Skype Validator Welcome to the Skype Validator! This tool is designed to simplify and monitor your Skype for Business 2015 deployment and Lync Server 2010/2013. To use this tool, you must be logged in with your Microsoft Account (Live ID). Use the 'Sign In' button below to login to the Skype Validator and get started. You must be logged in with a Microsoft Account to save or view existing deployments. If you are already logged in and seeing this message, click the refresh button below. The following tools are available for a quick test outside any topology.
-->A trusted user is one whose credentials have been authenticated by a trusted server in Skype for Business Server. This server is usually a Standard Edition server, Enterprise Edition Front End Server, or Director. Skype for Business Server relies on Active Directory Domain Services as the single, trusted back-end repository of user credentials.
Authentication is the provision of user credentials to a trusted server. Skype for Business Server uses the following authentication protocols, depending on the status and location of the user.
MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services, which is why it cannot be used for authenticating clients outside the corporate firewall.
NTLM protocol for users with Active Directory credentials who are connecting from an endpoint outside the corporate firewall. The Access Edge service passes logon requests to a Director, if present, or a Front End Server for authentication. The Access Edge service itself performs no authentication.
Note
NTLM protocol offers weaker attack protection than Kerberos, so some organizations minimize usage of NTLM. As a result, access to Skype for Business Server might be restricted to internal or clients connected through a VPN or DirectAccess connection.
Digest protocol for so-called anonymous users. Anonymous users are outside users who do not have recognized Active Directory credentials but who have been invited to an on-premises conference and possess a valid conference key. Digest authentication is not used for other client interactions.
Skype for Business Server authentication consists of two phases:
A security association is established between the client and the server.
The client and server use the existing security association to sign messages that they send and to verify the messages they receive. Unauthenticated messages from a client are not accepted when authentication is enabled on the server.
User trust is attached to each message that originates from a user, not to the user identity itself. The server checks each message for valid user credentials. If the user credentials are valid, the message is unchallenged not only by the first server to receive it but by all other servers in the trusted server cloud.
Users with valid credentials issued by a federated partner are trusted but optionally prevented by additional constraints from enjoying the full range of privileges accorded to internal users.
The ICE and TURN protocols also use the Digest challenge as described in the IETF TURN RFC.
Client certificates provide an alternate way for users to be authenticated by Skype for Business Server. Instead of providing a user name and password, users have a certificate and the private key corresponding to the certificate that is required to resolve a cryptographic challenge. (This certificate must have a subject name or subject alternative name that identifies the user and must be issued by a Root CA that is trusted by servers running Skype for Business Server, be within the certificate's validity period, and not have been revoked.) To be authenticated, users only need to type in a personal identification number (PIN). Certificates are particularly useful for telephones, mobile phones, and other devices where it is difficult to enter a user name and password.
Cryptographic requirements due to ASP .NET 4.5
As of Skype for Business Server 2015 CU5, AES is not supported for ASP.NET 4.6 and this may cause Skype Meetings App to fail to start. If a client is using AES as the machine key validation value you will need to reset the machine key value to SHA-1 or another supported algorithm on the Skype Meetings App site level on IIS. If necessary, see IIS 8.0 ASP.NET Configuration Management for instructions.
Other supported values are:
HMACSHA256
HMACSHA384
HMACSHA512
The values AES, 3DES, and MD5 are no longer allowed, as they once were in ASP.NET 4. Cryptographic Improvements in ASP.NET 4.5, pt. 2 has more details.
This article describes the client preferences and defaults available for the Skype for Business on Mac client, and how to edit them from outside the App.
Microsoft Asking To Validate Identification For Mac Users For Skype Number
Skype for Business on Mac client preference settings
Certain features and behaviors that are available to Skype for Business on Mac clients are determined by preference settings on the client. The Skype for Business on Mac preferences are found in a file located on Macs that have installed the Skype for Business client located at the following path:
~/Library/Containers/com.microsoft.SkypeForBusiness/Data/Library/Preferences/com.microsoft.SkypeForBusiness.plist
To set these preferences, get to a terminal prompt on the client's Mac and as needed enter defaults write com.microsoft.SkypeForBusiness key commands using the preference keys described in the following table.
Client preference keys
| Key | Type | Value | Description |
|---|---|---|---|
| autoDetectAutoDicoveryURLs | Bool | 0 = manual server configuration 1 = automatic server detection (default) | Specify how Skype for Business identifies the transport and server to use during sign-in. If you enable this policy setting, you must specify internalAutoDiscoveryURL and externalAutoDiscoveryURL. |
| internalAutoDiscoveryURL | String | Full autodiscover URL | Internal autodiscover URL |
| externalAutoDiscoveryURL | String | Full autodiscover URL | External autodiscover URL |
| httpProxyDomain | String | HTTP Proxy Domain | |
| httpProxyUserName | String | HTTP Proxy Username | |
| httpProxyPassword | String | HTTP Proxy Password | |
| trustedDomainList | Array | List of trusted domains for HTTP redirects. | |
| autoAcceptTimeout | Number | 300 (default) | Auto-Accept timeout for users without Server-side Conversation History. |
| warnWhenUnknownLocationForE911 | Bool | 0 = Disabled 1 = Enabled | Warns the user when dialing an emergency number from an unknown location. |
| sipAddress | String | The SIP address (Email) used to sign-in to Skype for Business. | |
| userName | String | The UPN (UserName) used to sign-in to Skype for Business. | |
| userNameInAdvancedOnly | Bool | 0 = display the User Name field on the main sign-in screen and in the Advanced Properties dialog box 1 = display the User Name field only in the Advanced Properties dialog box (default) | Specify where the User Name field is displayed during sign-in. |
Usage examples
Microsoft Asking To Validate Identification For Mac Users For Skype Download
To add a single domain (Contoso.com) to the trusted domain list you would use the trustedDomainList key as shown:
defaults write com.microsoft.SkypeForBusiness trustedDomainList -array-add 'Contoso.com'
To add several domains to the trusted domain list you would use the trustedDomainList key as shown:
defaults write com.microsoft.SkypeForBusiness trustedDomainList -array-add 'sfb.com' 'abc.com' 'test.org'
Sample unedited settings
Microsoft Asking To Validate Identification For Mac Users For Skype Free
For reference, here is a sample settings file using default settings only: