Integrating Exchange Server 2013 and Skype for Business Server 2015 (Part 2)

Integrating the Microsoft Unified Communications products (Skype for Business Server 2015, Exchange Server 2013 and SharePoint Server 2013) enables several features and creates synergies among those products. The Microsoft Unified Communications platform uses server-to-server authentication (S2S OAuth) within the Unified Communications family, and the trust is established using certificates.

The integration requires enabling server-to-server authentication between Exchange and Skype for Business Server. Any other system is defined as a partner application, and we need to create one partner application per product (for example, one for Skype for Business Server, no matter how many pools are deployed).

A partner application has a unique application identifier, which is displayed when listing the partner applications of any given product. The application identifier is used whenever one system accesses another (for example, Skype for Business accessing EWS in Exchange Server will show the application identifier). The following table lists the Microsoft products and their application identifiers.

Microsoft Product            Application Identifier
Exchange                     00000002-000-0ff1-ce00-000000000000
Skype for Business Server    00000004-000-0ff1-ce00-000000000000
SharePoint                   00000003-000-0ff1-ce00-000000000000

Table 1

In this article series, we are going to enable the integration between Exchange and Skype for Business. On the Exchange side, we can use a script called Configure-EnterprisePartnerApplication.ps1, which performs several tasks, such as creating the partner application, an Active Directory account, RBAC permissions and so forth.

The integration starts on the Exchange Server. Logged on as administrator on the Exchange Server, open the Exchange Management Shell and run these two commands (replace torsb01.patricio.local with the FQDN of your Skype for Business Server). The syntax is listed below and the cmdlets in action are shown in Figure 01.

Cd $exscripts

.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataURL https://torsb01.patricio.local/metadata/json/1 -ApplicationType "Lync"

Figure 01

The result of the process is a new account called LyncEnterprise-ApplicationAccount, created in the Users container, as shown in Figure 02.

Figure 02

The script also creates two new management role assignments on Exchange Server for the new Active Directory account (Figure 03).

Figure 03

Besides the Active Directory account and the RBAC permissions, a partner application is also created. We can retrieve that information using Get-PartnerApplication Lync* | fl, and the output provides some useful information, such as the linked Active Directory account, the application identifier, and the AuthMetadataUrl used when the script was run (Figure 04).

Figure 04

Before moving forward, we should refresh the settings by running an iisreset /noforce on the Exchange Server.

One last step on the Exchange Server side is to identify the AutoDiscoverServiceInternalURI, which is responsible for autodiscover (SCP, Service Connection Point) in the internal network. To retrieve that information, use the following cmdlet (Figure 05).

Get-ClientAccessServer | Select Name,*uri*

Figure 05

The second portion of the integration must be done on the Skype for Business Server side. To start, open the Skype for Business Server Management Shell and run the following cmdlet (replace the address webmail.patricio.ca with your Exchange Server autodiscover URI), as shown in Figure 06.

New-CSPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataURL https://webmail.patricio.ca/autodiscover/metadata/json/1

Figure 06

Now that the configuration is complete on both sides (Exchange and Skype for Business servers), we can run the Test-CSExStorageConnectivity cmdlet in the Skype for Business Server Management Shell, using an account that has a mailbox and is enabled for Skype for Business.

If everything is working fine, the results in your environment will be similar to Figure 07.

Figure 07

Those are the main steps to integrate Exchange Server 2013 and Skype for Business Server. With that integration in place, we can start working on the other features such as high-resolution photos, archiving, and so forth.

Notes from the field…

The integration process that we just went through in the previous section should be the rule; however, in some cases we may face issues during the test process. The process is not straightforward for an Exchange/Skype for Business administrator, but it is not rocket science.

When troubleshooting any issues that may arise, the following key points can help you pinpoint where the issue lies:

  • We are using certificates here. If your environment is deployed similarly to the one in our series, you should be fine: we have an internal PKI trusted by all internal domain-joined devices, that internal PKI was used to assign certificates to Skype for Business, and Exchange is using a public certification authority. If that is not your case, make sure that both certificates are valid on both sides (Exchange and Skype for Business servers).
  • If you are getting the error ExCreateItem exchange operations failed, code=5, a possible solution is to add the current user to the RTCUniversalUserAdmins group (make sure to log off and log back on before testing again).
  • Depending on the scenario, the integration may not work using just the Microsoft documentation. The reason is that Skype for Business Server 2015 RTM has the autodiscover name hard-coded in its logic. For example, even if the Exchange organization is not using the name autodiscover.patricio.ca (based on our scenario) in the web services, New-CSPartnerApplication will look for it. There are a couple of solutions to resolve this issue:
    • Create the record autodiscover.patricio.ca pointing to the same IP as webmail.patricio.ca
    • Create a CNAME record autodiscover pointing to webmail.patricio.ca
    • Use the Set-CsOAuthConfiguration cmdlet in Skype for Business Server and set -ExchangeAutodiscoverURL "https://webmail.patricio.ca/autodiscover/autodiscover.svc" before running New-CSPartnerApplication
  • To see what is going on during the test, run the cmdlet with the -Verbose switch: Test-CSExStorageConnectivity -sipuri [email protected] -Verbose
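
An offline pre-flight for the metadata URLs passed to Configure-EnterprisePartnerApplication.ps1 and New-CSPartnerApplication, as an added example that is not part of the original article or of Microsoft's scripts. The function name Test-AuthMetadata and the sample body are constructed, and the JSON field names (issuer, keys, usage, keyvalue) are assumed from the usual shape of an auth metadata document, so compare them with what your own server returns.

```powershell
# Added example: checks an S2S auth metadata URL, and optionally the body it
# returned, before the partner application is created. No network access.
function Test-AuthMetadata {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $Json   # body already fetched from $Url, if available
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref] $uri)) {
        $problems.Add('not an absolute URL')
        return $problems
    }
    # The partner's signing certificate is learned from this document, so the
    # TLS session that delivers it is what anchors the trust.
    if ($uri.Scheme -ne 'https') {
        $problems.Add("scheme is '$($uri.Scheme)', expected https")
    }
    if ($uri.Host -notmatch '\.') {
        $problems.Add("host '$($uri.Host)' is not an FQDN; use the name on the server certificate")
    }
    if ($uri.AbsolutePath -notmatch '/metadata/json/1$') {
        $problems.Add("path '$($uri.AbsolutePath)' does not end in /metadata/json/1")
    }
    if ($Json) {
        try { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
        catch {
            $problems.Add('body is not JSON (error page or wrong path?)')
            return $problems
        }
        # Field names below are assumptions about the document layout.
        $signing = @($doc.keys | Where-Object {
            $_.usage -eq 'signing' -and
            $_.keyvalue.type -eq 'x509Certificate' -and $_.keyvalue.value })
        if ($signing.Count -eq 0) { $problems.Add('no x509 signing key published') }
        if (-not $doc.issuer)     { $problems.Add('issuer is empty') }
    }
    return $problems
}

# Constructed sample body; the key value is a placeholder, not a certificate.
$sampleJson = '{"issuer":"<app-id>@<realm>","keys":[{"usage":"signing",' +
              '"keyvalue":{"type":"x509Certificate","value":"<base64>"}}]}'

foreach ($u in 'https://torsb01.patricio.local/metadata/jason/1',
               'https://torsb01.patricio.local/metadata/json/1') {
    $found = @(Test-AuthMetadata -Url $u -Json $sampleJson)
    '{0} -> {1}' -f $u, $(if ($found) { $found -join '; ' } else { 'OK' })
}
```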

Conclusion

In this second article of our series, we covered all the required steps to configure the integration between Exchange Server 2013 and Skype for Business Server 2015.

1 thought on “Integrating Exchange Server 2013 and Skype for Business Server 2015 (Part 2)”

  1. Thnx for the article, it is very useful. But there is an error in the Figure 1 part: you point the script command line:
    .\Configure-EnterprisePartnerApplication.ps1 –AuthMetadataURL https://torsb01.patricio.local/metadata/jason/1 -ApplicationType “Lync”
    But there should be:
    .\Configure-EnterprisePartnerApplication.ps1 –AuthMetadataURL https://torsb01.patricio.local/metadata/json/1 -ApplicationType “Lync”
    I mean there is “../jason/1” instead of “../json/1”. I spent 2 days rechecking every component because the script gave me a link error.
