How to install the Authentication Extender?

In this article, we are going to learn how to install the Authentication Extender using the SphereShield installer.
Before proceeding, make sure to follow the KB article on generating the user properties file.

What is the Authentication Extender

The Authentication Extender is an optional component that becomes mandatory when SphereShield is used with SfB credentials (dedicated credentials).
This component connects directly to the SfB/Lync Front End and the CAS/Exchange server, and it needs Kerberos delegation to these servers in order to act on users' behalf against them.
This component is a middle-man between the DMZ Bastion and the internal traffic: it receives traffic from the DMZ and authenticates to the internal servers on its behalf.

Installation

1. Right-click the installer and run it as an administrator.
2. When prompted, click 'SphereShield for Skype for Business'.


3. If no properties file was detected, you will be asked whether you want to specify one.
    Click Yes to specify a file, or No to proceed without one. The default location of the file is:

C:\Agat\SphereShield.Setup

4. In the 'Bastion Configuration' page, make sure that 'Install Authentication Extender' is checked.

Enter the names of your Front End and CAS servers. Use the add button to add as many servers as you have in your environment.

Press Next until you reach the Install page.

5. On the Install page, click the Install button next to 'Authentication Extender'.


6. After a successful installation, you will see the following message box:

The Authentication Extender must be delegated in Active Directory. To do this, the installer provides a PowerShell script.
Click Yes to save the script to a file.
After you have saved the file, move it to your domain controller (DC) and execute the script there.

7. Make sure that the 'Bastion Reverse Proxy' service has been created on the Authentication Extender server:


Configuration

Bastion.xml Configuration

1. In the Bastion.xml file of the DMZ Bastion make sure that the channels are forwarding the traffic to the Authentication Extender.

2. In the bastion.xml of the Authentication Extender, configure the certificate information for the Reverse Proxy to use:

You may use a PFX file containing both the public and private key, a separate certificate file and private key file, or a certificate installed in the Windows certificate store.

3. In the Authentication Extender bastion.xml file, configure a channel that forwards traffic to the Front End pool.


AuthConsumer.xml Configuration

In the AuthConsumer.xml file, configure the certificate. You can use the included certificate (in the Bastion folder) for testing purposes and replace it with your own once the system is up and running.

The default location of AuthConsumer.xml is:

C:\Agat\Bastion_Auth\filters\Skype\AuthConsumer.xml

KCD.xml Configuration

In the KCD.xml file, enter the pool FQDN in the 'target' tag.

If you are configuring EWS, use your CAS server FQDN instead:

WebTicket Application Configuration

Skype for Business

On each Front End server of the pool, edit the WebTicket application of the external site to support Negotiate authentication.

Make sure that Negotiate is at the top of the provider list, above NTLM.

Exchange

On each CAS server, edit the Autodiscover and EWS applications of the default site to support Negotiate authentication.


Make sure that Negotiate is at the top of the provider list, above NTLM.


Permissions

Follow these steps:

  • Open 'Active Directory Users and Computers'.
  • Select the server on which the Authentication Extender is installed, right-click it and select Properties.
  • Click 'Member Of', click Add and, in the text box, type 'Windows Authorization Access Group'.
  • Click 'OK' and then 'Apply'.


Delegate control to the computer

You can delegate control in one of two ways:

Using a KCD user

Create the Kerberos Intermediate Account

Skype for Business

The following step will cause downtime for online meetings.

In order for the Authentication Extender to work with a pool, it must be set with an intermediate account which needs to be created specifically for this purpose.

In order to create that account, run the following commands on the Front End server in the Skype for Business Management Shell (or PowerShell):


New-CsKerberosAccount -UserAccount "<Domain>\<Account_Name>" -ContainerDN "ou=Servers,dc=domain,dc=com"

New-CsKerberosAccountAssignment -UserAccount "<Domain>\<Account_Name>" -Identity "Site:<Site_Name>"

Set-CsKerberosAccountPassword -UserAccount "<Domain>\<Account_Name>"


This creates a computer account in AD that gets assigned all SPNs for the http entries of the pools in the site.
The account's 'servicePrincipalName' attribute will contain the name of the pool:
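The following is an added verification example, not part of the original KB, for checking that the Kerberos account created above actually carries the pool's http SPN and that no other object holds the same SPN. It assumes the Skype for Business Management Shell plus the ActiveDirectory module; the placeholders <Account_Name>, <Site_Name> and the pool FQDN are assumptions to replace with your own values.

```powershell
# Added example (not from the KB): verify the Kerberos intermediate account.
# Run in the Skype for Business Management Shell on a Front End server.
Import-Module ActiveDirectory

$AccountName = "<Account_Name>"      # the account created with New-CsKerberosAccount
$PoolFqdn    = "pool01.domain.com"   # constructed example pool FQDN, replace with yours
$SiteName    = "<Site_Name>"

# 1. Confirm the account is assigned to the site.
$assignment = Get-CsKerberosAccountAssignment -Identity "Site:$SiteName"
if (-not $assignment) { throw "No Kerberos account is assigned to site $SiteName" }
Write-Host "Assigned account: $($assignment.UserAccount)"

# 2. Read the SPNs on the computer object and check that the pool's http SPN is there.
$acct = Get-ADComputer -Identity $AccountName -Properties servicePrincipalName
$spns = @($acct.servicePrincipalName)
Write-Host "SPNs on ${AccountName}:"
$spns | ForEach-Object { Write-Host "  $_" }

$expected = "http/$PoolFqdn"   # SPN comparison is case-insensitive
if ($spns -notcontains $expected) {
    Write-Warning "Expected SPN $expected not found. Run Enable-CsTopology to publish the assignment, then re-check."
}

# 3. A duplicate SPN on any other object breaks Kerberos for the pool, so look for one.
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$expected)" |
         Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
if ($dupes) {
    Write-Warning "Duplicate SPN $expected also present on: $($dupes.DistinguishedName -join ', ')"
}

# 4. The built-in test writes an HTML report on whether the assignment works for this site.
Test-CsKerberosAccountAssignment -Identity "Site:$SiteName" -Report "C:\Logs\KerberosAccount.html" -Verbose
```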



Make sure to add the Kerberos account to the delegation of the machine that runs the Authentication Extender (right-click the forest and choose Delegate Control).


Exchange


In the case where a configuration for Exchange needs to be made, we will not use the Kerberos account. Instead, you will need to delegate the machine that runs the Authentication Extender directly.
Go to Active Directory Users and Computers and find the Authentication Extender server. Enable delegation as shown below. The "User or Computer" entries should be the Exchange servers. Add all Exchange servers that will be used for EWS by Skype for Business.



Delegate directly to the computer

  1. Open [Active Directory Users and Computers] and select [View] → [Advanced Features].
  2. Go to the [Delegation] tab under the properties of the Computer object for the Authentication Extender server.
  3. Add the SPN for the HTTP service of the pool and of each Front End server.
  4. Add the Exchange servers in the same manner as above in case the EWS protector is also incorporated in the deployment.
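An added example, not part of the original KB, that performs the Permissions step (Windows Authorization Access Group membership) and the direct delegation steps above from PowerShell instead of the GUI, then re-reads the computer object so you can confirm the delegation is constrained to exactly the intended http SPNs. It assumes the ActiveDirectory module (RSAT or a domain controller); the server name AUTHEXT01, the target FQDNs and the $UseAnyAuthProtocol setting are assumptions to replace with your own.

```powershell
# Added example (not from the KB): configure and audit the Authentication Extender computer object.
Import-Module ActiveDirectory

$AuthExtender = "AUTHEXT01"                       # constructed name of the Authentication Extender server
$Targets      = @(
    "pool01.domain.com",                          # SfB pool FQDN
    "fe01.domain.com", "fe02.domain.com",         # each Front End server
    "cas01.domain.com", "cas02.domain.com"        # CAS servers, only when EWS goes through the extender
)
# Assumption: protocol transition ("use any authentication protocol") is required because
# users sign in to the Bastion with SfB credentials rather than with Kerberos tickets.
$UseAnyAuthProtocol = $true

$computer = Get-ADComputer -Identity $AuthExtender `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation, MemberOf

# Permissions section: make the server a member of Windows Authorization Access Group.
$waag = Get-ADGroup -Identity "Windows Authorization Access Group"
if ($computer.MemberOf -notcontains $waag.DistinguishedName) {
    Add-ADGroupMember -Identity $waag -Members $computer
    Write-Host "Added $AuthExtender to $($waag.Name)"
}

# Delegation section: allow delegation only to the http service of the listed targets.
# -Replace writes exactly this list, so stale targets are dropped; unconstrained
# delegation (TrustedForDelegation) is explicitly switched off.
$spns = $Targets | ForEach-Object { "http/$_" }
Set-ADComputer -Identity $computer -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }
Set-ADAccountControl -Identity $computer -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $UseAnyAuthProtocol

# Audit: re-read the object and flag anything broader than the intended list.
$after = Get-ADComputer -Identity $AuthExtender `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($after.TrustedForDelegation) {
    Write-Warning "$AuthExtender is trusted for UNCONSTRAINED delegation; this must be reverted."
}
$extra = @($after.'msDS-AllowedToDelegateTo') | Where-Object { $spns -notcontains $_ }
if ($extra) { Write-Warning "Unexpected delegation targets: $($extra -join ', ')" }
Write-Host "Delegation targets now: $($after.'msDS-AllowedToDelegateTo' -join ', ')"
Write-Host "Protocol transition enabled: $($after.TrustedToAuthForDelegation)"
```

Re-run only the audit part after any GUI change to the Delegation tab to confirm nothing wider than the http SPNs was granted.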



Direct delegation per each Front-End/CAS instance

In a smaller deployment, you can delegate Kerberos directly to each Front End/CAS server.

Note that there can be only one SPN per KCD filter, as opposed to what may be understood from the PDF.



Replacing the signing certificate with your own after the system is up and running

For security reasons, it is recommended to replace the signing certificates. You will need to create a PFX certificate file with the public and private key for the LAC Filter (you can use the default signing.pfx as a reference) and a CRT file with the same public key for the Auth Consumer (you can use the default signing.crt as a reference).


In the Bastion server, add the new pfx to the Bastion folder (default path C:\Agat\Bastion).

In Lync_Access_Control.xml, replace the signing.pfx certificate with your own certificate.


In the Authentication Extender server, add the new crt certificate to the Bastion_Auth folder (default path C:\Agat\Bastion_Auth).

In AuthConsumer.xml, replace the signing.crt certificate with your own certificate.