Forum Discussion

laser's avatar
Icon for Altostratus rankAltostratus
Sep 05, 2016

APM: Office365 Skype for Business On-Premise Authentication

I've spent a few days working on an Office 365 lab hybrid deployment and have been unable to get Skype for business to authenticate or work properly. Is this supported? In my configuration I am attempting to use the F5 as the IDP. Azure AD connect is syncing properly and is not syncing password hashes to Azure.

According to this document, Rich client application such as Lync or authenticating an Office subscription are not supported:

Azure AD federation compatibility list

However I am able to authenticate other thick-clients like Word, Excel, Outlook, etc without issue. A window with the APM login screen is displayed when authenticating--I would expect similar behavior for the Skype client. This makes me believe maybe this document is incorrect?

I have gathered SSLdumps and see the authentication request reach the VIP:

1 10 1472838567.6975 (0.0018)  C>SV3.3(448)  application_data
POST /saml/idp/profile/ecp/sso HTTP/1.0
Connection: Keep-Alive
Content-Type: application/soap+xml
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR    3.5.30729; MSOIDCR
L 7.250.4556.0; App lync.exe, 16.0.7167.2040, {12B07E85-1B47-41C4-A4E2-43XXXXXXXXXX})
Content-Length: 1583

1 11 1472838567.6975 (0.0000)  C>SV3.3(1632)  application_data
/sso1472838xxx   xxxx@xxxx.xxxxxxxxxxxxxx   2016-09-02T17:52:11Z2016-09-02T17:57:11Z
Issueurn:federation:MicrosoftOnline     ---------------------------------
1 12 1472838567.7042 (0.0067)  S>CV3.3(336)  application_data
HTTP/1.0 302 Found
Server: BigIP
Connection: Close
Content-Length: 0
Location: /my.policy
Set-Cookie: LastMRH_Session=9c7be893;path=/;secure
Set-Cookie: MRHSession=xxxxxxxxxxxxxxxxxxxxxxxxxxx;path=/;secure
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

1    1472838567.7042 (0.0000)  S>C  TCP FIN
1 13 1472838567.7046 (0.0003)  C>SV3.3(48)  Alert

I would expect that the APM should be responding to the request rather than closing the connection as seen above. To me the soap envelope looks OK, or maybe I'm missing something simple?

I'm running 12.1.1, and have also tried 11.6.1. I have no on-premise Skype/Lync environment and have validated that all DNS entries for Skype are correct. Microsoft's Connectivity Analyzer succeeds on all tests. The Skype client produces a generic failure on login: "Cannot sign in because the server is temporarily unavailable".

Any guidance would be appreciated, thanks!