{"id":1562,"date":"2014-07-21T13:03:13","date_gmt":"2014-07-21T13:03:13","guid":{"rendered":"https:\/\/modern-workplace.uk\/\/?p=1562"},"modified":"2014-07-21T13:32:52","modified_gmt":"2014-07-21T13:32:52","slug":"lync-passive-authentication-getting-hands-dirty","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=1562","title":{"rendered":"Lync Passive Authentication: Getting Your Hands Dirty"},"content":{"rendered":"<p><strong>Disclaimer<\/strong>: I always \u201ceat my own dog food\u201d. Right now I am working on a Packt book and one of the topics is Lync Passive Authentication. Before writing about this topic I have built a complete lab (honestly, more similar to a scaled down production environment) to test it. The following are my finding about the aforementioned feature.<\/p>\n<hr \/>\n<h3>Intro and Scenario<\/h3>\n<p>Starting with version 5.2 of the Lync 2013 mobile clients (October 2013), Microsoft has added support for passive authentication to Lync 2013. The aforementioned feature is important because it enables forms based authentication (built on Active Directory Federation Services \u2013 ADFS) and it is a starting point for the use of additional authentication mechanisms (for example, two factors authentication).<\/p>\n<p>The basic steps are well outlined in the Jens Trier Rasmussen\u2019s TechNet blog <span style=\"color: #3366ff;\"><em><a href=\"http:\/\/blogs.technet.com\/b\/jenstr\/archive\/2013\/10\/09\/microsoft-lync-2013-for-mobile-and-passive-authentication.aspx\"><span style=\"color: #3366ff;\">Microsoft Lync 2013 for Mobile and Passive Authentication<\/span><\/a><\/em><\/span><\/p>\n<p>A theoretical explanation of the feature is available on the TechNet site <span style=\"color: #3366ff;\"><em><a href=\"http:\/\/blogs.technet.com\/b\/nexthop\/archive\/2013\/10\/08\/lync-server-2013-certificate-authentication-and-passive-authentication-support-for-lync-2013-mobile-applications.aspx\"><span style=\"color: #3366ff;\">Lync Server 2013 Certificate Authentication and Passive Authentication support for Lync 2013 Mobile applications<\/span><\/a><\/em><\/span><\/p>\n<p>What I am going to examine here are the real-world challenges I have found, trying to make everything work.<\/p>\n<p>The deployment I used is the one you can see in the following picture<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lab_outline.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1563 size-large\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lab_outline-1024x565.jpg\" alt=\"Lab_outline\" width=\"720\" height=\"397\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lab_outline-1024x565.jpg 1024w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lab_outline-300x165.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lab_outline-150x82.jpg 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lab_outline.jpg 1042w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Notes<\/strong>: All the servers are Windows 2012 R2. The IIS Application Request Routing (IIS ARR) used is version 3.0<\/p>\n<p>All the IPs of the DMZ network (in the explanation, I will use address on the subnet 10.0.0.X) are published using a NAT.<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h3>Lessons Learned the Hard Way<\/h3>\n<h4>Certificates<\/h4>\n<p>A commonly used solution is to use IIS ARR to publish both Lync \u201cSimple URLs\u201d, ADFS and Office Web Apps (OWApp). It is possible to achieve the aforementioned results in two different ways:<\/p>\n<ul>\n<li>A SAN certificate including all the FQDN of the aforementioned services and listening on a single IP<\/li>\n<li>Multiple certificates (for example one for Lync, one for OWApp and one for ADFS) with multiple public IP listening on the IIS ARR for the different services<\/li>\n<\/ul>\n<p>Other solutions that I do not recommend, may include using a wildcard certificate or listening on non-standard ports on a single public IP (one port for every certificate).<\/p>\n<p>I have preferred using the first solution. I created the CSR with the usual DigiCertUtil and defined it in the following manner<\/p>\n<p><strong><span style=\"color: #ff9900;\"><em>Subject<\/em>:<\/span><\/strong><\/p>\n<ul>\n<li>Madhatter.absoluteuc.biz \u00a0 \u00a0 \u00a0 Public FQDN of my Standard Edition (S.E.) Lync server<\/li>\n<\/ul>\n<p><strong><span style=\"color: #ff9900;\"><em style=\"font-family: sans-serif; font-size: medium; font-variant: normal; line-height: normal;\">Subject Alternative Name:<\/em><\/span><\/strong><\/p>\n<ul>\n<li>madhatter.absoluteuc.biz \u00a0 \u00a0 \u00a0 \u00a0Public FQDN of my Standard Edition (S.E.) Lync server (again)<\/li>\n<li>adfs1.absoluteuc.biz \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Public