In this article, we are going to learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding make sure to follow this KB in order to generate the user properties file.
What is the Authentication Extender
The Authentication extender is an optional component that is mandatory only when using SkypeShield Credentials (Dedicated credentials).
This component is directly connected to the SfB/Lync FE and the CAS/Exchange server, it will need delegation for these servers to give it privileges over these servers.
This component is a middle-man between the DMZ Bastion and the internal traffic, it receives traffic from the DMZ and authenticates on its behalf.
Installation
1. Right-click the installer and run it as an administrator.
2. When prompted with this windows click 'SphereShield for Skype for Business'
3. If no properties file was detected you will be asked to choose (if you have).
Click yes, to specify a file and no to proceed without specifying. The default location of the file should be at:
C:\Agat\SphereShield.Setup
4. In the 'Bastion Configuration' page make sure that 'Install Authentication Extender' is checked
Enter the names of you Fron End and CAS servers. Use the 
sign to add as many as you have in your environment.
Press 
until you reach the Install page.
5. In the Install page Click the 
butting is next to 'Authentication Extender'
6.After a successful installation, you will the following message box:
We will need to delegate the Authentication Extender, in order to do we have a Powershell script.
Click yes to save the script to file.
After you have done that, move the file to your DC and execute the script.
7. Make sure that 'Bastion Reverse Proxy' service has been created:
Bastion.xml Configuration
1. In the Bastion.xml file of the DMZ Bastion make sure that the channels are forwarding the traffic to the Authentication Extender.
2. in the bastion.xml of the Authentication Extender, Configure the certificate information for Reverse Proxy to use:
You may use a pfx file containing both the public and private key, separate certificate and private key, or a certificate installed in the Windows store.
3. In the Authentication Extender bastion.xml file, configure a channel to forward traffic to the Front End pool
AuthConsumer.xml Configuration
In the Authconsumer.xml file configure the certificate. You can the included certificate (in the Bastion folder) for testing purposes and replace with your own
once the system is up and running.
The default location of the Authconsumer.xml is:
C:\Agat\Bastion_Auth\filters\Skype\AuthConsumer.xml
KCD.xml Configuration
In the KCD.xml file, we will need our pool FQDN to the 'target' tag.
WebTicket Application Configuration
In each front end server of the pool, we need to edit the WebTicket application of the external site to support Negotiate authentication.
Make sure that Negotiate is at the top of the least, above NTLM
Permissions
Add the computer object with the Authentication Extender to the domain group 'Windows Authorization Access Group'
Create the Kerberos Intermediate Account
In order for the Authentication Extender to work with a pool, it must be set with a special intermediate account which needs to be created
specifically for this purpose.
In order to create that Account run the following command from the Skype for Business Management Shell:
New-CsKerberosAccount -UserAccount "<Domain>\<Computer_Account_Name>” -ContainerDN "ou=Servers,
dc=domain,dc=com"
New-CsKerberosAccountAssignment -UserAccount "<Domain>\<Computer_Account_Name>” -Identity "Site:SiteA" EnableCsTopology
Set-CsKerberosAccountPassword -UserAccount "<Domain>\<Computer_Account_Name"
This creates a computer account in AD that gets assigned with all SPNs for the http entries of the
pools in the site.
The user's 'servicePrincipaName' will be the name of the pool:
Make sure to the user to the delegation of the machine that runs the Authentication Extender
