If you are deploying the 2007 R2 version of Communicator Web Access in an Active Directory forest that includes multiple domains, it is important that all the domains trust one another. If they do not, then users with accounts in a given domain might experience difficulty logging on to Communicator Web Access. In particular, they might have their logon attempt rejected along with the message that their computer clock has not been set correctly. The rejected logon and the misleading error message result from the way that the Kerberos authentication protocol handles these requests.
If you cannot set up a trust relationship between all the domains, you can temporarily fix the problem by resetting the World Wide Web service. Alternatively, you can disable Kerberos, which forces Internet Information Services (IIS) to use NTLM authentication. With NTLM authentication, this problem does not occur.
To disable Kerberos authentication on a computer running Windows Server 2008
1. Log on to the computer as a member of the local Administrators group.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In Internet Information Services (IIS) Manager, expand the name of your domain and then expand Web Sites.
4. Click the name of your Communicator Access Web site, and then double-click Authentication in the Features pane.
5. Right-click Windows Authentication and then click Disabled.
To disable Kerberos authentication on a computer running Windows Server 2003
1. Log on to the computer as a member of the local Administrators group.
2. Click Start and then click Run.
3. In the Run dialog box, type cmd and then press ENTER.
4. In the command window, type the following command and then press ENTER. Note that NTLM must be typed in all uppercase letters:
   cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
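The following batch file is an added example, not part of the original procedure or a Microsoft-supplied script. It wraps the Windows Server 2003 command above so that the previous setting is recorded before the change and the new value is read back afterward. It assumes adsutil.vbs is in the default IIS 6.0 AdminScripts folder; the backup and check file names are hypothetical.

```batch
@echo off
rem Added example (not Microsoft's script). Assumes the default IIS 6.0
rem AdminScripts folder; the file names under %TEMP% are hypothetical.
setlocal
set "ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"
set "NODE=w3svc/NTAuthenticationProviders"
set "BACKUP=%TEMP%\NTAuthenticationProviders.before.txt"
set "CHECK=%TEMP%\NTAuthenticationProviders.after.txt"

if not exist "%ADSUTIL%" goto :missing

rem Record the current value, or the "not set" message, so the change
rem can be reverted after the domain trusts are in place.
cscript //nologo "%ADSUTIL%" get %NODE% > "%BACKUP%" 2>&1
echo Previous setting saved to "%BACKUP%":
type "%BACKUP%"

rem The command from the procedure: offer NTLM only. NTLM must be uppercase.
cscript //nologo "%ADSUTIL%" set %NODE% "NTLM"

rem Read the value back. It must list NTLM and must not list Negotiate,
rem which is the provider that lets IIS use Kerberos.
cscript //nologo "%ADSUTIL%" get %NODE% > "%CHECK%" 2>&1
findstr /C:"NTLM" "%CHECK%" >nul
if errorlevel 1 goto :failed
findstr /I /C:"Negotiate" "%CHECK%" >nul
if not errorlevel 1 goto :failed

echo %NODE% now offers NTLM only.
exit /b 0

:missing
echo adsutil.vbs was not found at "%ADSUTIL%".
exit /b 1

:failed
echo The change was not applied. Current value:
type "%CHECK%"
exit /b 1
```

Keep the saved file with your change records: NTLM is the weaker of the two protocols, so the recorded value is what you restore once all the domains trust one another.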