FQDN the AD FS<\/li>\n<li>lyncdiscover.absoluteuc.biz \u00a0 \u00a0 Public FQDN for the auto-discover service<\/li>\n<li>meet.absoluteuc.biz \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Public FQDN for simple URL of Lync<\/li>\n<li style=\"text-align: left;\">whiterabbit.absoluteuc.biz \u00a0 \u00a0 \u00a0 Public FQDN for OWApps<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Notes<\/strong>:<\/p>\n<ul>\n<li>Right now I am not going to use the dialin or the admin simple URLs in the lab. In a production deployment you should add (at least) dialin<\/li>\n<li>I used a public Certification Authotity (C.A.) for my certificates, because testing from mobile clients is always a painful process with a deployment certificated from an internal C.A.<\/li>\n<li>This certificate is the same I used on the Lync S.E. for the Web Services \u2013 External. That is why the FQDN of the S.E. is both in the subject and in the subject alternative name.<\/li>\n<\/ul>\n<p><span style=\"font-size: 8pt;\">\u00a0<\/span><\/p>\n<h4>AD FS<\/h4>\n<p>AD FS setup, using the Windows 2012 R2 wizard is not too complex. A pair of important notes:<\/p>\n<ul>\n<li>It makes everything simpler to have the aforementioned SAN certificate ready when you are going to enable AD FS on your server. The wizard will require an FQDN and a certificate, so it makes sense to start directly with the solution you will use for real<\/li>\n<li>The TechNet guide uses two different Relying Party Trusts , one for connections from internal clients and one for external ones (see the following picture from my AD FS, Gryphon)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/LyncPass01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1565\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/LyncPass01.jpg\" alt=\"LyncPass01\" width=\"640\" height=\"92\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass01.jpg 893w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass01-300x43.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass01-150x21.jpg 150w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>You CAN\u2019T fool AD FS, pointing the internal and the public FQDN for your S.E. server to the same IP. AD FS actually checks the URLs you insert and is aware of a \u201cduplication\u201d. Solutions are:<\/p>\n<p style=\"padding-left: 30px;\">o\u00a0\u00a0 Hairpinning the public FQDN to the internal IP of the IIS ARR<\/p>\n<p style=\"padding-left: 30px;\">o\u00a0\u00a0 Poining the public FQDN to the public IP (the one you used to NAT the DMZ\u2019s IP of your IIS ARR).<\/p>\n<p>I have preferred to use the hosts file on the IIS ARR to point it to the public IP. Basically, I tried a few times to hairpin meeting a series of issues, so I have preferred the easier way \ud83d\ude42<\/p>\n<p><span style=\"font-size: 8pt;\">\u00a0<\/span><\/p>\n<h4>Lync Registration Process<\/h4>\n<p>The main caveat here is that using passive authentication is a process you activate at the Lync POOL level. Not all the clients are compatible with passive authentication. I have copied the following table from a really good article <a href=\"http:\/\/techmikal.com\/2014\/02\/20\/lync-passive-authentication-with-two-factor-authentication-part-i\/\">Lync Passive Authentication with two-factor authentication \u2013 Part I<\/a> on the Techmikal blog<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/LyncPass02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1566 size-full\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/LyncPass02.jpg\" alt=\"LyncPass02\" width=\"455\" height=\"176\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass02.jpg 455w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass02-300x116.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/LyncPass02-150x58.jpg 150w\" sizes=\"auto, (max-width: 455px) 100vw, 455px\" \/><\/a><\/p>\n<p>As you can see, if you need some users to stay with the \u201cstandard\u201d authentication, or if you need to keep Android and Mac working, the only solution is to have a registrar (and a pool) not enabled to passive authentication.<\/p>\n<p>A scenario could be having a Director Pool and a couple of S.E. server for Lync. BTW, talking about Director Pool, take a look to my previous post <a href=\"https:\/\/modern-workplace.uk\/\/why-i-added-a-lync-director-pool-also-if-i-dont-like-it\">Why I added a Lync Director Pool (also if I don\u2019t like it)<\/a>\u00a0\ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n<h4>IIS ARR<\/h4>\n<p>If you already have the Lync rules configured as in the TechNet Blog post <a href=\"http:\/\/blogs.technet.com\/b\/nexthop\/archive\/2013\/02\/19\/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx\">Using IIS ARR as a Reverse Proxy for Lync Server 2013<\/a> , I have to say, quoting <a href=\"http:\/\/www.msexchange.org\/articles-tutorials\/exchange-server-2013\/mobility-client-access\/iis-application-request-routing-part3.html\">IIS Application Request Routing (Part 3)<\/a> \u201cremember that if you are using the same ARR server to publish multiple services, your rules must be very specific so they only match the URLs they should match! You should use a combination of the Pattern field in the Match URL section together with the {HTTP_HOST} condition to achieve this.\u201d I.E., you have to add an {HTTP_HOST} rule for the AD FS FQDN.<\/p>\n<h2><\/h2>\n<hr \/>\n<h2>Behavior of the Mobile Clients<\/h2>\n<p>&nbsp;<\/p>\n<p>Here comes the fun: looking at the list, you could think that Windows Phones are a piece of cake to use with Lync 2013 passive authentication. The answer is: not at all (and it is what took me a LOT of time for this lab)<\/p>\n<h3>Lync 2013 \u201cDesktop\u201d Client<\/h3>\n<p>This one simply authenticates as usual, no form from the AD FS is shown, also if you use a Windows client coming from the external network and not joined to the domain.<\/p>\n<p>In the picture, you can see the logging for the WebInfrastructure component, that is the most relevant for the passive authentication process<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Desktop_Client_Passive_Auth03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1567\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Desktop_Client_Passive_Auth03.png\" alt=\"Desktop_Client_Passive_Auth03\" width=\"640\" height=\"451\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Desktop_Client_Passive_Auth03.png 807w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Desktop_Client_Passive_Auth03-300x211.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Desktop_Client_Passive_Auth03-150x105.png 150w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h3>Lync 2013 Store App<\/h3>\n<p>&nbsp;<\/p>\n<p>The Windows 8 &#8211; Lync 2013 Store App works as expected, redirecting you to the AD FS forms page and then allowing you access to Lync (see picture)<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1568\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00-1024x575.png\" alt=\"Store_App_Passive_Auth00\" width=\"640\" height=\"360\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00-1024x575.png 1024w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00-300x168.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00-150x84.png 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth00.png 1366w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>In the following image you can see the related WebInfrastructure logging<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1569\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth02.png\" alt=\"Store_App_Passive_Auth02\" width=\"640\" height=\"474\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth02.png 806w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth02-300x222.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Store_App_Passive_Auth02-150x111.png 150w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h3>Lync 2013 for IPad<\/h3>\n<p>The IPad clients works well as the Windows store app when we deploy passive authentication. It shows the AD FS authentication page and then works as we expect it to do<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth00.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1570\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth00-225x300.png\" alt=\"IPAD_Passive_Auth00\" width=\"480\" height=\"640\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth00-225x300.png 225w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth00-150x200.png 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth00.png 768w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Again, there is a capture of the logging. Note that there are 401 (unauthorized) errors for the webticketservice, but it looks like they have no consequence on the client.<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1571\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth03-300x212.png\" alt=\"IPAD_Passive_Auth03\" width=\"640\" height=\"453\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth03-300x212.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth03-150x106.png 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/IPAD_Passive_Auth03.png 809w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3>Windows Phone 8 \u2013 Lync 2013 Client<\/h3>\n<p>I have used my good, cheap Lumia 620 phone. It tries to open the AD FS web page, but the result is a white page and there is no way to make it work. Considering that all the other clients work as expected, I suspect some kind of specific problem with the phone \/ Windows Phone version \/ client. Again, here are some screenshots of the logging. The errors are the same I have for the IPad, but the result is REALLY different<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth00.