Authentication Broker for EWS


Skype users on-prem, Exchange users on cloud

When an organisation uses SkypeShield credentials to sign in to Skype for Business these credentials are sent to Exchange too.
Traffic goes via Bastion filters, and credentials for Skype for Business and EWS are converted to Windows credentials using our KCD filter which creates Kerberos tickets to ensure the requests are accepted by the on-prem servers.

When the user’s account is homed on O365 the Kerberos ticket we would generate wouldn’t be accepted.

To ensure that the request is accepted, we create an Azure account impersonation authentication token, which we attach to the request to ensure that the request is accepted.

This requires creating/using an azure application with appropriate permissions.

Traffic flow

Assuming Manual Exchange Server configuration on client, no auto discover.

  1. Client sends EWS request to Bastion on special URL. e.g.

  2. EWS Filter verifies SphereShield credentials sent by client

  3. EWS Filter obtains authentication token and modifies the request to use the authentication token received from Azure

  4. Bastion sends modified request to Exchange Online