Skype for Business continuously asking for user credentials when NAM is acting as Identity Server

  • 7017427
  • 30-Mar-2016
  • 30-Mar-2016

Environment

NetIQ Access Manager 4.2
Office 365
Skype for Business (SfB) users

Situation

Access Manager 4.2 is set up as an Identity Server (IDP) for Office365 using the ws-trust and ws-federation protocols. All services appear to work fine, i.e. when users access Office365 services and enter their usernames, they are redirected to the NAM IDP server to authenticate before being sent back to the Office365 services they need to access.

There is one exception - when users access the Skype for Business application from their desktops and are asked to log in, the credentials are not accepted and the user is continuously asked for their credentials without any error. When accessing Skype for Business from a mobile client, all works fine.

Cause

There is an issue with the mex.jsp page that ships with NAM 4.2. The page references an invalid endpoint that the client needs to access, e.g.

  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async" binding="tns:UserNameWSTrustBinding_IWSTrustFeb2005Async">
      <soap12:address location="https://nam42sba.lab.novell.com/nidp/wstrust/sts/mex/active12 "/>
      <wsa10:EndpointReference>
        <wsa10:Address><%=com.novell.nidp.NIDPContext.getNIDPContext().getBaseUrl() %>wstrust/sts/mex/active12</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>

where https://nam42sba.lab.novell.com/nidp is the baseURL of my IDP server.


Resolution

Manually edit mex.jsp and change the reference from sts/mex/active12 to sts/active12, so that in the above example it uses https://nam42sba.lab.novell.com/nidp/wstrust/sts/active12.

A defect is opened on this and will be fixed in 4.2.2.
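
One way to verify the edit is to check the rendered metadata document for endpoint addresses that still point at the sts/mex/ path. This is an added example, not part of the original article or NetIQ's code; the host idp.example.com, the sample document and the function name check_mex are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "wsa10": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample of rendered mex output with the faulty address
# (idp.example.com is a placeholder host, not from the article).
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async">
      <soap12:address location="https://idp.example.com/nidp/wstrust/sts/mex/active12 "/>
      <wsa10:EndpointReference>
        <wsa10:Address>https://idp.example.com/nidp/wstrust/sts/mex/active12</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def check_mex(xml_text):
    """Return (port name, problem) pairs for every suspicious endpoint address."""
    findings = []
    root = ET.fromstring(xml_text)
    for port in root.iterfind(".//wsdl:port", NS):
        name = port.get("name", "?")
        # A port advertises its address twice: soap12:address and wsa10:Address.
        addrs = [a.get("location", "") for a in port.iterfind("soap12:address", NS)]
        addrs += [a.text or "" for a in port.iterfind(".//wsa10:Address", NS)]
        for raw in addrs:
            if raw != raw.strip():  # hygiene check only
                findings.append((name, "whitespace around address"))
            if "/wstrust/sts/mex/" in raw:
                findings.append((name, "points at metadata path: " + raw.strip()))
        if len({a.strip() for a in addrs}) > 1:
            findings.append((name, "soap12 and wsa10 addresses differ"))
    return findings


if __name__ == "__main__":
    for port, problem in check_mex(SAMPLE_MEX):
        print(port, "->", problem)
```

Save the metadata document the IDP serves to a file and pass its contents to check_mex; an empty list means no port still advertises the sts/mex/ address.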