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1572\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth00-300x212.jpg\" alt=\"Lumia_Passive_Auth00\" width=\"640\" height=\"453\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth00-300x212.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth00-150x106.jpg 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth00.jpg 806w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>And more<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1573\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth01-300x211.jpg\" alt=\"Lumia_Passive_Auth01\" width=\"640\" height=\"450\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth01-300x211.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth01-150x105.jpg 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth01.jpg 810w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>And a last one<\/p>\n<p><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1574\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth02-300x210.jpg\" alt=\"Lumia_Passive_Auth02\" width=\"640\" height=\"449\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth02-300x210.jpg 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth02-150x105.jpg 150w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/07\/Lumia_Passive_Auth02.jpg 808w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3>Android \u2013 Lync 2013 Client<\/h3>\n<p>It is NOT supported, and it goes as you could expect: the client stays stuck in the attempt to authenticate with Lync 2013<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<h3>Summarizing<\/h3>\n<p>My impression is that the whole passive authentication mechanism in Lync 2013 still requires a lot of improvements. The fact that it is a pool level policy, the complex relation between Lync and AD FS, the no consistent errors (and results) I have with different kind of clients seems to point out for a promising but still problematic feature. Looking on the Internet, I see also really few posts \/ documents talking about this one. This is a good hint about something that not really much companies are using right now.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<h3>Logs<\/h3>\n<p>In the .zip file here, you will find the logs related to the different clients.<\/p>\n<p>The first one to solve the Windows Phone \u201cproblem\u201d will win an original Italian pizza, offered by me (as soon as you are in Rome, of course) \ud83d\ude00<\/p>\n<p><span style=\"color: #3366ff;\"><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/07\/Lync-Passive-Authentication.zip\"><span style=\"color: #3366ff;\">Lync Passive Authentication<\/span><\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer: I always \u201ceat my own dog food\u201d. Right now I am working on a Packt book and one of the topics is Lync Passive Authentication. Before writing about this topic I have built a complete lab (honestly, more similar to a scaled down production environment) to test it. The following are my finding about [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1575,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[259,18,19],"tags":[657,656,663,660,661,702,100,655,35,650,651,659,653,658,662,652,46,654],"class_list":["post-1562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-259","category-english","category-lync","tag-active-directory-federation-service","tag-adfs","tag-certificate","tag-iis-application-request-routing","tag-iis-arr","tag-lync","tag-lync-2013-2","tag-lync-2013-mobile-clients","tag-lync-client","tag-lync-mobile-client","tag-lync-passive-authentication","tag-lync-server-2013-certificate-authentication-and-passive-authentication-support-for-lync-2013-mobile-applications","tag-lync-two-factor-authentication","tag-microsoft-lync-2013-for-mobile-and-passive-authentication","tag-office-web-apps","tag-passive-authentication","tag-simple-urls","tag-version-5-2"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/1562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1562"}],"version-history":[{"count":15,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/1562\/revisions"}],"predecessor-version":[{"id":1591,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/1562\/revisions\/1591"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/1575"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}