How to allow cross domain authorization in Microsoft Skype for Business
The Skype for Business web-based client embedded in the Contact Expert Portal requires a specific configuration in the Microsoft telephony backend to allow delegating the portal user authorization request from the web browser. This configuration is typically not performed on the Microsoft telephony system by default and therefore needs the following extra steps.
Please note that the following configuration settings are performed in the Microsoft telephony system (Skype for Business Server) and require sufficient administrative credentials.
Please also note that these settings will open security connections between the CE Core Host(s) and the Microsoft telephony systems. While Geomant makes every effort to ensure that its solutions will not themselves engage in any security violation, the actual configuration opens up communication channels that malware injected onto the CE Core Hosts by 3rd parties might exploit! Be aware and monitor 3rd party applications on the CE Core Hosts.
Step-by-step guide
- Log on to a Microsoft Skype for Business Server Frontend computer – or to a computer with the Microsoft telephony admin tools installed – with a user account having administrative privileges.
- Launch the SfB Management Shell in elevated mode.
Execute the following PowerShell cmdlets for every CE Core Host and for the HTTP and/or the HTTPS access methods:
$x = New-CsWebOrigin -Url "https://[your CE Core Host FQDN]"
Set-CsWebServiceConfiguration -Identity "Global" -CrossDomainAuthorizationList @{Add=$x}
Replace the "https://[your CE Core Host FQDN]" part with the FQDN of your particular CE Core Host.
Please also note that these cmdlets open an HTTPS (encrypted) connection. This requires all CE administrators to log on to the portal using the same HTTPS notation, which in turn mandates adding the HTTPS binding in the web server on the CE Core Hosts on top of the default HTTP (unencrypted) binding! It is, however, possible to execute the above cmdlets for both HTTPS and HTTP (unencrypted) connections. The latter does not require the extra web server binding steps, but it uses unencrypted communication that is more susceptible to exploitation by hostile parties.
Execute the above cmdlets as many times as the number of CE Core Host computers you intend to cover.
Use the following SfB PowerShell cmdlet to see the contents of the cross domain authorization list already established in the given Microsoft SfB Frontend pool:
Get-CsWebServiceConfiguration | select -ExpandProperty CrossDomainAuthorizationList
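To support the monitoring advice above, the list returned by that cmdlet can be compared against the CE Core Hosts you intended to allow. The following is an added example, not part of the original guide or of any Geomant or Microsoft tooling; the function name, host names and sample URLs are constructed, and the commented-out live query assumes each list entry exposes its address in a Url property.

```powershell
# Added example, not vendor code. Host names and URLs below are constructed.
function Test-CrossDomainOrigin {
    param(
        [string[]]$ConfiguredUrls,  # URLs currently in CrossDomainAuthorizationList
        [string[]]$ExpectedHosts    # FQDNs of the CE Core Hosts you meant to allow
    )
    $seenHttps = @()
    foreach ($url in $ConfiguredUrls) {
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            [pscustomobject]@{ Entry = $url; Finding = 'Not an absolute URL' }
            continue
        }
        if ($ExpectedHosts -notcontains $uri.Host) {
            $finding = 'Unexpected origin (not a listed CE Core Host)'
        } elseif ($uri.Scheme -eq 'https') {
            $finding = 'OK'
            $seenHttps += $uri.Host
        } else {
            $finding = 'Listed host allowed over unencrypted HTTP'
        }
        [pscustomobject]@{ Entry = $url; Finding = $finding }
    }
    # Expected hosts that have no HTTPS origin on the list
    foreach ($h in $ExpectedHosts) {
        if ($seenHttps -notcontains $h) {
            [pscustomobject]@{ Entry = $h; Finding = 'No HTTPS origin configured' }
        }
    }
}

# Constructed sample input so the function can be tried outside the SfB shell.
$sampleUrls = @(
    'https://cecore01.example.test',
    'http://cecore02.example.test',
    'https://intranet-wiki.example.test'
)
$ceCoreHosts = @('cecore01.example.test', 'cecore02.example.test')
Test-CrossDomainOrigin -ConfiguredUrls $sampleUrls -ExpectedHosts $ceCoreHosts | Format-Table -AutoSize

# In the SfB Management Shell, feed the live list instead (assumes each entry
# exposes its address in a Url property):
# $live = Get-CsWebServiceConfiguration -Identity "Global" |
#     Select-Object -ExpandProperty CrossDomainAuthorizationList |
#     ForEach-Object { $_.Url }
# Test-CrossDomainOrigin -ConfiguredUrls $live -ExpectedHosts $ceCoreHosts
```

With the sample input, the second entry is reported as allowed over unencrypted HTTP, the third as an unexpected origin, and cecore02 as lacking an HTTPS origin.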