Activate a UCMA 5.0 trusted application

Applies to: Skype for Business 2015

A UCMA trusted application is an application based on Microsoft Unified Communications Managed API 5.0 that is trusted by Skype for Business Server 2015. This trust relationship is summarized in the following list:

  • Trusted applications are not challenged for authentication by Skype for Business Server 2015.

  • Trusted applications are not throttled by Skype for Business Server 2015 for SIP transactions, connections, or outgoing Voice over Internet Protocol (VoIP) calls.

  • Trusted applications can impersonate any user and can join conferences without appearing in rosters.

  • Trusted applications are highly available and resilient.

Activating an application is the process by which UCMA 5.0 applications are configured to take advantage of Skype for Business Server 2015 functionality. Most of the commonly used configuration data exists in Active Directory, the Central Management Store, and the local certificate store of the computer that hosts the application.

Activation is required not only to deploy a ready-to-ship application, but also to test an application during the development phase.

Note

It is recommended that the computer running the trusted application be joined to the domain in which Skype for Business Server 2015 is running. However, if there is no intent to run Skype for Business Server 2015 PowerShell cmdlets from the application server or to make use of UCMA auto-provisioning capabilities, then the application can be run on a computer that is not joined to the domain.

Prerequisites for activation

  • UCMA 5.0 SDK or UCMA 5.0 Runtime has been installed with Skype for Business Server 2015, Core Components.

    Skype for Business Server 2015 Core Components provide access to PowerShell cmdlets needed for activating the application, and include the binaries that are needed to enable a local replica, or copy, of the Central Management Store.

  • A valid server topology with Skype for Business Server 2015 and an Active Directory domain controller exist for the application to run against.

  • Appropriate permissions and memberships are set.

    An application that runs as a trusted application must be a member of the appropriate groups. These groups are created during Skype for Business Server 2015 setup so that group members can carry out their intended tasks. The following table provides more information.

| Role | Group membership |
|---|---|
| Skype for Business Server 2015 Administrator | Domain Admins security group |
| Trusted Application Operator | RTCUniversalServerAdmins security group; Administrators local group |
| Trusted Application Service Account | RTC Component Local Group local group |

Note

After Skype for Business Server 2015 has been installed, administrators must manually create users with the previously listed permissions to act in the Trusted Application Administrator and Trusted Application Service Account roles.

Note

A security group is an entity that exists in the domain and is stored in Active Directory. Security groups can be managed using the Active Directory Users and Computers Microsoft Management Console (MMC). A local group is an entity that exists in the computer on which the trusted application is running. Local groups can be managed by using the Local Users and Groups MMC.
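The membership requirements in the table above can be checked from PowerShell before activation. This is an added example, not part of the original documentation: the function name and the account name in the usage comment are hypothetical, and it assumes Windows PowerShell 5.1 with the ActiveDirectory module, run on the computer that hosts the trusted application.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Role and group names are taken from the table above;
# Test-TrustedAppRoleMembership and 'svc-ucmaapp' are hypothetical names.
$RoleGroups = @{
    'Skype for Business Server 2015 Administrator' = @{ Domain = @('Domain Admins'); Local = @() }
    'Trusted Application Operator'                 = @{ Domain = @('RTCUniversalServerAdmins'); Local = @('Administrators') }
    'Trusted Application Service Account'          = @{ Domain = @(); Local = @('RTC Component Local Group') }
}

function Test-TrustedAppRoleMembership {
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    if (-not $RoleGroups.ContainsKey($Role)) { throw "Unknown role: $Role" }
    # Compare by SID so renamed accounts and DOMAIN\name formatting do not matter.
    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value

    # Security groups live in Active Directory; -Recursive expands nested groups.
    foreach ($group in $RoleGroups[$Role].Domain) {
        $members = Get-ADGroupMember -Identity $group -Recursive
        [pscustomobject]@{
            Group = $group; Scope = 'Domain'
            IsMember = ($members.SID.Value -contains $sid)
        }
    }

    # Local groups live on this computer. Get-LocalGroupMember does not expand
    # domain groups nested in a local group, so expand those through AD.
    foreach ($group in $RoleGroups[$Role].Local) {
        $isMember = $false
        foreach ($m in Get-LocalGroupMember -Group $group) {
            if ($m.SID.Value -eq $sid) { $isMember = $true; break }
            if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
                $nested = Get-ADGroupMember -Identity $m.SID.Value -Recursive
                if ($nested.SID.Value -contains $sid) { $isMember = $true; break }
            }
        }
        [pscustomobject]@{ Group = $group; Scope = 'Local'; IsMember = $isMember }
    }
}

# Usage (hypothetical service account):
# Test-TrustedAppRoleMembership -Role 'Trusted Application Service Account' -SamAccountName 'svc-ucmaapp'
```

Because a trusted application is not challenged for authentication and can impersonate any user, the same function is useful for periodic review: a service account that reports membership in the Operator or Administrator groups holds more privilege than the table assigns to it.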

Tasks by role

The following table summarizes the tasks that can be performed by the three different roles.

| Task | Skype for Business Server 2015 Administrator | Trusted Application Operator | Trusted Application Service Account |
|---|---|---|---|
| Install UCMA 5.0 SDK or UCMA 5.0 Runtime | Yes | Yes | No |
| Manage trusted application pools and trusted application computers | Yes | No | No |
| Request and set certificates | Yes | Yes | No |
| Manage trusted applications | Yes | No | No |
| Manage trusted application endpoints | Yes | Yes | No |
| Install and activate a local Central Management Store replica | Yes | Yes | No |
| Run UCMA-based applications | Yes | Yes | Yes |

The remaining topics in this section discuss how activation, provisioning, and deployment are different in UCMA 5.0, and list the activation steps that are required for all trusted applications, as well as the activation steps required by either auto-provisioned or manually provisioned applications: