Professional Documents
Culture Documents
Communicator Web
Access
(2007 release, Public
Beta)
Authentication Guide
Published: March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of
the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying
with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Mobile, Windows Server, Windows Vista, Active Directory, Internet Explorer, MSDN, Outlook,
SharePoint, Visual Studio, and Win32 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
Overview
Communicator Web Access (2007 release) has been developed and tested with code implementations
added to the 2005 release of Communicator Web Access for enabling automatic sign-in, including
single sign-on (SSO). Many of the changes to the 2005 release that enable automatic sign-in are
changes made to the underlying Communicator Web Access authentication mechanisms.
The Communicator Web Access (2007 release) AJAX Service API is one of five Unified
Communications APIs available to ISVs to help them quickly and easily provide real time
communications solutions to their customers. The five Unified Communications APIs are shown in the
next table.
Table 1: Unified Communications APIs
Unified Communications API Description
A .NET Framework-based (managed) API for
creating and deploying server-like or middle-
tiered real-time communications applications. It
Unified Communications Managed
is especially useful for application with high
API (UCMA)
scalability requirements. Communicator Web
Access is a server-based application that uses
UCMA.
A COM-based API for creating and deploying
client side real-time collaboration applications. It
Unified Communications Client is interoperable with the .NET Framework and is
Platform API useful for applications with high requirements
for device performance. Office Communicator is
a desktop client built on UCCP.
2 | Microsoft Office Communicator Web Access Authentication Guide
Understanding Authentication
Independent software vendors (ISVs) can use the Communicator Web Access (2007 release) AJAX
Service SDK, the Communicator Web Access (2007 release, Public Beta) API, and the Web server
controls to rapidly and easily:
• Deploy Communicator Web Access out of the box using built-in authentication
• Integrate enhanced presence provided by the AJAX Service API and the Communicator Web
Access controls
• Provide interoperability between enhanced and legacy clients
• Integrate and build custom Communicator Web Access controls
• Develop custom conferencing and call routing applications
• Provide an SSO experience using custom authentication
• Provide two factor authentication using custom authentication
Authorization| 3
• Build a custom user interface (UI ) to meet their customer’s specific needs
For example, you can combine customer relationship management (CRM), Web-based portal, and
enterprise resource planning (ERP) systems within a Web-based portal to meet your customers’ needs.
You can use the Communicator Web Access API to create the following:
• Browser-based applications
• Standalone network applications
• Platform-agnostic applications running on the Microsoft Windows® operating system, or on
UNIX, Linux, Mac OS, or Berkeley Software Distribution (BSD)
• Language-agnostic applications using Microsoft .NET or open-source implementations (Mono),
native C/C++ applications running on Linux or one of the BSD operating systems, JavaScript,
Perl, C#, etc
• Mobile device applications
• Custom Authentication mechanisms for any of the above
Some advantages to Web-based solutions that expose multiple systems and applications are:
• Web-based solutions can provide common functionality to a wide variety of operating systems
and hardware or software platforms.
• Users can access Web-based solutions through a browser without having to install additional
software on their computers.
• Frequent updates to the user interface or functionality of back-end applications are usually
transparent to the Web-based solution.
You must deploy Office Communicator Web Access (2007 release) and Office Communications Server
2007 at a minimum to support your applications using one or more of the following authentication and
integration methods:
• Built-in Authentication
• Integrated Windows authentication (NTLM/Kerberos) only – only available for internal users
who have an account in the Active Directory® Domain Services.
• Forms-based authentication only – required for external users and optional for internal users
• Integrated Windows and Forms-based authentication – for internal deployments with the
Windows Internet Explorer® Internet browser and the Mozilla Firefox browser.
• Quick Sign-In
• Custom Authentication
• Single Sign-On (SSO) Authentication
o Microsoft ISA Server 2006 SSO solution
• Third Party Authentication
• Two Factor Authentication
These authentication methods can be implemented to access the API, either via the AJAX Service or
the Communicator Web Access controls. The reference topology is shown in the next figure.
