

Summary: Manage two-factor authentication in Skype for Business Server.

Two-factor authentication provides improved security by requiring users to provide two forms of authentication or identification, namely a user name/password combination and a token or certificate. This is also known as "something you have, something you know."

A typical example of two-factor authentication with a certificate is the use of smart cards. A smart card contains a certificate associated with the user account, and can be validated against user and certificate information stored on a server. By comparing the user information (user name and password) to the certificate provided, the server validates the credentials and authenticates the user.

Consider the following subjects when configuring a Skype for Business Server environment to support two-factor authentication.

The Cumulative Updates for Lync Server 2013: July 2013 desktop client and the Skype for Business client are the only clients that currently support two-factor authentication.

Topology Requirements

Customers are encouraged to deploy two-factor authentication using dedicated Skype for Business Server with Edge, Director, and User Pools. To enable passive authentication for users, other authentication methods must be disabled for other roles and services, including these:

Unless these authentication types are disabled at the service level, all other versions of the client will be unable to sign in successfully once two-factor authentication is enabled in your deployment.

Skype for Business Service Discovery

DNS records used by internal and/or external clients to discover Skype for Business services should be configured to resolve to a Skype for Business server that is not enabled for two-factor authentication. With this configuration, users from Skype for Business Pools that are not enabled for two-factor authentication will not be required to enter a PIN to authenticate, while users from Skype for Business Pools that are enabled for two-factor authentication will be required to enter their PIN to authenticate.

Exchange Authentication

Customers who have deployed two-factor authentication for Microsoft Exchange may find that certain features in the client are unavailable. This behavior is by design, as the Skype for Business client doesn't support two-factor authentication for features that are dependent on Exchange integration.

Skype for Business users who are configured to leverage the Unified Contact Store feature will find that their contacts are no longer available after signing in with two-factor authentication. You should use the Invoke-CsUcsRollback cmdlet to remove existing user contacts from the Unified Contact Store and store them in Skype for Business Server before enabling two-factor authentication.

Skill Search

Customers who have configured the Skill Search feature in their Skype for Business environment will find that this feature does not work when Skype for Business is enabled for two-factor authentication. This is by design, as Microsoft SharePoint does not currently support two-factor authentication.

There are a number of deployment considerations involving saved Skype for Business credentials which may impact users who are configured to use two-factor authentication.

Users should use the Delete my sign-in info option in the Skype for Business client and delete their SIP profile folder from %localappdata%\Microsoft\Office\15.0\Skype for Business before attempting to sign in for the first time using two-factor authentication.

With the Kerberos or NTLM authentication method, the user's Windows credentials are used automatically for authentication. In a typical Skype for Business Server deployment where Kerberos and/or NTLM is enabled for authentication, users should not have to enter their credentials every time that they sign in.
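The SIP profile folder cleanup described on this page can be scripted per user. The following is an added example, not code from the original page or from Microsoft. The function name Remove-SfbSipProfile, the sip_<address> folder naming, the lync process name, and the sample address are assumptions, and the script does not replace the Delete my sign-in info step in the client.

```powershell
# Added example: remove one user's SIP profile folder before the first
# two-factor sign-in. Run in the affected user's own session.
function Remove-SfbSipProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SipAddress,

        # Profile root as given on this page.
        [string]$ProfileRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\Office\15.0\Skype for Business')
    )

    # Assumption: the desktop client runs as lync.exe and keeps profile files open.
    if (Get-Process -Name 'lync' -ErrorAction SilentlyContinue) {
        throw 'Exit the Skype for Business client before removing the profile.'
    }

    if (-not (Test-Path -LiteralPath $ProfileRoot)) {
        Write-Verbose "No profile root at $ProfileRoot; nothing to remove."
        return
    }

    # Assumption: each profile lives in a subfolder named sip_<address>.
    # Exact name comparison (no wildcards, no path joining of user input)
    # leaves other profiles on a shared machine untouched.
    $name = 'sip_' + $SipAddress
    $targets = @(Get-ChildItem -LiteralPath $ProfileRoot -Directory |
        Where-Object { $_.Name -ieq $name })

    if ($targets.Count -eq 0) {
        Write-Verbose "No folder named $name under $ProfileRoot."
    }

    foreach ($dir in $targets) {
        # Do not follow a junction or symlink out of the profile root.
        if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Write-Warning "Skipping reparse point $($dir.FullName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Remove SIP profile folder')) {
            Remove-Item -LiteralPath $dir.FullName -Recurse -Force
        }
    }
}

# Dry run with a constructed address; drop -WhatIf to delete.
Remove-SfbSipProfile -SipAddress 'alice@contoso.example' -WhatIf -Verbose
```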
