Sunday, June 2, 2013

OAuth Certificate Lync Server 2013

Microsoft Lync Server 2013 has many new features; one of them is OAuth, the authorization method used when an organization wants to integrate Lync 2013 with Microsoft Exchange Server 2013.
OAuth (Open Authorization) is a protocol for server-to-server authentication and authorization. With OAuth, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization are based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time. Lync Server 2013 supports three server-to-server authentication scenarios:
  • On-premises deployment - Configure server-to-server authentication between an on-premises installation of Lync Server 2013 and on-premises installations of Exchange 2013 and SharePoint Server.
  • Online deployment - Authentication between a pair of Office 365 components, such as Exchange 365 and Lync 365, or Lync 365 and SharePoint 365.
  • Hybrid deployment - Configure server-to-server authentication in a cross-premises environment, such as an on-premises server and an Office 365 component.
By using OAuth authentication with Exchange 2013 and SharePoint 2013, organizations can take advantage of some of the new features of Lync 2013, such as:
  • Unified contact store -- The unified contact store lets you store all Lync contact data in the user's Exchange 2013 mailbox. Lync retrieves data associated with a user's contact list by using Exchange Web Services (EWS), as opposed to the Session Initiation Protocol (SIP) request used in Lync 2010.
  • Archiving -- By integrating Lync and Exchange 2013, both archiving and discovery take a major step forward.
  • HD photos -- When Lync 2013 and Exchange 2013 are integrated, Lync supports HD photos. Storing photos in Active Directory (AD) in the thumbnailPhoto attribute limits the flexibility for manipulation of the photos and also puts the burden on AD to replicate extra traffic to all the domain controllers (DCs). By having Exchange as the storage point for Lync 2013 photos, users can leverage high-resolution photos for their Lync profiles.
Here are some points that should help make your deployment easier:
  • Make sure that you have a valid certificate to use for OAuth; try to use the same certificate across the Lync and Exchange environments, which makes for a more seamless integration with free/busy data and Exchange UM.
  • Use the Lync 2013 Deployment Wizard for certificate installation and configuration in the Lync environment.
  • Create the partner association for Lync 2013 and Exchange Server 2013; the partner association allows Lync and Exchange to exchange security tokens during the OAuth process so that they don't rely on a third-party mechanism.
  • Make sure to configure the Exchange Autodiscover service.
  • Be sure to install the UM Managed API 4.0 runtime in the Exchange environment.

What makes the OAuthTokenIssuer certificate different from the other certificates in Lync Server 2013 is that it is a global certificate rather than a per-server one.


When you assign this certificate, it is replicated via the CMS (Central Management Store) and assigned to all of the Lync Server 2013 servers that require OAuth. You can check the directory where the Lync Server 2013 logs are stored (C:\Users\administrator\AppData\Local\Temp) for a file named ReplicateCMSCertificates-[2013_03_23][11_49_20].html.
If you open the log, it looks like this:

After replication succeeds, if you look at another Lync Server 2013 server you will see that the OAuthTokenIssuer certificate has been replicated and assigned to that server as well.

So when requesting the OAuthTokenIssuer certificate in Lync Server 2013, remember to only request it once and sit back and let CMS replication take care of the rest!
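The following Lync Server Management Shell script is an added example, not code from the original post or from Microsoft; it ties together the deployment tips above (request the certificate once, assign it, create the partner association for Exchange) and the replication check described in this section (confirm the same OAuthTokenIssuer thumbprint shows up on the other servers and look for the ReplicateCMSCertificates log). The CA name, friendly name, SIP domain, Autodiscover metadata URL and server list are assumed placeholders; the script also assumes, as the deployment cmdlets document, that Request-CsCertificate returns a certificate reference with a Thumbprint property.

```powershell
# Added example (not from the original post). Run from the Lync Server
# Management Shell on ONE Front End server; CMS replication assigns the
# certificate to every other server that needs OAuth, so never request
# it per server.  All values below are assumed placeholders.

$CaName              = 'dc01.contoso.com\Contoso-Issuing-CA'                       # assumed CA
$FriendlyName        = 'Lync OAuthTokenIssuer'
$SipDomain           = 'contoso.com'
$ExchangeMetadataUrl = 'https://autodiscover.contoso.com/autodiscover/metadata/json/1'   # assumed
$OtherLyncServers    = @('lyncfe02.contoso.com', 'lyncfe03.contoso.com')           # assumed
$ReportPath          = 'C:\Logs\OAuthTokenIssuer-Request.html'

# 1. Request and assign the global OAuthTokenIssuer certificate, but only
#    if none is assigned yet (an existing one is already replicated by CMS).
$existing = Get-CsCertificate -Type OAuthTokenIssuer -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    $cert = Request-CsCertificate -New -Type OAuthTokenIssuer -CA $CaName `
                -FriendlyName $FriendlyName -PrivateKeyExportable $true `
                -DomainName $SipDomain -Report $ReportPath
    Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint $cert.Thumbprint
    $existing = Get-CsCertificate -Type OAuthTokenIssuer
}
$thumb = $existing.Thumbprint
Write-Host "OAuthTokenIssuer thumbprint on this server: $thumb"

# Flag a certificate that is about to expire: an expired OAuthTokenIssuer
# breaks token exchange with Exchange (free/busy, UM, unified contact store).
if ($existing.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "OAuthTokenIssuer certificate expires on $($existing.NotAfter); renew it."
}

# 2. Create the partner association with Exchange 2013 so the two sides can
#    exchange security tokens directly (no third-party token broker).
if (-not (Get-CsPartnerApplication -Identity Exchange -ErrorAction SilentlyContinue)) {
    New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full `
        -MetadataUrl $ExchangeMetadataUrl
}
# The matching step on the Exchange side is run from the Exchange Management
# Shell (not here); the Lync pool URL is an assumed placeholder:
#   cd $exscripts
#   .\Configure-EnterprisePartnerApplication.ps1 -ApplicationType Lync `
#       -AuthMetadataUrl 'https://lyncpool.contoso.com/metadata/json/1'

# 3. Verify CMS replication: every replica should be up to date, and the
#    other servers should report the same thumbprint as this one.
$stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
if ($stale) {
    Write-Warning ("Replicas not up to date: " + ($stale.ReplicaFqdn -join ', '))
}

foreach ($server in $OtherLyncServers) {
    # Assumes PowerShell remoting is enabled and the Lync module is installed there.
    $remote = Invoke-Command -ComputerName $server -ScriptBlock {
        Import-Module Lync
        (Get-CsCertificate -Type OAuthTokenIssuer -ErrorAction SilentlyContinue).Thumbprint
    }
    if ($remote -eq $thumb) {
        Write-Host "$server : OAuthTokenIssuer replicated (thumbprint matches)"
    } else {
        Write-Warning "$server : thumbprint '$remote' does not match '$thumb' (replication pending or failed)"
    }
}

# 4. The replication run also writes the HTML log mentioned above; list the
#    most recent one so it can be opened for details.
Get-ChildItem -Path "$env:TEMP\ReplicateCMSCertificates-*.html" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 FullName, LastWriteTime

# 5. End-to-end check of the OAuth trust with Exchange for one user (assumed SIP URI).
Test-CsExStorageConnectivity -SipUri "sip:user1@$SipDomain"
```

If the thumbprint comparison fails on a server that is otherwise up to date, the usual cause is that someone requested a second OAuthTokenIssuer certificate on that server; the fix is to leave the single global certificate in place and let CMS replication overwrite the local assignment rather than requesting again.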