4 | Microsoft Office Communicator Web Access Authentication Guide
Available authentication mechanisms by operating system and browser are shown in the next table.
Table 2: Authentication matrix
Authentication Flow
The authentication request must be made first before any other requests in a session. The
authentication method is the only request method which cannot have a rid attribute. The URL that is
used by each authentication mechanism is different. The URL can be used to authenticate a user with
the Communicator Web Access service using one of the following authentication schemes:
• Integrated Windows authentication in which the credentials from the user's Windows account is
used to have the user authenticated. The URL for such a request is of the
"https://server.contoso.com/iwa/logon.html".
• Form-based authentication in which the user must provide their credentials explicitly in order to
be authenticated. The URL used for such a request is of the
"https://server.contoso.com/forms/logon.html".
• Single Sign-On (SSO) The URL for such a request is of the
"https://server.contoso.com/sso/logon.html".
When the request is successful, the server creates an authentication ticket and returns it to the client via
a special HTTP header (named "CWA-Ticket") in the HTTP response. The caller must cache this ticket
and submit it, as the CWA-Ticket header, in all subsequent HTTP requests throughout the session.
The ticket will expire after a server-specified time period. The Communicator Web Access service will
issue a new ticket when that time period expires. The client must watch for the new ticket in the HTTP
responses from both the command and data channels. The client cache must be updated after receiving
a new authentication ticket. This new ticket will be used in all HTTP requests made to the command
and data channels until the next update of the ticket. If the authentication ticket is not returned, the
Logon request has failed.
The rest of this guide discusses the various authentication and integration methods that can be used.
Companion documents to be used with this guide for more detailed information, include the following:
• Microsoft Office Communicator Web Access (2007 release) AJAX Service SDK
6 | Microsoft Office Communicator Web Access Authentication Guide
• Microsoft Office Communicator Web Access (2007 release) Guide to Lab Deployment
• Microsoft Internet Security and Acceleration (ISA) Server 2006 documentation
single sign-on users are challenged for authentication credentials only if the sign-in request is an
HTTPS root request or it is a sign-in request after a failed authentication attempt. If the user has
already been authenticated, the user is not challenged again for access to Communicator Web Access
(2007 release). ISA Server 2006 can be deployed either as a workgroup member, or a domain member
when providing SSO.
Built-in Authentication
Built-in authentication is authentication supported by Communicator Web Access without
modification, other than the initial setup and configuration. Built-in authentication includes Integrated
Windows authentication and Forms-based authentication.
Quick Sign-In
When using Integrated Windows authentication, Communicator Web Access users can authenticate
using Quick Sign-in. For example, with Quick Sign-in, a user can enter the following URI to access
Communicator Web Access:
• https://server.contoso.com/quicksignin
The following two settings in the Internet Explorer browser are required:
• The Automatic logon only in Intranet zone radio button must be selected on the Security
Settings – Local Intranet Zone page
• The Communicator Web Access server URL must be added to the Local Intranet zone.
The domain user account that the user is logged on to the local computer is the account that is used for
Quick Sign-In.
When the user is already authenticated through Integrated Windows authentication, Communicator
Web Access will open immediately with no further authentication requests. This is beneficial to
frequent users that bookmark Communicator Web Access as https://server.contoso.com/quicksignin.
Selecting the bookmark enables the user to sign-in without providing credentials, thereby providing a
better user experience.
For remote users, and supported browsers that don’t support Integrated Windows authentication, the
forms-based authentication window will appear.
Quick Sign-in does not work with forms-based authentication.
Note Using these URIs to code quick sign-in from other Web applications is
not a supported scenario and may result in unexpected behavior.
