How to Configure Authentication?
In this guide, we are going to learn about the Authentication page of the Admin Portal.
This page has 2 states:
- Active Directory Credentials - default state; authentication is done using the on-prem AD username and password.
- SphereShield for SfB credentials - authentication is done using custom credentials.
Active Directory Credentials
- SfB Client Authentication method - The authentication method that will be used in order to sign in to Skype
- Username Required - Whether a user will be required to enter a username in addition to SIP address and password. Requires Self-Registration and Custom Sign in Window.
- Username Type Preference - The preferred method which SphereShield for SfB will use in order to authenticate on behalf of the client. If the first type is not available in the database, the other will be used.
- Access Portal authentication type - The method which administrators can use in order to sign in to the Admin Portal.
- Pre Authenticate devices - Whether devices will be registered before users.
- Passwordless Sign-in - Whether to allow users to sign in without a password. This requires an Authentication Extender with an auth consumer filter configured.
- Require Biometric authentication - Whether users will be required to sign in using a Biometric supported device. Requires TouchId on iOS and FingerPrint on Android.
SphereShield for SfB Credentials
- Username Required - When set to 'No', users will not need to create a SphereShield for SfB user name and enter it in the advanced settings window of the SfB client.
- SkypeShield credentials verification against AD account - The type of credentials to use. When using domain\user a custom sign-in window is a requirement.
- Dedicated SfB credentials maximum password age - The number of days that a password will be considered valid. When set to 0, passwords never expire.
- Required minimum length of username - The minimum number of characters required for username.
- Required minimum length of password - The minimum number of characters required for a password.
- Minimum amount of letters in password - The minimum number of letters required for a password.
- Minimum amount of numbers in password - The minimum number of digits required for a password.
- Minimum amount of symbols in password - The minimum number of symbols required for a password.
- Mixed characters are required - Whether users must use characters of mixed case in their passwords.
- Auto generates first dedicated password - Whether the first password is auto-generated according to the configured policy.
- Support Native NTLM authentication - When set to "No", users' passwords are stored as a bcrypt hash instead of an MD4 hash (native NTLM needs the MD4 NT hash to compute its challenge response, which is why disabling it allows the slower, salted bcrypt hash). This feature requires a custom sign-in window to be enabled. Once you activate this feature and users have created credentials, it is not possible to revert to the native window.
- Support Hybrid Deployment - This feature allows redirection for users homed in O365 or a non-SphereShield pool so they can use AD credentials to sign in. When not enabled users will need to type in their discovery address manually to log on.
Shared Configurations
- Admin Default Domain - For easy access to the admin side of the Admin Portal, you may enter your default domain so administrators will only be required to enter a username. Regardless of this value, it is possible to use domain\user.
- Block Web App User Login - Whether to prevent users from using the Web App. Guests will be allowed to use it regardless of this value.
- Username blacklist - A comma-separated list of regular expressions defining username formats which are not allowed to sign in, e.g. (.*)admin(.*),(.*)super(.*). This is required when configuring DoS Protection.
- Username Whitelist - A comma-separated list of regular expressions defining username formats which are allowed to sign in, e.g. fabrikam\\(..*),(..*)@fabrikam
- Custom Sign-in Window - See How to Configure Custom sign in window? for more information.
- Allow manual overwrite approval for specific device - Whether to allow admins to manually approve devices and override policies.
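To see how the Username blacklist and Username Whitelist settings above combine, here is an added example (not code from SphereShield) that evaluates a username against the page's own sample lists. It assumes each entry is matched against the whole username, case-insensitively, and that a blacklist hit always wins over the whitelist; verify both assumptions against your deployment before relying on them.

```python
import re

# Lists copied from the page's own examples (comma-separated regular expressions).
USERNAME_BLACKLIST = "(.*)admin(.*),(.*)super(.*)"
USERNAME_WHITELIST = r"fabrikam\\(..*),(..*)@fabrikam"


def parse_pattern_list(value: str) -> list:
    """Split a comma-separated list of regular expressions and compile each one.

    Assumption: entries are matched against the whole username (fullmatch),
    case-insensitively; the page's examples wrap patterns in (.*), which only
    makes sense under whole-string matching. Entries containing a comma
    (e.g. a {2,3} quantifier) would be split incorrectly by this loader.
    """
    patterns = []
    for raw in value.split(","):
        raw = raw.strip()
        if raw:
            patterns.append(re.compile(raw, re.IGNORECASE))
    return patterns


def sign_in_allowed(username: str, blacklist: str, whitelist: str) -> bool:
    """Return True when the username may sign in.

    Assumed precedence: any blacklist hit rejects; otherwise, if a whitelist is
    configured, the username must match at least one whitelist entry.
    An empty whitelist allows every username the blacklist does not reject.
    """
    for pattern in parse_pattern_list(blacklist):
        if pattern.fullmatch(username):
            return False
    allowed = parse_pattern_list(whitelist)
    if not allowed:
        return True
    return any(p.fullmatch(username) for p in allowed)


if __name__ == "__main__":
    # Constructed sample usernames; backslashes are escaped for Python strings.
    for name in ["fabrikam\\jdoe", "jdoe@fabrikam", "fabrikam\\sysadmin",
                 "contoso\\jdoe", "jdoe@fabrikam.com"]:
        print(f"{name:22} -> {sign_in_allowed(name, USERNAME_BLACKLIST, USERNAME_WHITELIST)}")
```

Note that "jdoe@fabrikam.com" is rejected under whole-string matching because the sample whitelist entry ends at "@fabrikam"; widen the pattern if the suffix is legitimate.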
PC Authentication Process
The following video demonstrates a successful login of a PC with SIP Filter on the Edge server configured with Block NTLM set to TRUE.
How to block NTLM Authentication using the SIP Filter?
In the SIP Filter .yaml file located at
C:\Agat\SipFilter\AgatSfbSipFilter.yaml
change the value block-ntlm: false to block-ntlm: true.