Training from October 2016


http://aka.ms/sa-client
www.skypeoperationsframework.com/academy
1. lyncdiscoverinternal.contoso.com resolves to the IP address of the Front End web services.
2. Client constructs the URL and sends an HTTP GET request: GET /Autodiscover/AutodiscoverService.svc/root?sipuri=sip:[email protected]
3. Client receives two URLs in the response:
   https://pool1.contoso.com/Autodiscover/AutodiscoverService.svc/root/domain
   https://pool1.contoso.com/Autodiscover/AutodiscoverService.svc/root/user
4. The client uses that response to make a request to https://pool1.contoso.com/Autodiscover/Autodiscover.svc/root/user to retrieve the specific user's home pool information.
5. Client receives a 401 Unauthorized response with the Web Ticket Service (WTS) location in the header.
6. Client submits a request to the Web Ticket Service to retrieve the metadata exchange document (MEX).
7. Client submits a Request Security Token to the Web Ticket Service and supplies credentials.
8. The Web Ticket is returned to the client.
9. Client makes the request again to https://pool1.contoso.com/Autodiscover/Autodiscover.svc/root/user to retrieve the specific user's home pool information, this time providing the web ticket.
10. The Skype for Business Autodiscover service obtains the user's URI from the web ticket.
11. Skype for Business Autodiscover retrieves the user info from the registrar database and retrieves the user's home pool (or, for external users, the assigned Edge Server).
<?xml version="1.0" encoding="utf-8"?>
<AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal">
  <User>
    <SipServerInternalAccess fqdn="dcpool.contoso.com" port="5061" />
    <SipClientInternalAccess fqdn="dcpool.contoso.com" port="5061" />
    <SipServerExternalAccess fqdn="sip.contoso.com" port="5061" />
    <SipClientExternalAccess fqdn="sip.contoso.com" port="443" />
    <Link token="Internal/Autodiscover" href="https://nawebint.contoso.com/Autodiscover/AutodiscoverService.svc/root" />
    <Link token="Internal/AuthBroker" href="https://nawebint.contoso.com/Reach/sip.svc" />
    <Link token="Internal/WebScheduler" href="https://nawebint.contoso.com/Scheduler" />
    <Link token="External/Autodiscover" href="https://nawebext.contoso.com/Autodiscover/AutodiscoverService.svc/root" />
    <Link token="External/AuthBroker" href="https://nawebext.contoso.com/Reach/sip.svc" />
    <Link token="External/WebScheduler" href="https://nawebext.contoso.com/Scheduler" />
    <Link token="Internal/Mcx" href="https://nawebext.contoso.com/Mcx/McxService.svc" />
    <Link token="External/Mcx" href="https://nawebext.contoso.com/Mcx/McxService.svc" />
    <Link token="Ucwa" href="https://nawebext.contoso.com/ucwa/v1/applications" />
    <Link token="Internal/Ucwa" href="https://nawebint.contoso.com/ucwa/v1/applications" />
    <Link token="External/Ucwa" href="https://nawebext.contoso.com/ucwa/v1/applications" />
    <Link token="External/XFrame" href="https://nawebext.contoso.com/Autodiscover/XFrame/XFrame.html" />
    <Link token="Internal/XFrame" href="https://nawebint.contoso.com/Autodiscover/XFrame/XFrame.html" />
    <Link token="XFrame" href="https://nawebext.contoso.com/Autodiscover/XFrame/XFrame.html" />
    <Link token="Self" href="https://nawebint.contoso.com/Autodiscover/AutodiscoverService.svc/root/user" />
  </User>
</AutodiscoverResponse>
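The following is an added example, not part of the training deck, that parses the AutodiscoverResponse above the way a client consumes it after step 9: it selects the Internal or External link set and SIP access endpoint, and checks that every link the web ticket will be sent to is HTTPS. The sample document is a trimmed, constructed copy of the response shown; the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the AutodiscoverResponse shown above.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal">
<User>
<SipServerInternalAccess fqdn="dcpool.contoso.com" port="5061" />
<SipClientInternalAccess fqdn="dcpool.contoso.com" port="5061" />
<SipServerExternalAccess fqdn="sip.contoso.com" port="5061" />
<SipClientExternalAccess fqdn="sip.contoso.com" port="443" />
<Link token="Internal/Autodiscover" href="https://nawebint.contoso.com/Autodiscover/AutodiscoverService.svc/root" />
<Link token="External/Autodiscover" href="https://nawebext.contoso.com/Autodiscover/AutodiscoverService.svc/root" />
<Link token="Internal/Ucwa" href="https://nawebint.contoso.com/ucwa/v1/applications" />
<Link token="External/Ucwa" href="https://nawebext.contoso.com/ucwa/v1/applications" />
<Link token="Self" href="https://nawebint.contoso.com/Autodiscover/AutodiscoverService.svc/root/user" />
</User>
</AutodiscoverResponse>"""


def parse_autodiscover(xml_bytes):
    """Return AccessLocation, the token->href link map and the Sip*Access entries."""
    root = ET.fromstring(xml_bytes)
    user = root.find("User")
    links = {link.get("token"): link.get("href") for link in user.findall("Link")}
    # Sip*Access elements carry the fqdn/port the client will use for SIP signaling.
    sip = {el.tag: (el.get("fqdn"), int(el.get("port")))
           for el in user if el.tag.startswith("Sip")}
    return {"access_location": root.get("AccessLocation"), "links": links, "sip": sip}


def select_endpoints(parsed, location=None):
    """Pick the link set and SIP client access for 'Internal' or 'External'
    (default: the AccessLocation the server reported)."""
    loc = location or parsed["access_location"]
    prefix = loc + "/"
    chosen = {tok[len(prefix):]: href
              for tok, href in parsed["links"].items() if tok.startswith(prefix)}
    chosen["sip"] = parsed["sip"]["SipClient%sAccess" % loc]
    return chosen


def non_https_links(parsed):
    """Tokens whose href is not HTTPS. The web ticket obtained in steps 6-8 is sent
    to these URLs, so a client should refuse any link that is not HTTPS."""
    return sorted(tok for tok, href in parsed["links"].items()
                  if urlparse(href).scheme != "https")
```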
Authentication methods can be disabled on demand
Works when remote
Inbound with signaling
Client does not need AD connection
Client connects to AD directly
Used internally
Skype for Business self-signed certificate
No need to connect to Active Directory, not internal or external
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="SkypeDIR01.contoso.com", version=4, sts-uri=https://wp1.contoso.com/CertProv/CertProvisioningService.svc
Certificate service requires an existing certificate or a web ticket to authenticate the user.
Cannot get the certificate without a web ticket
Contains Web-Ticket service URL
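An added example (not from the training deck) of how a client can take apart the TLS-DSK challenge shown above and decide whether to follow its sts-uri. The challenge arrives in an unauthenticated 401, so the check only accepts an HTTPS certificate-provisioning URL under the deployment's own domain; the function names and the trusted_suffix policy value are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the TLS-DSK challenge shown above, as the client receives it
# in the 401 response's WWW-Authenticate header.
SAMPLE_CHALLENGE = ('TLS-DSK realm="SIP Communications Service", '
                    'targetname="SkypeDIR01.contoso.com", version=4, '
                    'sts-uri=https://wp1.contoso.com/CertProv/CertProvisioningService.svc')

# name=value pairs; values are either quoted (may contain spaces/commas) or bare tokens.
_PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header_value):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header_value.partition(" ")
    params = {name: quoted or bare for name, quoted, bare in _PARAM.findall(rest)}
    return scheme, params


def sts_uri_is_acceptable(params, trusted_suffix=".contoso.com"):
    """The challenge comes from an unauthenticated 401, so a client should not post
    credentials to whatever sts-uri it names: accept only HTTPS under the deployment's
    own domain (trusted_suffix is an assumed policy value, not from the deck)."""
    uri = params.get("sts-uri")
    if not uri:
        return False
    parts = urlparse(uri)
    return (parts.scheme == "https" and parts.hostname is not None
            and parts.hostname.endswith(trusted_suffix))
```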
Skype for Business authenticates the user with NTLM, Kerberos, PIN or TLS-DSK
NTLM or Kerberos Auth
The ticket is returned
Skype for Business authenticates with Web Ticket
Skype for Business provides PKI key pair for user
Certificate service publishes cert to FEs, replicates to SBAs, etc
Get-CsClientCertificate returns information on published certificates
Revoke-CsClientCertificate revokes client certificates on the server
If Skype for Business has no certificate, it tries NTLM/Kerberos during first logon.
Speeds up sign-in process (Web service requests could time out during outage)
After sign-in completes, a certificate will be fetched for the next logon session.
A Skype for Business signed client certificate is equivalent to the user's password.
Saving the password means saving the certificate too. Beware!
Skype for Business Certificates stored in Windows Certificate Store.
Skype for Business Credentials stored in Windows Credential Manager
To clean up a user, delete their certificate and credentials
Function              Debug String                                            Type
Location Profile      application/ms-location-profile-definition+xml          Service
Contact List/Groups   application/vnd-microsoft-roaming-contacts+xml          Subscribe
Policies              application/vnd-microsoft-roaming-provisioning-v2+xml   Subscribe
Get self presence     application/vnd-microsoft-roaming-self+xml              Subscribe
Publish presence      application/msrtc-category-publish+xml                  Service
Conferencing policy   application/cccp+xml                                    Service
Media relay token     application/msrtc-media-relay-auth+xml                  Service
[Diagram: Internal SfB client sign-in ([email protected]). Components: Skype for Business Server 2015 Pool; Internal DNS records Lyncdiscoverinternal.<sipdomain> and <IntPoolFQDN>; External DNS records Lyncdiscover.domain.com and <ExtPoolFQDN>; IIS / Skype for Business Web Services (Autodiscover, WebTicket, UCWA) on Internal (443) and External (4443); Reverse Proxy; Skype for Business 2015 Edge. Zones: Internet / Public Network, Perimeter Network, Internal Network.]
[Diagram: Internal SfB mobile client sign-in ([email protected]); same components and zones as the previous diagram.]
[Diagram: External SfB client sign-in ([email protected]); same components and zones, with the client on the Internet / Public Network side of the Reverse Proxy (External, 4443).]
http://aka.ms/sa-ice
Skype For Business.blog contains media stack information that is encrypted and can only be verified by Microsoft using internal tools.
~/Desktop/CaptureMSFT.pcap
~/Library/Containers/com.Microsoft.SkypeForBusiness/Data/Library/Logs/com.microsoft.SkypeForBusiness/*.*
~/Library/Containers/com.Microsoft.SkypeForBusiness/Data/Library/Logs/LwaTracing/LccMedia/*.*
/var/log/system.log
1 – Enable Fiddler on the PC and allow remote users to connect
2 – Install the Fiddler Root CA cert on the Mac by opening the Fiddler Echo Service (normally http://<pc address>:8888/) and downloading the Fiddler Root Certificate
3 – Configure your network proxy settings on Mac OS under Network Advanced Settings:
https://www.skypeoperationsframework.com/academy
https://www.microsoft.com/en-us/download/details.aspx?id=36535
http://aka.ms/sa-ice
https://www.microsoft.com/en-us/download/details.aspx?id=47263
http://www.telerik.com/fiddler
https://aka.ms/sofcommunity