Monday, 4 January 2016

How Lync/SfB clients authenticate to Lync/SfB Server - Simple explanation

Internal users
When the user is inside the corporate network and signs in to Lync Server from a domain-joined computer using their corporate Active Directory user account, the Lync/SfB client uses the following three protocols to authenticate the user when signing in to Lync/SfB Server:
o   Kerberos v5
o   TLS-DSK
o   NTLM v2
1. If the user has no certificate, the Lync/SfB client attempts to sign in the user to the Front End Server using Kerberos (SIP traffic).
2. The Front End Server rejects the authentication request and redirects the Lync/SfB client to the Web Services (https://lync.contoso.com/CertProv/CertProvisioningService.svc) to request a certificate (SIP traffic).
3. The Lync/SfB client authenticates the user to the Web Services using NTLM (HTTPS traffic).
4. Once authenticated, the Lync/SfB client requests a certificate for the user (HTTPS traffic). This client certificate is then stored in the user’s Personal certificate store.
5. The Lync/SfB client re-authenticates the user to the Front End Server using TLS-DSK (SIP traffic).
6. For all subsequent sign-in requests, the Lync/SfB client authenticates to the Server using the TLS-DSK protocol with the user’s certificate instead of using Kerberos or NTLM.
Note - This user certificate is valid for a period of 180 days, and is automatically renewed one month prior to expiration regardless of whether the user is connected internally or externally.
External users
For remote users connecting over the SIP channel via the Edge Server, the Lync/SfB client can only use the following two authentication protocols:
o   TLS-DSK
o   NTLM v2
1. If the user does not have a certificate, the Lync/SfB client attempts to sign in the user to the Server using NTLM through the Edge Server (SIP traffic).
2. The Edge Server rejects the authentication request and redirects the Lync/SfB client to the Web Services (https://lyncexternal.contoso.com/CertProv/CertProvisioningService.svc) through the reverse proxy to request a certificate (SIP traffic).
3. The Lync/SfB client authenticates the user to the Web Services using NTLM v2 (HTTPS traffic).
4. After authentication, the Lync/SfB client requests a certificate for the user (HTTPS traffic). This client certificate is then stored in the user’s Personal certificate store.
5. The Lync/SfB client re-authenticates the user through the Edge Server using TLS-DSK (SIP traffic).
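Both the internal and the external flow end the same way: the client certificate lands in the user's Personal store and every later sign-in uses TLS-DSK with it. The PowerShell below is an added example (not code from the original post or from Microsoft) that a helpdesk or security engineer can run on a client to confirm that certificate is present, still has its private key, and whether it is inside the one-month renewal window the note above describes. It assumes the certificate issued by the Certificate Provisioning Service can be recognised by the string "Communications Server" in its Issuer field; the `$IssuerPattern` value is that assumption and should be adjusted to match what a given deployment actually issues.

```powershell
# Added example, not part of the original post. Inspect the current user's
# Personal store for the Lync/SfB client certificate that TLS-DSK sign-in uses.
# ASSUMPTION: the Certificate Provisioning Service issues the certificate with
# "Communications Server" in its Issuer; change $IssuerPattern if yours differs.
$IssuerPattern        = 'Communications Server'
$RenewalWindowDays    = 30    # post: renewed one month before expiry
$ExpectedLifetimeDays = 180   # post: certificate valid for 180 days

function Get-SfbClientCertificate {
    param([string]$Pattern = $IssuerPattern)

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$Pattern*" } |
        ForEach-Object {
            $now      = Get-Date
            $lifetime = ($_.NotAfter - $_.NotBefore).TotalDays
            $daysLeft = ($_.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Subject         = $_.Subject
                Issuer          = $_.Issuer
                Thumbprint      = $_.Thumbprint
                NotBefore       = $_.NotBefore
                NotAfter        = $_.NotAfter
                LifetimeDays    = [math]::Round($lifetime)
                DaysUntilExpiry = [math]::Round($daysLeft)
                RenewalDue      = ($daysLeft -le $RenewalWindowDays)
                HasPrivateKey   = $_.HasPrivateKey
            }
        }
}

$certs = @(Get-SfbClientCertificate)

if ($certs.Count -eq 0) {
    # No certificate means the next sign-in takes the Kerberos/NTLM path and
    # re-requests a certificate from CertProvisioningService.svc.
    Write-Output "No Lync/SfB client certificate found in Cert:\CurrentUser\My (pattern '$IssuerPattern')."
} else {
    $certs | Format-List

    foreach ($c in $certs) {
        if (-not $c.HasPrivateKey) {
            Write-Warning "Certificate $($c.Thumbprint) has no private key; TLS-DSK cannot use it."
        }
        if ($c.LifetimeDays -ne $ExpectedLifetimeDays) {
            Write-Warning "Certificate $($c.Thumbprint) lifetime is $($c.LifetimeDays) days, expected $ExpectedLifetimeDays."
        }
        if ($c.RenewalDue) {
            Write-Warning "Certificate $($c.Thumbprint) is inside the renewal window ($($c.DaysUntilExpiry) days left)."
        }
    }
}
```

Run it in the signed-in user's own session, since the certificate lives in that user's store rather than the machine store. An empty result on a user who signs in fine, or a certificate whose lifetime is not 180 days, is worth a second look: it suggests the client is not completing the TLS-DSK enrolment described above and is falling back to Kerberos or NTLM on every sign-in.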