Forms-based Authentication
Clients that use forms authentication submit a user’s credentials (domain, user name, and password) in
plain text within the sign-in request. To provide compatibility with a variety of different Web browsers
and to support all scenarios, Communicator Web Access supports Forms-based authentication. When
8 | Microsoft Office Communicator Web Access Authentication Guide
providing remote users with access to Communicator Web Access from across an enterprise firewall,
Forms-based authentication is the only form of authentication supported. Because credentials are in
plain text, using secure HTTP (HTTPS) and certificates is imperative for security. Forms-based
authentication can also be used for internal user access, and is required for use of some browsers such
as Mozilla Firefox with Communicator Web Access.
Custom Authentication
Custom authentication is any authentication other than Integrated Windows authentication or forms-
based authentication provided by Communicator Web Access built-in authentication. Examples of
custom authentication include single sign-on, third party plug-in authentication solutions, and two
factor authentication. Custom authentication can be used for both internal and external virtual servers.
Single Sign-On
ISVs creating Web-based portal solutions want to provide an optimal sign-on experience for their
users. Ideally, when a user signs into one of the applications, the sign-in information can be used for
other applications so that the user does not have to manually provide credentials again. This is
automatic sign-in. Single Sign-On (SSO) is one type of automatic sign-in. Automatic sign-in is the
process by which, after successful initial authentication to another ISA Server Web published site,
subsequent sign-in to Communicator Web Access (2007 release) occurs without requiring the user to
provide credentials again. The following are examples of scenarios in which single sign-on provides an
optimal user sign-in experience:
Authorization| 9
• A user wants to use other ISA Server Web published applications in addition to Communicator
Web Access (2007 release), for example, Microsoft Office Outlook® Web Access and Microsoft
Office SharePoint® portal services. If the user has already provided his or her credentials when
signing in to Outlook Web Access, the user should not have to provide his or her credentials again
when accessing Communicator Web Access.
• A user wants to access Web Services in a portal that aggregates information from several different
back-end systems. For example, a financial portal may provide Communicator Web Access (2007
release) Instant Messaging in addition to several other services, such as account balances and
other transactions. The user should be able to authenticate once and then have access to all parts of
the portal.
ISA Server 2006 also supports Two Factor Authentication. See the ISA documentation for details.
Sign-Out URL
If your custom authentication solution requires a virtual directory (vdir) and files on the
Communicator Web Access server, you must allow anonymous access on that vdir. Use the Sign-Out
URL field to specify an optional sign-out URL.
Figure 3: Sign-Out URL
The authentication token provided by the SSO server is stored on the client machine in the form of a
cookie. If the Communicator Web Access client is browser based, closing the browser will delete the
cookie. Otherwise, the expiration time value of the cookie will enforce its invalidation. It is strongly
suggested that at the time a user has logged off Communicator Web Access, they visit the URL
designated as the sign-out page by the SSO server. A visit to this page will result in the clearing of any
authentication cookies stored on the client. This step is particularly important when the Communicator
Web Access client is not browser based. The desktop based Communicator Web Access client
application is responsible for clearing the authentication cookie with a visit to the sign-out page.
ISA Server 2006 can be used to provide SSO for Communicator Web Access users accessing a virtual
server using custom authentication. The ISA Server 2006 server publishing the virtual server must be
deployed in the perimeter network, and it is recommended that the ISA server be a workgroup
member, not a domain member server. Configuration of the ISA server to use SSL (HTTPS) when
publishing the external site is the only supported configuration. Configuring ISA to use HTTP on the
published external site is not supported for Communicator Web Access (2007 release).
Although Communicator Web Access (2007 release) uses a session ticket instead of cookies, many of
the enterprise applications you might use in your solution, such as Windows SharePoint Services
(WSS) and ISA Server 2006 enabled for SSO, use cookies.
Note
ISA Server 2006 uses cookies to enable single sign-on.
The next figure shows the SSO traffic flow for the ISA Server 2006 solution.
Authorization| 11
3. The user enters credentials for the ISV application, and clicks Log On, which sends the traffic to
ISA Server 2006.
4. On behalf of the client, ISA Server 2006 caches the credentials in a cookie on the local computer
and then sends the traffic to the ISV SharePoint server, which authenticates the user.
