Problems getting High-Resolution photos in Skype for Business with MA enabled

Scenario:

  • Skype for Business Server 2015 and Skype for Business Online (“split domain” hybrid configuration)
  • Exchange 2013 and Exchange Online (Hybrid)
  • Skype for Business Online and Exchange Online Configured/Enabled for Modern Authentication (Mixed 5 topology)
      • Note that users may see multiple prompts in some cases, notably where the MA state is not the same across all the server resources that clients may need and request, as is the case with all versions of the Mixed topologies.
        In some cases (Mixed 1, 3, and 5 specifically) the AllowAdalForNonLyncIndependentOfLync registry key must be set for proper configuration of Windows desktop clients.
  • All users hosted in Skype for Business On-Premises.
  • All users configured for Unified Contact Store (UCS)

 

Problem:

  • Users only have problems getting High-Resolution photos for contacts that have an Exchange mailbox On-Premises.
    • For those contacts, users can only see the Low-Resolution version of the contact photo.
  • Users don’t have problems with High-Resolution photos for contacts that have an Exchange mailbox Online.

 

Example of High-Res VS Low-Res:

Photo credits to “Jeff Schertz” from: http://blog.schertz.name/2015/10/high-resolution-photos-in-skype-for-business/

 

 

Solution:

  • Create two CsClientPolicies: one for the users with an Exchange mailbox On-Premises and another for the users with an Exchange mailbox Online.
    • Policy for users with Exchange Mailbox On-Premises: PolicyEntry : {Name=AllowAdalForNonLyncIndependentOfLync;Value=False}
    • Policy for users with Exchange Mailbox Online: PolicyEntry : {Name=AllowAdalForNonLyncIndependentOfLync;Value=True}
  • After implementing/granting the policies to the users, wait for replication to complete, and force the affected accounts to sign-out and sign-in for the settings to be properly applied.
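
The two policies and their assignment, sketched in PowerShell as an added example (not from the original post). The policy names, the CSV file and its columns are assumptions; only the entry name and its True/False values come from the steps above.

```powershell
# Run in the Skype for Business Server Management Shell (on-premises).
# Assumed names: the two policy names and the CSV path/columns are examples only.
$setting  = 'AllowAdalForNonLyncIndependentOfLync'
$policies = @{
    OnPremises = @{ Name = 'PhotoFix-ExchOnPrem'; Value = 'False' }
    Online     = @{ Name = 'PhotoFix-ExchOnline'; Value = 'True'  }
}

foreach ($p in $policies.Values) {
    $policy = Get-CsClientPolicy -Identity $p.Name -ErrorAction SilentlyContinue
    if (-not $policy) {
        # New policy carrying only the custom entry
        $entry = New-CsClientPolicyEntry -Name $setting -Value $p.Value
        New-CsClientPolicy -Identity $p.Name -PolicyEntry $entry | Out-Null
        continue
    }
    # Existing policy: update the entry in place, or add it, without
    # discarding other custom entries already on the policy.
    $current = $policy.PolicyEntry | Where-Object { $_.Name -eq $setting } |
        Select-Object -First 1
    if ($current) {
        $current.Value = $p.Value
    } else {
        $policy.PolicyEntry.Add((New-CsClientPolicyEntry -Name $setting -Value $p.Value))
    }
    Set-CsClientPolicy -Instance $policy
}

# Constructed input: one row per user, e.g.
#   SipAddress,MailboxLocation
#   sip:alice@contoso.example,OnPremises
#   sip:bob@contoso.example,Online
$users = Import-Csv -Path '.\mailbox-locations.csv'

foreach ($u in $users) {
    if (-not $policies.ContainsKey($u.MailboxLocation)) {
        Write-Warning "Skipping $($u.SipAddress): unknown location '$($u.MailboxLocation)'"
        continue
    }
    Grant-CsClientPolicy -Identity $u.SipAddress -PolicyName $policies[$u.MailboxLocation].Name
}

# Confirm which client policy each user now has
$users | ForEach-Object { Get-CsUser -Identity $_.SipAddress } |
    Select-Object SipAddress, ClientPolicy
```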

 

The setting “AllowAdalForNonLyncIndependentOfLync” can also be applied via registry keys. More details are in KB3082803.

 

More Information:

Client behaviour with the setting “AllowAdalForNonLyncIndependentOfLync;Value=TRUE”:

  • The Skype for Business Desktop or Lync 2013 clients will connect to Skype for Business Server by using NTLM or the Kerberos authentication protocol. Specifically, a user name and password or Windows Integrated Authentication will be required for a successful connection (as before).
  • After you sign in, Skype for Business or Lync 2013 will connect to Exchange Web Services (EWS). If the EWS service advertises OAuth settings (authorization URI), the client will use MFA. Additionally, if a credentials refresh is necessary, the user will be prompted through the modern authentication dialog box.

Client behaviour with the setting “AllowAdalForNonLyncIndependentOfLync;Value=FALSE”:

  • The Skype for Business Desktop and Lync 2013 clients connect to Skype for Business Server by using NTLM or the Kerberos authentication protocol, a user name and password, or Windows Integrated Authentication.
  • After you sign in, Skype for Business or Lync 2013 connects to the user’s mailbox in Exchange Online by using Exchange Web Services (EWS). Although the EWS service advertises OAuth settings (the authorization URI), the client ignores this and falls back to a non-MFA sign-in by using an OrgID channel. This limits sign-in protocols to a user name and password or to Windows Integrated Authentication.

 

Skype for Business topologies supported with Modern Authentication

https://technet.microsoft.com/en-us/library/mt803262.aspx

Configure the use of high-resolution photos in Skype for Business Server 2015

https://docs.microsoft.com/en-us/skypeforbusiness/deploy/integrate-with-exchange-server/high-resolution-photos

Configure the use of high-resolution photos in Skype for Business Server 2015

https://technet.microsoft.com/en-us/library/jj688150.aspx

Info about the AllowAdalForNonLyncIndependentOfLync setting in Skype for Business, Lync 2013, and Exchange Online

https://support.microsoft.com/en-us/help/3082803/info-about-the-allowadalfornonlyncindependentoflync-setting-in-skype-f