User and Client Authentication for Lync Server 2010
Topic Last Modified: 2013-02-16
A trusted user is one whose credentials have been authenticated by a trusted server in Microsoft Lync Server 2010. This server is usually a Standard Edition server, Enterprise Edition Front End Server, or Director. Lync Server 2010 relies on Active Directory Domain Services as the single, trusted back-end repository of user credentials.
Authentication is the provision of user credentials to a trusted server. Lync Server 2010 uses the following authentication protocols, depending on the status and location of the user.
MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services, which is why it cannot be used for authenticating clients outside the corporate firewall.
NTLM protocol for users with Active Directory credentials who are connecting from an endpoint outside the corporate firewall. The Access Edge service passes logon requests to a Director, if present, or a Front End Server for authentication. The Access Edge service itself performs no authentication.
NTLM protocol offers weaker attack protection than Kerberos, so some organizations minimize usage of NTLM. As a result, access to Lync Server 2010 might be restricted to internal or clients connected through a VPN connection.
Digest protocol for so-called anonymous users. Anonymous users are outside users who do not have recognized Active Directory credentials but who have been invited to an on-premises conference and possess a valid conference key. Digest authentication is not used for other client interactions.
Lync Server 2010 authentication consists of two phases:
A security association is established between the client and the server.
The client and server use the existing security association to sign messages that they send and to verify the messages they receive. Unauthenticated messages from a client are not accepted when authentication is enabled on the server.
User trust is attached to each message that originates from a user, not to the user identity itself. The server checks each message for valid user credentials. If the user credentials are valid, the message is unchallenged not only by the first server to receive it but by all other servers in the trusted server cloud.
Users with valid credentials issued by a federated partner are trusted but optionally prevented by additional constraints from enjoying the full range of privileges accorded to internal users.
The ICE and TURN protocols also use the Digest challenge as described in the IETF TURN RFC. For details, see Media Traversal.
Client certificates provide an alternate way for users to be authenticated by Lync Server 2010. Client certificates are created and issued to the client by the Lync Server. They are used for the purpose of identification only. The certificate is issued to the client and is stored in the computer user’s Personal certificate store. By issuing on a per-user basis, this ensures that each distinct user will require a separate certificate for client identification purposes. The certificate is created with Client Authentication Extended Key Usage only, and carries no key usage information.
The Lync Server creates and issues the certificates for the express purpose of client authentication and identification between the Lync Server and the requesting user. Because this is designed behavior and part of the client and server operational design, it is not possible to have another certificate issuing service, private public key infrastructure or public certification authority, create and assign the certificates.
Aside from computer-based client software, Certificates are particularly useful for telephones and other devices running Microsoft Lync 2010 Phone Edition where it is difficult to enter a user name and/or password. A personal identification number (PIN) is used instead.