5. The ISV SharePoint server sends the client-response back to ISA Server 2006.
6. ISA Server 2006 forwards the response to the client, which, for example, displays the ISV’s
solution default page, containing a link to Communicator Web Access (2007 release).
7. The user clicks the Communicator Web Access (2007 release) link, which sends the request to ISA
Server 2006.
8. ISA Server 2006, using the credentials cached on ISA Server 2006 after the initial authentication
with ISA, and on behalf of the client, logs on to Communicator Web Access.
9. Communicator Web Access authenticates the client and attaches an authentication ticket to the
response, and sends the response with the authentication ticket to the client, by way of ISA Server
2006.
10. ISA Server 2006 forwards the response back to the client, and displays, for example, the
following:
With only one set of credentials during initial authentication with the SharePoint server in this
example, Communicator Web Access (2007 release) authentication was done without the need for
the user to enter her credentials again.
Subsequent authentications for SSO-aware applications, which are marked as N in Figure 4, are done
in the same way.
On the Advanced Form Options page (Figure 6), from the Use Persistent Cookies options list, select
the option to use persistent cookies on all computers, or only on private computers, and select the
Ignore browser’s IP address for cookie validation check box. Doing so will provide your users with
a single sign-on experience for multiple browser instances.
The Forms tab is where you to specify an SSO credentials challenge page that you have custom-built
for your solution, instead of the default ISA Server 2006 forms page.
Credentials Caching
In a single sign-on scenario, a user’s credentials are cached in memory on ISA Server 2006 and are
then reused whenever the user accesses one of the other Web services.
Session Timeouts
When a user accesses multiple Web-based services simultaneously, each application may have its own
default timeout period. Allowing each application to initiate a session timeout could result in a
frustrating user experience. To prevent multiple user sign-ins that would result, the single sign-on
solution, and not the individual applications, should control session timeouts.
Subsequent Sign In
For situations in which the user’s session times out, Communicator Web Access provides a Sign In
Again button. However, when the Sign In Again button is clicked after a session timeout, ISA Server
2006 prompts the user to reenter his or her credentials, because the cached credentials have expired.
You use the Microsoft.Rtc.WebControl.LoginCtrl.LogonByIWA method to sign the user in to
Communicator Web Access through SSO-enabled ISA Server 2006. This logon method should only be
used if SSO-enabled ISA Server 2006 is deployed in front of the ISV server and the Communicator
Web Access server. This method assumes that the client has already logged on to the ISV site through
SSO-enabled ISA Server 2006.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/77b95fc9-e7de-471a-
8de9-fee27c816cc3.asp
Once you have built the plug-in ISAPI filter, you must load it in IIS using the procedure at:
http://support.microsoft.com/kb/150312.
these servers, services, or sites and the browsers maintain separate credential caches for each different
website.
To give an example of the logon flow here, the user contoso\bob first accesses the SharePoint Web site.
The browser receives an Integrated Windows authentication challenge and is automatically
authenticated using the identity of contoso\bob since he is logged on to the local machine. Included in
the SharePoint HTML response is the URLs that request the UI controls from the Communicator Web
Access server. As the page is being rendered by the browser and it requests content from the server,
Integrated Windows authentication is again challenged for credentials, this time from a different
website. The browser once again will use credentials for contoso\bob to successfully authenticate.
This type of control authentication relies on domain users being logged on to their machines with their
domain user account and it also relies on the default Integrated Windows authentication mechanism
being enabled for Internet Explorer on the client machine. Therefore, it might not be ideal for all
situations. For example, if contoso\bob is logged onto his machine as a local administrator and
accesses SharePoint, the logon flow changes. Bob first will be prompted for domain credentials from
SharePoint. Upon entering his correct domain credentials, Bob will once again be prompted for
credentials from Communicator Web Access. This is not an optimal user experience, and also
introduces the possibility for the user to use different accounts and credentials to log on to different
Web sites existing within the same Web page. In this scenario, integrating the controls with the server
proxying authentication might be a better choice.
