kerberos Intermediate Account
...
In order for the Authentication Extender to work with a pool, it must use an intermediate Kerberos account created
specifically for this purpose.
To create that account, run the following command on the Front End server in the Skype for Business Management Shell (or in a PowerShell session with the Skype for Business module imported):
New-CsKerberosAccount -UserAccount "<Domain>\<Account_Name>" -ContainerDN "ou=Servers,dc=domain,dc=com"
...
This creates a computer object in AD. Once the account is assigned to the site (New-CsKerberosAccountAssignment) and the topology is enabled (Enable-CsTopology), it receives the HTTP SPNs of all
pools in the site.
The account's 'servicePrincipalName' attribute will contain HTTP/<pool FQDN> for the pool:
...
- Open [Active Directory Users and Computers] and enable [View] → [Advanced Features].
- Open the [Delegation] tab in the properties of the computer object of the Authentication Extender server, and choose delegation to specified services only (constrained delegation), not to any service.
- Add the HTTP service SPNs of the pool and of the Front End server.
- Add the Exchange (CAS) servers in the same manner if the EWS Protector is also part of the deployment.
...
Direct delegation per each Front-End/CAS instance
In a smaller deployment, you can delegate Kerberos directly to each Front End/CAS server instead of using an intermediate account; the same Delegation tab steps apply, with the SPNs of those servers.
...
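The following PowerShell script is an added verification example; it is not part of the SphereShield installer or of this KB. It checks what the delegation steps above (either the KCD-user option or direct delegation) and installation step 7 should have produced: the Authentication Extender computer object is constrained (not trusted for delegation to any service), its msDS-AllowedToDelegateTo list contains exactly the expected HTTP SPNs, the intermediate Kerberos account carries the pool's HTTP SPN, and the 'Bastion Reverse Proxy' service exists. The computer name AUTHEXT01, the account SfBKerbAuth, and the host names under contoso.com are placeholders you must replace with your own values; the -Apply switch, also an assumption of this example, adds missing SPNs with Set-ADComputer as the scriptable equivalent of the Delegation tab.

```powershell
# Added verification script (not part of the SphereShield installer or this KB).
# Run it on a domain-joined machine with the ActiveDirectory module (RSAT); the service
# check at the end is meant to run on the Authentication Extender server itself.
# All names below are placeholders: replace them with your own environment's values.
Import-Module ActiveDirectory

$AuthExtComputer = 'AUTHEXT01'      # Authentication Extender computer object (placeholder)
$KerberosAccount = 'SfBKerbAuth'    # object created by New-CsKerberosAccount (placeholder, KCD option)
$TargetHosts = @(
    'pool01.contoso.com'            # SfB pool FQDN (placeholder)
    'fe01.contoso.com'              # Front End server (placeholder)
    'cas01.contoso.com'             # Exchange CAS, only if the EWS Protector is deployed (placeholder)
)
$ExpectedSpns = $TargetHosts | ForEach-Object { "HTTP/$_" }

function Get-DelegationState {
    # Reads the delegation-related attributes of a computer object into a plain object.
    param([Parameter(Mandatory)][string]$Identity)
    $props = @('msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'servicePrincipalName')
    $obj = Get-ADComputer -Identity $Identity -Properties $props
    [pscustomobject]@{
        Name               = $obj.Name
        Unconstrained      = [bool]($obj.TrustedForDelegation)       # "any service": avoid for this role
        ProtocolTransition = [bool]($obj.TrustedToAuthForDelegation) # "use any authentication protocol"
        AllowedTo          = @($obj.'msDS-AllowedToDelegateTo')      # constrained delegation targets
        Spns               = @($obj.servicePrincipalName)
    }
}

function Test-AuthExtenderDelegation {
    # Returns a list of findings; an empty list means the delegation list matches expectations.
    param(
        [string]$Computer = $AuthExtComputer,
        [string[]]$RequiredSpns = $ExpectedSpns,
        [switch]$Apply   # add missing SPNs to msDS-AllowedToDelegateTo instead of only reporting them
    )
    $findings = @()
    $state = Get-DelegationState -Identity $Computer

    if ($state.Unconstrained) {
        $findings += "$Computer is trusted for delegation to ANY service (unconstrained). " +
                     "Switch to 'specified services only' and list the HTTP SPNs explicitly."
    }
    $missing = @($RequiredSpns | Where-Object { $_ -notin $state.AllowedTo })
    foreach ($spn in $missing) { $findings += "$Computer is missing delegation target $spn" }
    $extra = @($state.AllowedTo | Where-Object { $_ -notin $RequiredSpns })
    foreach ($spn in $extra) { $findings += "$Computer may delegate to unexpected target $spn (review)" }

    if ($Apply -and $missing.Count -gt 0) {
        # Scriptable equivalent of adding the services on the Delegation tab.
        Set-ADComputer -Identity $Computer -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
        $findings += "Added $($missing -join ', ') to msDS-AllowedToDelegateTo on $Computer"
    }
    return $findings
}

function Test-KerberosAccountSpns {
    # KCD-user option: the intermediate account must carry the pool's HTTP SPN; if it does not,
    # the site assignment / Enable-CsTopology step has not been completed yet.
    param([string]$Account = $KerberosAccount, [string]$PoolFqdn = $TargetHosts[0])
    $state = Get-DelegationState -Identity $Account
    if ("HTTP/$PoolFqdn" -notin $state.Spns) {
        return "Kerberos account $Account has no HTTP/$PoolFqdn SPN; current SPNs: $($state.Spns -join ', ')"
    }
    return $null
}

function Test-BastionReverseProxyService {
    # Installation step 7: the service must exist on the Authentication Extender server.
    param([string]$ServiceName = 'Bastion Reverse Proxy')
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
    if (-not $svc) { return "Service '$ServiceName' not found on $env:COMPUTERNAME" }
    if ($svc.Status -ne 'Running') { return "Service '$ServiceName' exists but is $($svc.Status)" }
    return $null
}

$results = @(Test-AuthExtenderDelegation) + @(Test-KerberosAccountSpns) + @(Test-BastionReverseProxyService) |
           Where-Object { $_ }
if ($results) { $results | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Delegation and service checks passed.' }
```

For the direct delegation option, drop Test-KerberosAccountSpns from the last pipeline and keep only the Front End/CAS host names in $TargetHosts. Setting msDS-AllowedToDelegateTo alone corresponds to "Kerberos only" constrained delegation; whether the Authentication Extender also needs "use any authentication protocol" (TrustedToAuthForDelegation) depends on the product, so the script reports that flag but does not change it.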