
In this article we will learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding, make sure to follow this KB in order to generate the user properties file, which the installer asks for.

What is the Authentication Extender

The Authentication Extender is an optional component that becomes mandatory only when using SkypeShield Credentials (dedicated credentials).
This component connects directly to the SfB/Lync Front End and to the CAS/Exchange server. It needs Kerberos delegation to those servers in order to obtain service tickets on behalf of users.
It acts as a middle-man between the DMZ Bastion and the internal network: it receives traffic from the DMZ and authenticates to the internal servers on the user's behalf, so the DMZ never holds domain credentials for those servers.

Installation

1. Right-click the installer and run it as an administrator.
2. When prompted with this window, click 'SphereShield for Skype for Business'.


3. If no properties file was detected you will be asked whether you want to specify one (if you have it).
    Click 'Yes' to specify a file, or 'No' to proceed without specifying one. The default location of the file should be:

...

6. After a successful installation, you will see the following message box:

...

In the KCD.xml file, enter the pool FQDN in the 'target' tag. This is the FQDN the Authentication Extender will request Kerberos service tickets for, so it must match the pool's HTTP SPN exactly.


WebTicket Application Configuration

In each front end server of the pool, we need to edit the WebTicket application of the external site to support Negotiate authentication.


Make sure that Negotiate is at the top of the providers list, above NTLM. IIS offers the providers in list order, so with NTLM first the client is never offered Kerberos and the delegated ticket from the Authentication Extender cannot be used.
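The following script is an added example for this KB and is not SphereShield's own code. Run it on each Front End server to check that the WebTicket application of the external web site lists Negotiate before NTLM, and to move Negotiate to the top if it does not. The site name 'Skype for Business Server External Web Site' and the application name 'WebTicket' are assumptions based on a default Skype for Business Server installation; adjust them to match your topology in IIS Manager.

```powershell
# Added example (not part of the SphereShield KB): checks and fixes the
# Windows authentication provider order of the WebTicket application on
# one Front End server. Site/application names below are assumptions.
Import-Module WebAdministration

$SiteName = 'Skype for Business Server External Web Site'   # assumed site name
$AppName  = 'WebTicket'                                      # assumed application name
$PsPath   = "IIS:\Sites\$SiteName\$AppName"
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WebTicketProviderOrder {
    # Returns provider names in the order IIS offers them in WWW-Authenticate.
    @(Get-WebConfiguration -PSPath $PsPath -Filter "$Filter/providers/add" |
        ForEach-Object { $_.value })
}

function Test-WebTicketProviderOrder {
    # $true only when Windows authentication is enabled and Negotiate precedes NTLM.
    $enabled = (Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name enabled).Value
    if (-not $enabled) {
        Write-Warning "Windows authentication is disabled on $PsPath"
        return $false
    }
    $order = Get-WebTicketProviderOrder
    Write-Host ("Provider order on {0}: {1}" -f $env:COMPUTERNAME, ($order -join ', '))
    $neg  = [array]::IndexOf($order, 'Negotiate')
    $ntlm = [array]::IndexOf($order, 'NTLM')
    if ($neg -lt 0) {
        Write-Warning 'Negotiate is not listed at all; Kerberos cannot be used'
        return $false
    }
    if ($ntlm -ge 0 -and $ntlm -lt $neg) {
        Write-Warning 'NTLM is listed before Negotiate; clients will be offered NTLM first'
        return $false
    }
    return $true
}

function Set-NegotiateFirst {
    # Moves Negotiate to index 0 of the providers collection (safe to re-run).
    if ((Get-WebTicketProviderOrder) -contains 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $PsPath -Filter "$Filter/providers" `
            -Name Collection -AtElement @{ value = 'Negotiate' }
    }
    Add-WebConfigurationProperty -PSPath $PsPath -Filter "$Filter/providers" `
        -Name Collection -AtIndex 0 -Value @{ value = 'Negotiate' }
}

if (-not (Test-WebTicketProviderOrder)) {
    Set-NegotiateFirst
    Test-WebTicketProviderOrder | Out-Null   # re-check after the change
}
```

The change is written to the application-level configuration of that site, so it has to be repeated on every Front End in the pool; the script does not touch the internal web site.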


Permissions

Add the computer object of the server running the Authentication Extender to the 'Windows Authorization Access Group' domain group. This membership lets the extender read users' group membership (tokenGroupsGlobalAndUniversal), which Kerberos constrained delegation needs to build the user's token. Follow these steps:

  • Open 'Active Directory Users and Computers'.
  • Select the server on which the Authentication Extender is installed, right-click it and select 'Properties'.
  • Click 'Member Of', click 'Add' and in the text box write 'Windows Authorization Access Group'.

...

  • Click 'OK' and then 'Apply'.


Create the Kerberos Intermediate Account

...

Run the following from the Skype for Business Server Management Shell. <Computer_Account_Name> is the name of the new account that will be created, not an existing computer:

New-CsKerberosAccount -UserAccount "<Domain>\<Computer_Account_Name>" -ContainerDN "ou=Servers,dc=domain,dc=com"

New-CsKerberosAccountAssignment -UserAccount "<Domain>\<Computer_Account_Name>" -Identity "Site:<Site_Name>"

Enable-CsTopology

Set-CsKerberosAccountPassword -UserAccount "<Domain>\<Computer_Account_Name>"


This creates a computer account in AD that is assigned all SPNs for the HTTP entries of the pools in the site.
The account's 'servicePrincipalName' attribute will contain the name of the pool:


Make sure to add this account's HTTP service for the pool to the delegation settings (the 'Delegation' tab) of the computer account that runs the Authentication Extender, using constrained delegation to the specified services only. Do not enable unconstrained delegation ('Trust this computer for delegation to any service'), as that would let the extender impersonate users to any service in the domain.
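The following script is an added example for this KB and is not SphereShield's own code. It checks, from any domain-joined machine with the Active Directory PowerShell module, the three Active Directory prerequisites above: the Kerberos account holds the pool's HTTP SPN, the Authentication Extender's computer object is a member of 'Windows Authorization Access Group', and that computer object is configured for constrained (not unconstrained) delegation to the pool's HTTP service. The names 'kerbauth', 'AUTHEXT01' and 'pool.domain.com' are placeholders; replace them with the account name given to New-CsKerberosAccount, the hostname of the extender server, and the pool FQDN entered in KCD.xml.

```powershell
# Added example (not part of the SphereShield KB): verifies the AD side of
# the Kerberos intermediate account and delegation setup. All names are
# assumptions to be replaced with your own values.
Import-Module ActiveDirectory

$KerberosAccount = 'kerbauth'          # assumed: name passed to New-CsKerberosAccount (no trailing $)
$ExtenderHost    = 'AUTHEXT01'         # assumed: hostname of the Authentication Extender server
$PoolFqdn        = 'pool.domain.com'   # assumed: pool FQDN, the same value entered in KCD.xml
$WaagName        = 'Windows Authorization Access Group'

function Test-AuthExtenderKcd {
    $spn  = "http/$PoolFqdn"
    $kerb = Get-ADComputer -Identity $KerberosAccount -Properties servicePrincipalName
    $extProps = @('memberOf', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo')
    $ext  = Get-ADComputer -Identity $ExtenderHost -Properties $extProps
    $waag = Get-ADGroup -Identity $WaagName

    $result = [ordered]@{
        # 1. The Kerberos account must hold the pool's HTTP SPN (SPN comparison is case-insensitive).
        KerberosAccountHasPoolSpn = [bool]($kerb.servicePrincipalName -contains $spn)
        # 2. The extender must be in WAAG so it can read tokenGroups for the impersonated user.
        ExtenderInWaag            = [bool]($ext.memberOf -contains $waag.DistinguishedName)
        # 3. Constrained delegation must list the pool's HTTP service.
        ExtenderDelegatesToPool   = [bool]($ext.'msDS-AllowedToDelegateTo' -contains $spn)
        # Informational: 'Use any authentication protocol' (protocol transition). Needed when the
        # user does not authenticate to the extender itself with Kerberos (S4U2Self).
        ProtocolTransition        = [bool]$ext.TrustedToAuthForDelegation
        # Security caveat: unconstrained delegation lets the extender impersonate any user to
        # any service and must stay off.
        UnconstrainedDelegation   = [bool]$ext.TrustedForDelegation
    }

    foreach ($check in 'KerberosAccountHasPoolSpn', 'ExtenderInWaag', 'ExtenderDelegatesToPool') {
        if (-not $result[$check]) { Write-Warning "$check FAILED" }
    }
    if ($result.UnconstrainedDelegation) {
        Write-Warning "$ExtenderHost is trusted for unconstrained delegation; switch it to 'specified services only'"
    }
    if (-not $result.ProtocolTransition) {
        Write-Host "Note: protocol transition is not enabled on $ExtenderHost"
    }
    return $result
}

Test-AuthExtenderKcd | Format-Table -AutoSize
```

A healthy deployment reports $true for the first three entries and $false for UnconstrainedDelegation. If the SPN check fails, re-run Set-CsKerberosAccountPassword and confirm the pool's HTTP entry appears in the output of setspn -L for the Kerberos account; if the delegation check fails, the 'Delegation' tab of the extender's computer object does not yet list the service that the Kerberos account owns.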

...