Activate a UCMA 5.0 trusted application
Applies to: Skype for Business 2015
A UCMA trusted application is an application based on Microsoft Unified Communications Managed API 5.0 that is trusted by Skype for Business Server 2015. This trust relationship is summarized in the following list:
Trusted applications are not challenged for authentication by Skype for Business Server 2015.
Trusted applications are not throttled by Skype for Business Server 2015 for SIP transactions, connections, or outgoing Voice over Internet Protocol (VoIP) calls.
Trusted applications can impersonate any user and can join conferences without appearing in rosters.
Trusted applications are highly available and resilient.
Activating an application is the process by which UCMA 5.0 applications are configured to take advantage of Skype for Business Server 2015 functionality. Most of the commonly used configuration data exists in Active Directory, the Central Management Store, and the local certificate store of the computer that hosts the application.
Activation is required not only to deploy a ready-to-ship application, but also to test an application during the application development phase.
Note
It is recommended that the computer running the trusted application be joined to the domain in which Skype for Business Server 2015 is running. However, if there is no intent to run Skype for Business Server 2015 PowerShell cmdlets from the application server or to make use of UCMA auto-provisioning capabilities, then the application can be run on a computer that is not joined to the domain.
Prerequisites for activation
UCMA 5.0 SDK or UCMA 5.0 Runtime has been installed with Skype for Business Server 2015, Core Components.
Skype for Business Server 2015 Core Components provide access to PowerShell cmdlets needed for activating the application, and include the binaries that are needed to enable a local replica, or copy, of the Central Management Store.
A valid server topology with Skype for Business Server 2015 and an Active Directory domain controller exist for the application to run against.
Appropriate permissions and memberships are set.
An application that runs as a trusted application must be a member of the appropriate groups. These groups are created during Skype for Business Server 2015 setup so that group members can carry out their intended tasks. The following table provides more information.
| Role | Group membership |
|---|---|
| Skype for Business Server 2015 Administrator | Domain Admins security group |
| Trusted Application Operator | RTCUniversalServerAdmins security group; Administrators local group |
| Trusted Application Service Account | RTC Component Local Group local group |
Note
After Skype for Business Server 2015 has been installed, administrators must manually create users with the previously listed permissions to act in the Trusted Application Administrator and Trusted Application Service Account roles.
Note
A security group is an entity that exists in the domain and is stored in Active Directory. Security groups can be managed using the Active Directory Users and Computers Microsoft Management Console (MMC). A local group is an entity that exists in the computer on which the trusted application is running. Local groups can be managed by using the Local Users and Groups MMC.
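Because a trusted application is not challenged for authentication and can impersonate any user, membership of the groups in the table above is worth auditing. The following PowerShell script is an added example (not part of the original documentation) that compares the actual members of those groups with an allowlist. The account names in `$expected` are constructed placeholders, and the script assumes the RSAT ActiveDirectory module and Windows PowerShell 5.1 on the trusted application computer.

```powershell
#Requires -Modules ActiveDirectory
# Added example: flag accounts that hold a trusted-application role group
# but are not on the allowlist. All account names below are constructed.

$expected = @{
    'Domain Admins'             = @('adm-alice')
    'RTCUniversalServerAdmins'  = @('adm-alice', 'ucma-operator')
    'Administrators'            = @('Administrator', 'Domain Admins', 'ucma-operator')
    'RTC Component Local Group' = @('svc-ucma-app')
}

# Role-to-group mapping taken from the table on this page.
$roles = @(
    @{ Role = 'Skype for Business Server 2015 Administrator'; Group = 'Domain Admins'; Scope = 'Domain' }
    @{ Role = 'Trusted Application Operator'; Group = 'RTCUniversalServerAdmins'; Scope = 'Domain' }
    @{ Role = 'Trusted Application Operator'; Group = 'Administrators'; Scope = 'Local' }
    @{ Role = 'Trusted Application Service Account'; Group = 'RTC Component Local Group'; Scope = 'Local' }
)

function Get-RoleGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [ValidateSet('Domain', 'Local')] [string] $Scope
    )
    if ($Scope -eq 'Domain') {
        # -Recursive expands nested groups and returns only leaf accounts.
        Get-ADGroupMember -Identity $Group -Recursive |
            ForEach-Object { $_.SamAccountName }
    } else {
        # Local members are named DOMAIN\name or COMPUTER\name; keep the name part.
        # Nested domain groups are listed as-is, not expanded.
        Get-LocalGroupMember -Group $Group |
            ForEach-Object { ($_.Name -split '\\')[-1] }
    }
}

$findings = foreach ($r in $roles) {
    foreach ($member in @(Get-RoleGroupMember -Group $r.Group -Scope $r.Scope)) {
        if ($member -notin $expected[$r.Group]) {
            [pscustomobject]@{
                Role = $r.Role; Group = $r.Group; Scope = $r.Scope; Unexpected = $member
            }
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task raise an alert
```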
Tasks by role
The following table summarizes the tasks that can be performed by the three different roles.
| Task | Skype for Business Server 2015 Administrator | Trusted Application Operator | Trusted Application Service Account |
|---|---|---|---|
| Install UCMA 5.0 SDK or UCMA 5.0 Runtime | Yes | Yes | No |
| Manage trusted application pools and trusted application computers | Yes | No | No |
| Request and set certificates | Yes | Yes | No |
| Manage trusted applications | Yes | No | No |
| Manage trusted application endpoints | Yes | Yes | No |
| Install and activate a local Central Management Store replica | Yes | Yes | No |
| Run UCMA-based applications | Yes | Yes | Yes |
The remaining topics in this section discuss how activation, provisioning, and deployment are different in UCMA 5.0, and list the activation steps that are required for all trusted applications, as well as the activation steps required by either auto-provisioned or manually-provisioned applications:
General application activation. Activation steps needed by all trusted applications.
Activating an auto-provisioned application. Activation steps needed by auto-provisioned applications. Auto-provisioned applications require a local copy of the Central Management Store.
Activating a manually-provisioned application. Activation steps needed for manually provisioned applications. Manually-provisioned applications do not require a local copy of the Central Management Store.
Activating applications programmatically. Steps required to run Skype for Business Server 2015 PowerShell cmdlets programmatically.