The benefits of Passback authentication are relative ease of implementation and possible server load
reduction. However, the fact that credentials are passed in plain text must be considered by the
application developer.
ibers
deleteGroup deleteContact conference initiateImSession
initiateSession terminateSession logon logoff
acceptImSession terminateImSession sendInfo sendMessage
notifyComposing inviteParticipants updateContact updateGroup
publishRawCategori ejectParticipant promoteParticipant Lock
es
voIPRedirect voIPTerminate voIPRedirectToVoice voIPReplyWithIM
mail
queryPresence updateContainer publishSelfPresence subscribePresence
unSubscribePresenc search
e
The following code snippet gives an example.
<cwaRequests xmlns="http://schemas.microsoft.com/2006/09/rtc/cwa">
<initiateSession rid="1">
<securityMode>private</securityMode>
<userStateAvailability>3500</userStateAvailability>
<options autoPublishMachineState="true"</options>
</initiateSession>
< queryPresence rid="2">
<uris>
<uri>sip:bob@contoso.com</uri>
<uri>sip:carol@contoso.com</uri>
</uris>
</queryPresence>
</cwaRequests>
For details, see the Communicator Web Access (2007 release) AJAX Service API SDK
Testing Authentication
Implementations
This section discusses using the SDK to test your authentication solution.
Communicator Web Access provides an AJAX Service API, Communicator Web Access Controls, and
an SDK. These items provide the ISV with a starting point for developing applications that access the
Communicator Web Access AJAX Service API and integrate the controls. The API and controls enable
customers and ISVs to develop applications with enhanced presence conferencing. The SSO capability
of the combination of Communicator Web Access and ISA Server 2006 enables customers and ISVs to
develop applications with an SSO experience for their customers.
Any integrated development environment can be used to develop these applications. However, some of
the SDK code samples require the Microsoft Visual Studio® 2005 integrated development
environment.
AJAX stands for Asynchronous JavaScript and XML. It is a programming model for building
interactive Web applications. Communication between a client and server uses standard HTTP and
HTTPS request and response transactions. Supported transport formats are XML, JSON (JavaScript
Object Notation), or plain text. Unlike the traditional HTTP programming practice, an AJAX
transaction does not require that an entire Web page be transported over the wire for every change on a
Web page. The server provides modularized functionality through different access channels that are
exposed as different URLs on the same Web site. Communicator Web Access (2007 release) AJAX
Service API supports applications that use the AJAX programming model.
Communicator Web Access (2007 release) provides an AJAX Service application programming
interface (API) that publicly exposes methods and events for Communicator Web Access (2007
release). ISVs can develop applications by following the AJAX programming patterns. Various
programming languages, platforms, and operating systems, are supported. The Communicator Web
Access AJAX Service API uses XML as the data format and supports modularized access of the
following functionality:
• A Communicator Web Access AJAX Service API client signs in to Communicator Web Access by
using Forms-based authentication.
• A Communicator Web Access AJAX Service API client signs in to Communicator Web Access
using Integrated Windows authentication.
• A Communicator Web Access AJAX Service API client signs in to Communicator Web Access by
using single sign-on authentication.
• The AJAX client posts methods to Communicator Web Access.
Authorization| 21
user, and starting an IM conversation. Help utilities are also provided to support robust event handling
and error discovery.
Customers and ISVs can use the Communicator Web Access controls to integrate presence and Instant
Message features into their own Web-based applications. The Communicator Web Access Controls can
be used for:
• Enabling presence viewing from a Web page: A Web page can embed a presence control in an
HTML page to display the presence of a tracked user by simply dropping a presence control
instance to the HTML page and setting the appropriate SIP URI.
• Implementing cross-platform browser support
• Using the rapid application development paradigm
• Developing enhanced authentication experience applications
Integrating the Communicator Web Access Controls does not require deployment of any
Communicator Web Access (2007 release) files onto the ISV server. However, the ISV must add script
tags to their web pages in order to download the Communicator Web Access Controls. The client script
on the ISV Web site is also responsible for calling the entry point in the controls to pass any necessary
initialization parameters and begin execution.
