Saturday, March 9, 2013

Lync 2013 Certificate type: "OAuthTokenIssuer"

When requesting certificates in Lync Server 2013 you will notice a new certificate type called “OAuthTokenIssuer”. OAuth stands for “Open Authentication” and is a protocol for server-to-server authentication and authorization. The OAuthTokenIssuer certificate is a global certificate. Exchange 2013, SharePoint Server, and Lync Server 2013 support server-to-server authentication; if you are not running one of these servers you will not be able to fully implement OAuth authentication. Authentication and authorization are based on the exchange of security tokens; these tokens grant access to a specific set of resources for a specific amount of time. Lync Server 2013 must be able to securely communicate with other applications and server products. For example, you can configure Lync Server 2013 so that contact data is stored in Exchange Server 2013, but only if Lync Server and Exchange are able to securely communicate with one another. Although it is possible to use one authentication mechanism for Lync-to-Exchange communication and a separate mechanism for Lync-to-SharePoint communication, a better and more efficient approach is to use a standardized method for all server-to-server authentication and authorization. When you assign the OAuthTokenIssuer certificate, it is replicated via the Central Management Store (CMS) and assigned to all of the Lync Server 2013 servers that require OAuth. So when requesting the OAuthTokenIssuer certificate in Lync Server 2013, you request it only once and CMS replicates it to the other servers.

To determine whether or not a server-to-server authentication certificate has already been assigned to Microsoft Lync Server 2013, run the following command from the Lync Server 2013 Management Shell:

Get-CsCertificate -Type OAuthTokenIssuer

If no certificate information is returned, you must assign a token issuer certificate before you can use server-to-server authentication. Any Lync Server 2013 certificate can be used as your OAuthTokenIssuer certificate; for example, your Lync Server 2013 default certificate can also serve as the OAuthTokenIssuer certificate. The OAuthTokenIssuer certificate can also be any web server certificate that includes the name of your SIP domain in the Subject field. The two primary requirements for the certificate used for server-to-server authentication are these:

  1. The same certificate must be configured as the OAuthTokenIssuer certificate on all of your Front End Servers.
  2. The certificate must be at least 2048 bits.

If you do not have a certificate that can be used for server-to-server authentication you can obtain a new certificate, import the new certificate, and then use that certificate for server-to-server authentication.
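The procedure above, as an added example (not from the original post or from Microsoft's documentation): a Lync Server 2013 Management Shell script that runs the Get-CsCertificate check, validates a candidate certificate against the two requirements stated above (same certificate everywhere, which is what the global assignment gives you, and at least a 2048-bit key) plus the SIP-domain-in-Subject rule, and only then assigns it once so CMS replicates it. The thumbprint and SIP domain are placeholders; the extra expiry and private-key checks are my additions, not requirements the post lists.

```powershell
# Added example, not the blog post's own script. Run in the Lync Server 2013 Management Shell
# on a Front End Server. The two values below are placeholders, not values from the post.
$SipDomain  = 'sip.example'                                      # placeholder: your SIP domain
$Thumbprint = 'PLACEHOLDER-THUMBPRINT-OF-CANDIDATE-CERTIFICATE'  # placeholder: candidate cert

# 1. The check from the post: is a token issuer certificate already assigned?
$existing = Get-CsCertificate -Type OAuthTokenIssuer
if ($existing) {
    Write-Host "OAuthTokenIssuer already assigned: $($existing.Thumbprint) ($($existing.Subject))"
    return
}

# 2. Find the candidate in the local machine store (it must already be imported there).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My; import it first."
}

# 3. Validate against the requirements described in the post, plus two practical checks
#    (expiry and private key) that are this example's own additions.
$problems = @()
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    $problems += "key is $keySize bits; at least 2048 bits required"
}
if ($cert.Subject -notmatch [regex]::Escape($SipDomain)) {
    $problems += "Subject '$($cert.Subject)' does not contain SIP domain '$SipDomain'"
}
if (-not $cert.HasPrivateKey) {
    $problems += "no private key for this certificate on this server"
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "certificate expired on $($cert.NotAfter)"
}
if ($problems.Count -gt 0) {
    throw "Candidate is not usable as OAuthTokenIssuer:`n - " + ($problems -join "`n - ")
}

# 4. Assign once, globally. OAuthTokenIssuer is a global certificate type, so CMS replicates
#    this assignment to every Lync Server 2013 server that requires OAuth; you do not repeat
#    it per Front End, which is how requirement 1 (same certificate everywhere) is met.
Set-CsCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint $cert.Thumbprint

# 5. Confirm the assignment took effect.
Get-CsCertificate -Type OAuthTokenIssuer | Format-List Subject, Thumbprint, NotAfter
```

The script deliberately stops at the first `Get-CsCertificate` hit so it never silently replaces a certificate that is already in use; after CMS replication, re-running the same check on each Front End Server should return the same thumbprint.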