Topic Last Modified: 2011-02-23
You can use the Registrar to configure proxy server authentication methods. The authentication protocol you specify determines which type of challenges the servers in the pool issue to clients. The available protocols are:
- Kerberos: This is the strongest password-based authentication scheme available to clients, but it is normally available only to enterprise clients because it requires client connection to a Key Distribution Center (Kerberos domain controller). This setting is appropriate if the server authenticates only enterprise clients.
- NTLM: This is the password-based authentication available to clients that use a challenge-response hashing scheme on the password. This is the only form of authentication available to clients without connectivity to a Key Distribution Center (Kerberos domain controller), such as remote users. If a server authenticates only remote users, you should choose NTLM.
- Certificate authentication: This is the new authentication method, used when the server needs to obtain certificates from Microsoft Lync 2010 Phone Edition clients, common area phones, and Microsoft Lync 2010. On Lync Phone Edition clients, after a user signs in and is successfully authenticated by providing a personal identification number (PIN), Microsoft Lync Server 2010 provisions the SIP URI to the phone, along with a Lync Server signed certificate or a user certificate that identifies the user (for example, SN=joe@contoso.com). This certificate is used for authenticating with the Registrar and Web Services.
Note: We recommend that you enable both Kerberos and NTLM when a server supports authentication for both remote and enterprise clients. The Edge Server and internal servers communicate to ensure that only NTLM authentication is offered to remote clients. If only Kerberos is enabled on these servers, they cannot authenticate remote users. If enterprise users also authenticate against the server, Kerberos is used.
Follow these steps to create a new Registrar.
To create a Registrar
- From a user account that is a member of the RTCUniversalServerAdmins group (or has equivalent user rights), or assigned to the CsServerAdministrator or CsAdministrator role, log on to any computer that is in the network in which you deployed Lync Server 2010.
- Open a browser window, and then enter the Admin URL to open the Lync Server Control Panel. For details about the different methods you can use to start Lync Server Control Panel, see Open Lync Server Administrative Tools.
- In the left navigation bar, click Security and then click Registrar.
- On the Registrar page, click New.
- In Select a Service, click the service to which the Registrar is to be applied and then click OK.
- In New Registrar Setting, select one or more of the following depending on the capabilities of the clients and support in your environment:
  - Enable Kerberos authentication to have the servers in the pool issue challenges using Kerberos authentication.
  - Enable NTLM authentication to have the servers in the pool issue challenges using NTLM.
  - Enable certificate authentication to have the servers in the pool issue certificates to clients.
- Click Commit.
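The same settings can be created and audited from the Lync Server Management Shell with the CsProxyConfiguration cmdlets. The following is an added example, not part of the original topic: it creates service-scope settings for one pool with Kerberos and NTLM enabled, then checks every existing collection against the note above. The pool FQDN is a placeholder, and `Test-RegistrarAuth` is a hypothetical helper name.

```powershell
# Added example. Run in the Lync Server Management Shell with the same
# rights as the procedure above. $PoolFqdn is a placeholder value.
$PoolFqdn = 'pool01.contoso.com'
$Identity = "service:Registrar:$PoolFqdn"

# Hypothetical helper: classify one proxy configuration by the
# client-to-proxy authentication protocols it enables.
function Test-RegistrarAuth {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Config)
    process {
        $kerb = [bool]$Config.UseKerberosForClientToProxyAuth
        $ntlm = [bool]$Config.UseNtlmForClientToProxyAuth
        $cert = [bool]$Config.UseCertificateForClientToProxyAuth

        if ($kerb -and $ntlm) {
            $finding = 'Kerberos and NTLM: enterprise and remote clients supported'
        } elseif ($kerb) {
            $finding = 'Kerberos only: remote users cannot authenticate'
        } elseif ($ntlm) {
            $finding = 'NTLM only: intended for servers with only remote users'
        } else {
            $finding = 'No password-based protocol enabled'
        }

        New-Object PSObject -Property @{
            Identity    = $Config.Identity
            Kerberos    = $kerb
            NTLM        = $ntlm
            Certificate = $cert
            Finding     = $finding
        }
    }
}

# Create settings for the pool only if none exist yet at that scope.
# -Filter returns nothing (instead of an error) when there is no match.
if (-not (Get-CsProxyConfiguration -Filter $Identity)) {
    New-CsProxyConfiguration -Identity $Identity `
        -UseKerberosForClientToProxyAuth $true `
        -UseNtlmForClientToProxyAuth $true `
        -UseCertificateForClientToProxyAuth $false | Out-Null
}

# Audit every collection, including the global one.
Get-CsProxyConfiguration | Test-RegistrarAuth |
    Select-Object Identity, Kerberos, NTLM, Certificate, Finding |
    Format-Table -AutoSize
```

Set `-UseCertificateForClientToProxyAuth` to `$true` if the pool serves Lync Phone Edition clients or common area phones that sign in with certificates.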