You can use a number of sign-in methods when integrating the Communicator Web Access Controls
within your custom solutions. Communicator Web Access (2007 release) supports implementations
using the following:
• Parallel Integrated Windows authentication
• Passback authentication
• Proxy authentication
• Forms-based or Integrated Windows authentication for Automatic sign-in
Communicator Web Access controls use the JavaScript object XmlHttpRequest to send HTTP requests
to Communicator Web Access and to receive the corresponding HTTP responses. To minimize the
security concerns involved in cross-domain scripting, Internet Explorer enforces the same-origin safety
check on an XmlHttprequest instance to prevent the object from accessing resources residing in a
domain different from the one hosting the calling script.
<script src="http://app/WebControls/code.aspx"></script>
Or
<script src="http://202.3.4.5/WebControls/code.aspx"></script>
• Users must access the ISV Web site using the fully qualified domain name, for example,
http://appHost.contoso.com. Do not use NetBIOS name, IP address or "localhost", for example,
http://appHost, http://202.3.4.5 or http://localhost.
The above restrictions do not apply when an ISV Web site uses server proxy or server HTTP
redirection to handle the cross-domain request. In this situation, the ISV Web site and the server Web
site are considered to be within the same domain as far as the client is concerned. In this situation, a
client application must provide the server proxy path when calling the controls’ Initialize function.
Users who have already been authenticated should be able to access Communicator Web Access
functionality without being prompted again for credentials. The single sign-on capabilities in
Communicator Web Access make this experience possible. Enabling the single sign-on authentication
method removes the requirement for users to sign in to each part of the portal individually.
The subsequent sign-in is achieved by using the LogonByForm and LogonByIWA methods of the
Microsoft.Rtc.WebControl.LoginCtrl control, and cached credentials on ISA Server 2006, which is
required when SSO is enabled on the Communicator Web Access external virtual server.
When a control is used to interact with Communicator Web Access, user input of the credentials every
time the connection is made would be required in the absence of automatic logon. This would
downgrade the usability of the application. To maintain a high level of usability, automatic logon
should be used.
Another option for using Communicator Web Access Controls to login to Communicator Web Access
is to use the LogonByFORM, LogonByIWA or LogonBySSO methods on the
Microsoft.Rtc.WebControl.LoginCtrl control. The LogonByFORM method requires the input of user
credentials, whereas the other two methods do not. All the three methods are asynchronous. The caller
must provide a callback function in each method call in order for the control to return the result,
namely, a valid session ticket if the user is successfully signed in or an error if the user failed to sign
in. Once the ticket is obtained, it is used to initialize the presence control.
By default, connection is made directly to Communicator Web Access in which the controls are
hosted. In the situation where the connection must go through a proxy, the initialization must be called
explicitly on the proxy server.
When logon finishes, the Communicator Web Access Control will call this function with the following
input parameter:
• ticket: it will be null, if logon failed.
• error: it will be null, if logon succeeded.
For complete code samples and detailed explanation, see the Communicator Web Access (2007
release) AJAX Service SDK.
Note
The Web Controls do not render correctly in a frameset when
viewed in the Safari browser.
Authorization
As a result of a change to the Office Communications Server 2007 schema, Communicator Web
Access (2007 release) no longer must retrieve a user’s SIP URI during sign-in. This means that the
user name and password are the only pieces of information that need to be provided during sign-on.
24 | Microsoft Office Communicator Web Access Authentication Guide
Because Communicator Web Access (2007 release) does not require users to enter their SIP address
when signing in, Communicator Web Access can use the same set of credentials that are used to sign
into other applications. This ability to reuse credentials allows Communicator Web Access to be used
in conjunction with automatic sign-in solutions.
The user must be enabled for Microsoft Office Communications Server 2007 and for remote access in
the Active Directory Users and Computers snap-in for internal and remote access, respectively.