After you apply the July 2018 cumulative update 6.0.9319.534 for Microsoft Skype for Business Server 2015, you can use the Get/Set-CsAuthConfig cmdlets to manage the authentication configuration for your Skype for Business Server.
Set-CsAuthConfig can be configured in 5 different ways as shown below.
| | External | Internal | Parameter | Description |
|---|---|---|---|---|
| 1 | Allow Modern Authentication (MA) and Windows Authentication | Allow MA and Windows Authentication | AllowAllExternallyAndInternally | Default scenario when MA is turned ON for Skype for Business Server. |
| 2 | Allow only MA | Allow MA and Windows Authentication | BlockWindowsAuthExternally | Blocks password attacks externally and allows older clients that don't support ADAL to still work internally, although clients that do support ADAL use MA internally. |
| 3 | Allow only MA | Allow only MA | BlockWindowsAuthExternallyAndInternally | Forces MA for all users. Only ADAL-capable clients will work. |
| 4 | Allow only MA | Allow only Windows Authentication | BlockWindowsAuthExternallyAndModernAuthInternally | Blocks password attacks externally and allows all internal clients to use legacy authentication. |
| 5 | Allow MA and Windows Authentication | Allow only Windows Authentication | BlockModernAuthInternally | Externally: ADAL clients will use MA and non-ADAL clients will use legacy authentication. Internally: All clients will use legacy authentication. |

Running these cmdlets at a pool level:
- The Set-CsAuthConfig cmdlet sets configuration on both the Registrar and the Web Services roles. This cmdlet is meant to be run only at the global level (and not at the pool level), and we highly recommend that you use it only in this manner. Technically, it can be run at a pool level. However, if the pool has only one of the roles needed (say, Registrar and not Web Services), then only the settings for Registrar will be set, and the Web Services settings will come from the global setting. If a client uses the Registrar settings from one pool and the Web Services settings from another pool, and the authentication settings are in an inconsistent state, the client may be unable to log on.
- If there's only one role present for a pool:
  - Set - will only set the settings that correspond to the role that exists. No special warning will be given because some settings were not set.
  - Get - will return the setting that corresponds to the role that exists and the global settings for the role that doesn't exist.
- If neither role is present for a pool, both Set and Get will return an error message.
- If both roles are present for a pool but policies aren't defined at the pool level, Get will return an error message.
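
The pool-level behavior listed above can be modeled offline to see how a Set on a single-role pool leaves the two roles out of step. This is an added example, not Skype for Business Server code or the cmdlets' implementation; the pool names are constructed, and it assumes that "inconsistent" means the two roles allow different methods and that a role without a pool-level value resolves to the global scenario.

```python
MA, WIN = "MA", "Windows"
# Scenario -> (methods allowed externally, methods allowed internally), from the table.
SCENARIOS = {
    "AllowAllExternallyAndInternally": ({MA, WIN}, {MA, WIN}),
    "BlockWindowsAuthExternally": ({MA}, {MA, WIN}),
    "BlockWindowsAuthExternallyAndInternally": ({MA}, {MA}),
    "BlockWindowsAuthExternallyAndModernAuthInternally": ({MA}, {WIN}),
    "BlockModernAuthInternally": ({MA, WIN}, {WIN}),
}
ROLES = ("Registrar", "WebServices")

def set_config(topo, pool, scenario):
    """Pool-level Set: writes only the roles the pool hosts, with no warning."""
    roles = topo["pools"][pool]
    if not roles:
        raise LookupError(f"{pool}: neither role present")
    for role in roles:
        topo["pool_settings"][(pool, role)] = scenario

def effective(topo, pool, role):
    """Assumption: a role with no pool-level value resolves to the global scenario."""
    return topo["pool_settings"].get((pool, role), topo["global"])

def get_config(topo, pool):
    """Pool-level Get, with the two error cases from the list above."""
    roles = topo["pools"][pool]
    if not roles:
        raise LookupError(f"{pool}: neither role present")
    if roles == set(ROLES) and not any((pool, r) in topo["pool_settings"] for r in ROLES):
        raise LookupError(f"{pool}: no pool-level policies defined")
    return {r: effective(topo, pool, r) for r in ROLES}

def mismatched_sides(topo, registrar_pool, web_pool):
    """Network sides where Registrar and Web Services allow different methods
    (assumption: this is what 'inconsistent state' means)."""
    reg = SCENARIOS[effective(topo, registrar_pool, "Registrar")]
    web = SCENARIOS[effective(topo, web_pool, "WebServices")]
    return [s for s, r, w in zip(("external", "internal"), reg, web) if r != w]

def demo_topology():
    """Constructed sample: pool-a hosts only Registrar, pool-c hosts neither role."""
    return {"global": "AllowAllExternallyAndInternally", "pool_settings": {},
            "pools": {"pool-a": {"Registrar"}, "pool-c": set(),
                      "pool-b": {"Registrar", "WebServices"}}}

if __name__ == "__main__":
    topo = demo_topology()
    set_config(topo, "pool-a", "BlockWindowsAuthExternallyAndInternally")
    print(get_config(topo, "pool-a"))
    print(mismatched_sides(topo, "pool-a", "pool-b"))
```

In the model, applying the same scenario wherever both roles are hosted clears the mismatch, which is the outcome the global-level recommendation guarantees.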