Only users who have accounts in your Active Directory domain or in the Active Directory domain of a federated partner can log on to a Communicator Web Access Web sites. Anonymous users (that is, users who do have an account in your domain or the domain of a federated partner) can participate in desktop sharing and conferencing sessions, but only if they are invited to do so by an authenticated user. Before a user can access a Communicator Web Access site, he or she must be authenticated (that is, Communicator Web Access must verify that the user has a valid user account).
Communicator Web Access supports several different authentication mechanisms, including the following:
-
Custom authentication. Custom authentication enables you to
employ two-factor authentication, an authentication mechanism that
relies on two pieces of identification (for example, typically a
password or PIN number, and a smartcard). Alternatively, you can
use Microsoft Security and Acceleration Server (ISA) 2006 to
provide single sign on authentication for Communicator Web Access.
With single sign on authentication users can log on to Communicator
Web Access and then automatically be logged on to other services
(for example, Outlook Web Access) that support this type of
authentication. Alternatively, users could sign on to Outlook Web
Access and then be automatically logged on to Communicator Web
Access too.
-
Integrated Windows authentication. With integrated Windows
authentication, users can access a Communicator Web Access site
without having to log on. Instead, users are authenticated using
the same credentials they employed when logging on to their
computer. Integrated Windows authentication is available only for
internal virtual servers, and only for users running a Web browser
(for example, Internet Explorer) that supports NTLM and/or Kerberos
authentication.
-
Forms-based authentication. Forms-based authentication is
designed primarily for external users or for users running Web
browsers that do not support NTLM or Kerberos authentication.
Although you must specify an authentication method when you create a virtual server, you can change the authentication settings by using the Communicator Web Access snap-in. Keep in mind that the authentication mechanisms available to you will vary depending on whether you are dealing with an internal virtual server or an external virtual server. The following table lists the options available to you.
Server type | Authentication method | Notes |
---|---|---|
Internal |
Built-in |
If you choose Built-in, you can then select Windows Authentication or Forms Authentication. Communicator Web Access will make sure that at least one authentication method has been selected. If you clear Windows Authentication, Forms Authentication will automatically be chosen for you, and vice-versa. |
Internal |
Custom |
With Custom authentication, you can enter a URL in the Sign-Out URL (Optional)box (this is optional). This represents the URL of the Web page that users will see after they sign out of Communicator Web Access. This option is not available if you use Built-in authentication. |
External |
Built-in |
If you choose Built-in Authentication, Forms Authentication will automatically be selected for you. That’s because Windows Authentication cannot be used with an external site. With Built-in Authentication, you can also specify time-out values for both public computers (by default, 15 minutes) and private computers (by default, 720 minutes). The time-out period represents the maximum period of inactivity allowed on a computer before the user’s Communicator Web Access session is terminated. |
External |
Custom |
With Custom authentication, you can enter a URL in the Sign-Out URL (Optional)box (this is optional). This represents the URL of the Web page that users will see after they sign out of Communicator Web Access. This option is not available if you use Built-in authentication. |
To modify authentication settings
-
Log on to the computer that is running the Communicator Web Access snap-in. To modify authentication settings, you must log on as a member of the local Administrators group and the RTCUniversalServerAdmins group.
-
Click Start, point to Administrative Tools, and then click Microsoft Office Communications Server 2007 R2, Communicator Web Access.
-
In the console pane, expand the name of the computer that hosts the virtual server whose authentication settings you want to change, right-click the name of the virtual server, and then click Properties.
-
In the Propertiesdialog box, click the Authenticationtab.
-
Change the settings as needed and then click OK. The authentication types available to you will vary depending on whether you are configuring an internal virtual server or an external virtual server.