Topic Last Modified: 2014-02-05

In a cross-premise configuration, some of your users are homed on an on-premises installation of Microsoft Lync Server 2013 while other users are homed on the Office 365 version of Lync Server. In order to configure server-to-server authentication in a cross-premises environment, you must first configure your on-premises installation of Lync Server 2013 to trust the Office 365 Authorization server. The initial step in this process can be carried out by running the following Lync Server Management Shell script:

# Retrieve the tenant ID; it also serves as the realm in the authorization server's metadata URL.
$TenantId = (Get-CsTenant -Filter {DisplayName -eq "Fabrikam.com"}).TenantId

# Create the Office 365 authorization server entry, replacing it if it points at a different metadata URL.
$sts = Get-CsOAuthServer microsoft.sts -ErrorAction SilentlyContinue
if ($sts -eq $null)
{
    New-CsOAuthServer microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1"
}
elseif ($sts.MetadataUrl -ne "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1")
{
    Remove-CsOAuthServer microsoft.sts
    New-CsOAuthServer microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1"
}

# Register Exchange as a fully trusted partner application using the well-known Exchange application identifier.
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
if ($exch -eq $null)
{
    New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
}
elseif ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
{
    Remove-CsPartnerApplication microsoft.exchange
    New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
}
else
{
    Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full -UseOAuthServer
}

# Use the well-known Lync Server application identifier as the service name in the OAuth configuration.
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Keep in mind that the realm name for a tenant is typically different than the organization name; in fact, the realm name is almost always the same as the tenant ID. Because of that, the first line in the script is used to return the value of the TenantId property for the specified tenant (in this case, fabrikam.com) and then assign that name to the variable $TenantId:

$TenantId = (Get-CsTenant -Filter {DisplayName -eq "Fabrikam.com"}).TenantId
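The following function is an added example, not part of the original article: after the script has run, it reads the on-premises settings back and reports any value that does not match what the script was meant to write. It assumes the same tenant display name and well-known application identifiers as the article; the function name is hypothetical.

```powershell
# Added example (not from the original article): verify the on-premises OAuth trust settings.
function Test-CsCrossPremiseOAuthTrust {
    param([string]$TenantDisplayName = "Fabrikam.com")

    # -Filter is a string parameter, so a double-quoted filter lets the tenant name come from a variable.
    $tenantId = (Get-CsTenant -Filter "DisplayName -eq '$TenantDisplayName'").TenantId
    if (-not $tenantId) { throw "No tenant found with display name '$TenantDisplayName'" }
    $expectedUrl = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"
    $problems = @()

    # The authorization server must exist and point at this tenant's metadata document.
    $sts = Get-CsOAuthServer microsoft.sts -ErrorAction SilentlyContinue
    if (-not $sts) {
        $problems += "OAuth server microsoft.sts is missing"
    } elseif ($sts.MetadataUrl -ne $expectedUrl) {
        $problems += "microsoft.sts MetadataUrl is '$($sts.MetadataUrl)', expected '$expectedUrl'"
    }

    # Exchange must be a fully trusted partner application with the well-known identifier.
    $exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
    if (-not $exch) {
        $problems += "Partner application microsoft.exchange is missing"
    } else {
        if ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000") {
            $problems += "microsoft.exchange ApplicationIdentifier is '$($exch.ApplicationIdentifier)'"
        }
        if ($exch.ApplicationTrustLevel -ne "Full") {
            $problems += "microsoft.exchange ApplicationTrustLevel is '$($exch.ApplicationTrustLevel)', expected Full"
        }
    }

    # The global OAuth configuration must carry the Lync Server identifier as its service name.
    $conf = Get-CsOAuthConfiguration -Identity Global
    if ($conf.ServiceName -ne "00000004-0000-0ff1-ce00-000000000000") {
        $problems += "OAuth configuration ServiceName is '$($conf.ServiceName)'"
    }

    if ($problems.Count -eq 0) { "Cross-premises OAuth trust is configured as expected." }
    else { $problems }
}

Test-CsCrossPremiseOAuthTrust -TenantDisplayName "Fabrikam.com"
```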

After the script completes you must then configure a trust relationship between Lync Server 2013 and the authorization server, and a second trust relationship between Exchange 2013 and the authorization server. This can only be done by using the Microsoft Online Services cmdlets.

Note:
If you have not installed the Microsoft Online Services cmdlets you will need to do two things before proceeding. First, download and install the 64-bit version of the Microsoft Online Services Sign-in Assistant. After installation is complete, download and install the 64-bit version of the Microsoft Online Services Module for Windows PowerShell. Detailed information for installing and using the Microsoft Online Services Module can be found on the Office 365 web site. These instructions will also tell you how to configure single sign-on, federation, and synchronization between Office 365 and Active Directory.

If you have not installed these cmdlets your script will fail because the Get-CsTenant cmdlet will not be available.

After you have configured Office 365, and after you have created Office 365 service principals for Lync Server 2013 and Exchange 2013, you will then need to register your credentials with these service principals. In order to do this, you must first obtain an X.509 certificate saved as a Base64-encoded .CER file. This certificate will then be applied to the Office 365 service principals.

When you have obtained the X.509 certificate, start the Microsoft Online Services Module (click Start, click All Programs, click Microsoft Online Services, and then click Microsoft Online Services Module for Windows PowerShell). After the Services Module opens, type the following to import the Microsoft Online Windows PowerShell module containing the cmdlets that can be used to manage service principals:

Import-Module MSOnlineExtended

When the module has been imported, type the following command and then press ENTER in order to connect to Office 365:

Connect-MsolService

After you press ENTER, a credentials dialog box will appear. Enter your Office 365 user name and password in the dialog box, and then click OK.

As soon as you are connected to Office 365 you can then run the following command in order to return information about your service principals:

Get-MsolServicePrincipal

You should get back information similar to this for all your service principals:

ExtensionData        : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled       : True
Addresses            : {}
AppPrincipalId       : 00000004-0000-0ff1-ce00-000000000000
DisplayName          : Microsoft Lync Server
ObjectId             : aada5fbd-c0ae-442a-8c0b-36fec40602e2
ServicePrincipalName : LyncServer/litwareinc.com
TrustedForDelegation : True

The next step is to import, encode, and assign the X.509 certificate. To import and encode the certificate, use the following Windows PowerShell commands, being sure to specify the complete file path to your .CER file when you call the Import method:

# Load the certificate from the .CER file.
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\Certificates\Office365.cer")
# Take the DER-encoded certificate bytes and Base64-encode them for use as the credential value.
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

After the certificate has been imported and encoded, you can then assign the certificate to your Office 365 service principals. To do that, first use Get-MsolServicePrincipal to retrieve the value of the AppPrincipalId property for both the Lync Server and the Microsoft Exchange service principals; the value of the AppPrincipalId property identifies the service principal being assigned the certificate. With the AppPrincipalId property value for Lync Server 2013 in hand, use the following command to assign the certificate to the Office 365 version of Lync Server (the StartDate and EndDate properties should correspond to the validity period for the certificate):

New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue -StartDate 6/1/2012 -EndDate 5/31/2013

You should then repeat the command, this time using the AppPrincipalId property value for Exchange 2013.
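The following function is an added example, not part of the original article: it performs the import, encoding and assignment for both service principals in one pass, takes StartDate and EndDate from the certificate's own validity period instead of typing them by hand, and reads each credential back to confirm it was registered. It assumes an active Connect-MsolService session and the two well-known AppPrincipalId values from this article; the file path and function name are hypothetical.

```powershell
# Added example (not from the original article): assign one certificate to both service principals.
function Add-CrossPremiseServicePrincipalCertificate {
    param([Parameter(Mandatory = $true)][string]$CerPath)

    # X509Certificate2 exposes NotBefore, NotAfter and Thumbprint, which X509Certificate does not.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CerPath)
    $value = [System.Convert]::ToBase64String($cert.GetRawCertData())

    if ($cert.NotAfter -le (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); supply a valid certificate."
    }

    $principals = @{
        "Lync Server" = "00000004-0000-0ff1-ce00-000000000000"
        "Exchange"    = "00000002-0000-0ff1-ce00-000000000000"
    }
    foreach ($name in $principals.Keys) {
        $appId = $principals[$name]

        # Skip the principal if this exact certificate is already registered, so re-runs are harmless.
        $existing = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
            Where-Object { $_.Type -eq "Asymmetric" -and $_.Value -eq $value } | Select-Object -First 1
        if ($existing) {
            "$name already has certificate $($cert.Thumbprint) (KeyId $($existing.KeyId))"
            continue
        }

        # The validity window is taken from the certificate so it cannot drift from the real dates.
        New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Asymmetric -Usage Verify `
            -Value $value -StartDate $cert.NotBefore -EndDate $cert.NotAfter

        # Read the credential back and confirm it landed.
        $added = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
            Where-Object { $_.Value -eq $value } | Select-Object -First 1
        if (-not $added) { throw "Certificate was not registered for $name ($appId)" }
        "$name ($appId): KeyId $($added.KeyId), valid $($added.StartDate) to $($added.EndDate)"
    }
}

Add-CrossPremiseServicePrincipalCertificate -CerPath "C:\Certificates\Office365.cer"
```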

If you later need to delete that certificate, you can do so by first retrieving the KeyId for the certificate:

Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000

That command will return data similar to this:

Type      : Asymmetric
Value     :
KeyId     : bc2795f3-2387-4543-a95d-f92c85c7a1b0
StartDate : 6/1/2012 8:00:00 AM
EndDate   : 5/31/2013 8:00:00 AM
Usage     : Verify

You can then delete the certificate by using a command similar to this:

Remove-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -KeyId bc2795f3-2387-4543-a95d-f92c85c7a1b0
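The following function is an added example, not part of the original article: it lists every credential on the Lync Server and Exchange service principals, flags those that are expired, not yet valid, or expiring within a given number of days, and removes the expired ones only when asked to. It assumes an active Connect-MsolService session and the two well-known AppPrincipalId values from this article; the function name is hypothetical.

```powershell
# Added example (not from the original article): audit service principal credentials for expiry.
function Get-CrossPremiseCredentialStatus {
    param([int]$WarnDays = 30, [switch]$RemoveExpired)

    $now = Get-Date
    $appIds = "00000004-0000-0ff1-ce00-000000000000", "00000002-0000-0ff1-ce00-000000000000"
    foreach ($appId in $appIds) {
        $sp = Get-MsolServicePrincipal -AppPrincipalId $appId
        foreach ($cred in (Get-MsolServicePrincipalCredential -AppPrincipalId $appId)) {
            # Classify by the credential's own validity window.
            $state = if ($cred.EndDate -lt $now) { "EXPIRED" }
                     elseif ($cred.StartDate -gt $now) { "NOT YET VALID" }
                     elseif ($cred.EndDate -lt $now.AddDays($WarnDays)) { "EXPIRING" }
                     else { "OK" }

            # One report row per credential; KeyId is what Remove-MsolServicePrincipalCredential needs.
            New-Object PSObject -Property @{
                Principal = $sp.DisplayName
                Type      = $cred.Type
                Usage     = $cred.Usage
                KeyId     = $cred.KeyId
                StartDate = $cred.StartDate
                EndDate   = $cred.EndDate
                State     = $state
            }

            # Only expired credentials are ever removed, and only on explicit request.
            if ($RemoveExpired -and $state -eq "EXPIRED") {
                Remove-MsolServicePrincipalCredential -AppPrincipalId $appId -KeyId $cred.KeyId
            }
        }
    }
}

# Report only; add -RemoveExpired to also delete credentials whose EndDate has passed.
Get-CrossPremiseCredentialStatus -WarnDays 30 | Format-Table Principal, Type, KeyId, EndDate, State -AutoSize
```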

In addition to assigning a certificate, you must also configure the Exchange Online service principal and configure your on-premises version of Lync Server 2013 as an Office 365 service principal. That can be done by carrying out the following two commands:

# Enable the Exchange Online service principal.
Set-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true

# Add the on-premises Lync Server name as a service principal name on the Lync Server service principal.
$lyncSP = Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
$lyncSP.ServicePrincipalNames.Add("00000004-0000-0ff1-ce00-000000000000/lync.contoso.com")
Set-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames