Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Use Get/Set-CsAuthConfig cmdlet to manage Skype for Business Server 2015 authentication configuration



Summary

After you apply the July 2018 cumulative update 6.0.9319.534 for Microsoft Skype for Business Server 2015, you can use the Get/Set-CsAuthConfig cmdlets to manage the authentication configuration for your Skype for Business Server.

Set-CsAuthConfig can be configured in 5 different ways as shown below.

| No. | External | Internal | Parameter | Description |
|---|---|---|---|---|
| 1 | Allow Modern Authentication (MA) and Windows Authentication | Allow MA and Windows Authentication | AllowAllExternallyAndInternally | Default scenario when MA is turned ON for Skype for Business Server. |
| 2 | Allow only MA | Allow MA and Windows Authentication | BlockWindowsAuthExternally | Blocks password attacks externally and allows older clients that don't support ADAL to still work internally, although clients that do support ADAL use MA internally. |
| 3 | Allow only MA | Allow only MA | BlockWindowsAuthExternallyAndInternally | Forces MA for all users. Only ADAL-capable clients will work. |
| 4 | Allow only MA | Allow only Windows Authentication | BlockWindowsAuthExternallyAndModernAuthInternally | Blocks password attacks externally and allows all internal clients to use legacy authentication. |
| 5 | Allow MA and Windows Authentication | Allow only Windows Authentication | BlockModernAuthInternally | Externally: ADAL clients will use MA and non-ADAL clients will use legacy authentication. Internally: All clients will use legacy authentication. |

Running these cmdlets at a pool level:

  • The Set-CsAuthConfig cmdlet sets configuration on both the Registrar and the Web Services roles. This cmdlet is meant to be run only at the global level, not at the pool level, and we highly recommend that you use it only in this manner. Technically, it can be run at a pool level. However, if the pool has only one of the required roles (say, Registrar and not Web Services), only the settings for Registrar are set, and the Web Services settings come from the global setting. If a client uses the Registrar settings from one pool and the Web Services settings from another pool, and the authentication settings are in an inconsistent state, the client may be unable to log on.
  • If there's only one role present for a pool:
    • Set - will only set the settings that correspond to the role that exists. No special warning will be given because some settings were not set.
    • Get - will return the setting that corresponds to the role that exists and the global settings for the role that doesn't exist.
  • If neither role is present for a pool, both Set and Get will return an error message.
  • If both roles are present for a pool but policies aren't defined at the pool level, Get will return an error message.


How to get this update

To get this update, install the July 2018 cumulative update 6.0.9319.534 for Skype for Business Server 2015, Core Components.

Note: After you modify the CsAuthConfig settings, you must run the Enable-CsComputer cmdlet on all servers for the change to take effect.
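
As an added example (not part of the original KB article), the following PowerShell script applies one scenario at the global level, runs Enable-CsComputer on each server, and reports servers where activation failed. It assumes the names in the Parameter column are passed through the cmdlet's -Scenario parameter, that Get-CsComputer lists the servers to activate, and that PowerShell remoting is enabled; the snapshot file name is hypothetical.

```powershell
# Added example: apply one authentication scenario globally, then activate it.
# Assumptions: Skype for Business Server Management Shell, cumulative update
# 6.0.9319.534 or later, PowerShell remoting enabled to the servers.
param(
    [ValidateSet('AllowAllExternallyAndInternally',
                 'BlockWindowsAuthExternally',
                 'BlockWindowsAuthExternallyAndInternally',
                 'BlockWindowsAuthExternallyAndModernAuthInternally',
                 'BlockModernAuthInternally')]
    [string]$Scenario = 'BlockWindowsAuthExternally'   # scenario 2 in the table
)

$ErrorActionPreference = 'Stop'
Import-Module SkypeForBusiness

# 1. Record the current configuration so the change can be reviewed or reverted.
#    (File name is hypothetical.)
Get-CsAuthConfig | Format-List | Out-String |
    Set-Content -Path '.\CsAuthConfig-before.txt'

# 2. Apply the scenario. No pool is targeted, in line with the article's
#    recommendation to use the cmdlet at the global level only.
Set-CsAuthConfig -Scenario $Scenario

# 3. The new settings take effect only after Enable-CsComputer has run on
#    every server. Servers that cannot be reached are collected, not skipped.
$failed = @()
foreach ($server in (Get-CsComputer).Fqdn) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock {
            Import-Module SkypeForBusiness
            Enable-CsComputer
        }
        Write-Host "Enable-CsComputer completed on $server"
    } catch {
        $failed += $server
        Write-Warning "Enable-CsComputer failed on ${server}: $($_.Exception.Message)"
    }
}

# 4. Show the resulting configuration and list servers that still need activation.
Get-CsAuthConfig | Format-List
if ($failed.Count -gt 0) {
    Write-Warning "Run Enable-CsComputer locally on: $($failed -join ', ')"
}
```

Until Enable-CsComputer has completed on every server listed in the final warning, those servers may still accept the previous authentication methods.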


Article Info
Article ID : 4346673
Revision : 23
Created on : 12/21/2018
Published on : 12/21/2018