OAuth Authentication in Lync Server 2013
Microsoft Lync Server 2013 adds OAuth authentication for more secure integration with Exchange Server 2013 and SharePoint 2013.
April 4, 2013
Microsoft Lync Server 2013 has many new server and client features that will get a lot of attention, but there are also some under-the-hood items that shouldn't go unnoticed. One that comes to mind is OAuth, the new authorization method used when an organization wants Lync 2013 integration with Microsoft Exchange Server 2013 or SharePoint 2013. In this article, I'll take a look at some key areas around OAuth, including the benefits of using OAuth for Lync integration and deployment tips for smoother implementation.
Benefits of OAuth
OAuth is an industry-standard communication protocol for server-to-server authentication and authorization. Lync Server 2013 leverages OAuth for its server-to-server communication process to better handle security between Lync 2013, Exchange 2013, and SharePoint 2013.
OAuth authentication involves three parties in the communication process: an authorization server, and two parties that need to communicate with each other. The authorization server issues security tokens to the two parties that are trying to communicate. These tokens verify that communication from one party should be trusted by the other party during the communication process.
By using OAuth authentication with Exchange 2013 and SharePoint 2013, organizations can take advantage of some of the rich new features of Lync 2013, such as:
Unified contact store -- The unified contact store lets you store all Lync contact data in the user's Exchange 2013 mailbox. This feature presents a unified view of the data as well as a single storage location. Lync retrieves data associated with a user's contact list by using Exchange Web Services (EWS), as opposed to the Session Initiation Protocol (SIP) request used in Lync 2010.
Archiving -- Lync has always had robust archiving capabilities, but its discovery capabilities have been limited. By integrating Lync and Exchange 2013, both archiving and discovery take a major step forward.
HD photos -- When Lync 2013 and Exchange 2013 are integrated, Lync supports HD photos. Storing photos in Active Directory (AD) in the thumbnailPhoto attribute limits the flexibility for manipulation of the photos and also puts the burden on AD to replicate extra traffic to all the domain controllers (DCs). By having Exchange as the storage point for Lync 2013 photos, users can leverage high-resolution photos for their Lync profiles.
OAuth Deployment Tips
Lync Server 2013 supports three server-to-server authentication scenarios with the OAuth authentication process:
On-premises deployment -- an on-premises deployment of Lync Server 2013 integrated with an on-premises deployment of either Exchange 2013 or SharePoint 2013
Online deployment -- an online cloud deployment of Lync Online integrating with Exchange Online or SharePoint Online
Hybrid deployment -- a deployment where part of your infrastructure (Lync, Exchange, SharePoint) is on-premises and part in the cloud
Although you have choices about which scenario best fits your needs, implementing OAuth for your Lync 2013 environment isn't difficult. Here are some tidbits that should help make your deployment even easier:
Be sure that you have a valid certificate to use for OAuth; try to leverage the same certificates across the Lync and Exchange environments, which makes for a more seamless integration with free/busy data and Exchange Unified Messaging.
Take advantage of the Lync 2013 Deployment Wizard for certificate installation and configuration in your Lync environment. The Lync deployment wizard provides a step-by-step walkthrough for importing/exporting certificates to Lync 2013 servers. Note that the Lync 2013 Deployment Wizard is launched when you run setup.exe for Lync.
Be sure to create the partner association for Lync 2013 and Exchange 2013. The partner association allows Lync and Exchange to exchange security tokens during the OAuth process so that they don't rely on a third-party mechanism. For more information about creating this connection, see the Microsoft article "Configuring an On-Premises Partner Application for Microsoft Lync Server 2013."
Make sure to configure the Exchange Autodiscover service, or that it's already set up and working. You can find out more about this service in the Microsoft article "Configure Exchange Services for the Autodiscover Service."
Be sure to download and install the Unified Communications Managed API (UCMA) 4.0 Runtime in your Exchange environment. UCMA 4.0 is available from the Microsoft Download Center.
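The tips above are the steps an administrator types into the Lync Server 2013 Management Shell. The following script is an added example, not code from the article or from Microsoft; it applies the certificate, partner-association, and Autodiscover tips for the on-premises Lync 2013 and Exchange 2013 scenario and then verifies the result. The Lync cmdlets used (Get-CsCertificate, Get-CsPartnerApplication, New-CsPartnerApplication, Test-CsExStorageConnectivity) ship with Lync Server 2013; the host names, the Autodiscover metadata URL, the test SIP URI, and the 30-day expiry threshold are placeholders and assumptions.

```powershell
# Added example (not from the article): apply and verify the OAuth partner
# association between an on-premises Lync Server 2013 pool and Exchange 2013.
# Run from the Lync Server 2013 Management Shell as a CsServerAdministrator.
# All host names, URLs and the SIP URI below are placeholders.

$ExchangeMetadataUrl = "https://autodiscover.contoso.com/autodiscover/metadata/json/1"  # placeholder
$TestSipUri          = "sip:testuser@contoso.com"                                        # placeholder
$ExpiryWarningDays   = 30                                                                # assumed threshold

# Tip 1: a valid certificate must be assigned for the OAuth token issuer role.
# The OAuthTokenIssuer certificate is a global assignment, shared across the pool.
$oauthCert = Get-CsCertificate -Type OAuthTokenIssuer
if (-not $oauthCert) {
    throw "No OAuthTokenIssuer certificate is assigned. Assign one with: Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint <thumbprint>"
}
if ($oauthCert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
    Write-Warning ("OAuthTokenIssuer certificate expires on {0}; renew it before token exchange with Exchange fails." -f $oauthCert.NotAfter)
}

# Tip 2 and Tip 3: create the partner association. The MetadataUrl is published by
# Exchange Autodiscover, so Autodiscover must already be working for this to succeed.
# Creating the association is skipped if one named "Exchange" already exists.
$existing = Get-CsPartnerApplication -Identity Exchange -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsPartnerApplication -Identity Exchange `
        -ApplicationTrustLevel Full `
        -MetadataUrl $ExchangeMetadataUrl
}
else {
    Write-Host "Partner application 'Exchange' already exists; leaving it unchanged."
}

# Verification: list the configured partner applications, then confirm that Lync can
# reach Exchange storage for a test user. Unified contact store and archiving to
# Exchange both depend on this path, so a failure here surfaces OAuth or
# Autodiscover problems before users notice missing contacts or archives.
Get-CsPartnerApplication |
    Format-Table Identity, ApplicationIdentifier, ApplicationTrustLevel, Enabled -AutoSize

Test-CsExStorageConnectivity -SipUri $TestSipUri -Verbose
```

The script only covers the Lync side. The association is mutual: on the Exchange 2013 side the administrator runs the Configure-EnterprisePartnerApplication.ps1 script from the Exchange scripts folder with the Lync pool's metadata URL (of the form https://lyncpool.contoso.com/metadata/json/1, again a placeholder host) and -ApplicationType Lync, which is what the Microsoft article referenced above walks through. Checking the certificate's expiry before creating the association is deliberate: an expired token-issuer certificate causes every server-to-server call to fail at once, which is far harder to diagnose after the fact than a warning raised during deployment.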
OAuth for Tighter Integration
The benefits of the OAuth authorization method outweigh the few extra steps an administrator will need to take to reap the rewards of Lync Server 2013. Microsoft came through by addressing key areas for tighter integration with SharePoint 2013 and Exchange 2013, whether you're in an on-premises, cloud, or hybrid deployment. At the end of the day, the OAuth authorization process is Microsoft conforming to an industry-standardized framework that already existed within the web industry for token authentication -- which should be good for everybody.