The authentication protocol you specify for each pool determines which type of challenges the servers in the pool issue to clients. The available protocols are:
- Kerberos. This is the strongest password-based authentication
scheme available to clients, but it is normally available only to
enterprise clients because it requires client connection to a Key
Distribution Center (Kerberos domain controller). This setting is
appropriate if the server authenticates only enterprise clients.
- NTLM. This is the password-based authentication available to
clients that use a challenge-response hashing scheme on the
password. This is the only form of authentication available to
clients without connectivity to a Key Distribution Center (Kerberos
domain controller), such as outside users. If a server
authenticates only outside users, you should choose NTLM.
- Both NTLM and Kerberos. This is the best choice when a server
supports authentication for both outside and enterprise clients.
The Edge Server and internal servers communicate to ensure that
only NTLM authentication is offered to outside clients. If only
Kerberos is enabled on these servers, they cannot authenticate
outside users. If enterprise users also authenticate against the
server, Kerberos is used.
To specify the authentication protocol for Front End Servers
- Open the Office Communications Server 2007 R2 snap-in.
- In the console tree, expand the forest node, and then do one of the following:
  - For an Enterprise pool, expand Enterprise pools, right-click the pool, click Properties, and then click Front End Properties.
  - For a Standard Edition server, expand Standard Edition servers, right-click the pool, click Properties, and then click Front End Properties.
- Click the Authentication tab.
- On the Authentication tab, in the Authentication protocol list, click the protocol you want to use:
  - Kerberos to have the servers in the pool issue challenges using only Kerberos authentication.
  - NTLM to have the servers in the pool issue challenges using only NTLM.
  - Both NTLM and Kerberos to have the servers in the pool issue challenges using either NTLM or Kerberos authentication, depending on the capabilities of the client.
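
One way to confirm that a pool issues the challenges its setting implies is to inspect a captured challenge response. The following is an added example, not part of the original documentation or the product. It assumes challenges arrive as SIP responses whose `WWW-Authenticate` or `Proxy-Authenticate` headers begin with the scheme name; the sample response, host names and function names are constructed for illustration.

```python
# Added example: audit which schemes a captured SIP challenge offers.
CANONICAL = {"ntlm": "NTLM", "kerberos": "Kerberos"}
# Pool setting, as named in the Authentication protocol list -> schemes it may issue.
ALLOWED = {
    "Kerberos": {"Kerberos"},
    "NTLM": {"NTLM"},
    "Both NTLM and Kerberos": {"NTLM", "Kerberos"},
}
# Assumption: challenges arrive in these SIP headers, scheme name first.
CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")

# Constructed sample response; host names are placeholders.
SAMPLE = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: NTLM realm="SIP Communications Service", '
    'targetname="fe01.example.test", version=3\r\n'
    'WWW-Authenticate: Kerberos realm="SIP Communications Service", '
    'targetname="sip/fe01.example.test", version=3\r\n'
    "Content-Length: 0\r\n\r\n"
)


def offered_schemes(sip_response):
    """Return the set of authentication schemes named in the challenge headers."""
    head = sip_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    schemes = set()
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        parts = value.split()
        if sep and parts and name.strip().lower() in CHALLENGE_HEADERS:
            schemes.add(CANONICAL.get(parts[0].lower(), parts[0]))
    return schemes


def audit(sip_response, pool_setting, outside_client):
    """List mismatches between offered schemes and what the pool setting implies."""
    expected = set(ALLOWED[pool_setting])
    findings = []
    if outside_client:
        expected &= {"NTLM"}  # only NTLM is offered to outside clients
        if not expected:
            findings.append("Kerberos-only pool cannot authenticate outside users")
    offered = offered_schemes(sip_response)
    findings += ["unexpected scheme offered: " + s for s in sorted(offered - expected)]
    findings += ["expected scheme not offered: " + s for s in sorted(expected - offered)]
    return findings


if __name__ == "__main__":
    for outside in (False, True):
        print(outside, audit(SAMPLE, "Both NTLM and Kerberos", outside))
```

An empty list means the captured challenge matches the setting for that client type; a Kerberos challenge seen by an outside client is reported as a finding.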