Modify the Default Authentication Protocols Issued by Registrars to Clients

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-04-19

The authentication protocol you specify for each pool determines which type of challenges the servers in the pool issue to clients. The available protocols are:

Kerberos. This is the strongest password-based authentication scheme available to clients, but it is normally available only to enterprise clients because it requires client connection to a Key Distribution Center (Kerberos domain controller). This setting is appropriate if the server authenticates only enterprise clients.
NTLM. This is the password-based authentication available to clients that use a challenge-response hashing scheme on the password. This is the only form of authentication available to clients without connectivity to a Key Distribution Center (Kerberos domain controller), such as remote users. If a server authenticates only remote users, you should choose NTLM.
Certificate authentication. This is the new authentication method when the server needs to obtain certificates from Microsoft Communicator “14” Phone Edition clients, common area phones and Microsoft Communicator "14". On Phone Edition clients, after a user signs in and is successfully authenticated by providing a personal identification number (PIN), Microsoft Communications Server 2010 then provisions the SIP URI to the phone and provisions a Communications Server signed certificate or a user certificate that identifies Joe (Ex: SN=joe@contoso.com ) to the phone. This certificate is used for authenticating with the Enhanced Registrar and Web Services.

We recommend that you enable both Kerberos and NTLM when a server supports authentication for both remote and enterprise clients. The Edge Server and internal servers communicate to ensure that only NTLM authentication is offered to remote clients. If only Kerberos is enabled on these servers, they cannot authenticate remote users. If enterprise users also authenticate against the server, Kerberos is used.

To specify the authentication protocol for Front End Servers

Open Communications Server Control Panel.
In the left navigation bar, click Security, and then click Registrar. (If you do not see Security, click the arrow at the bottom of the navigation bar to scroll down.)
On the Registrar tab, click Global, click Edit, and then click Modify.
On the Authentication tab, in the Authentication protocol list, select one or more of the following depending on the capabilities of the clients and support in your environment:
- Enable Kerberos authentication to have the servers in the pool issue challenges using Kerberos authentication.
- Enable NTLM authentication to have the servers in the pool issue challenges using NTLM.
- Enable certificate authentication to have the servers in the pool issue certificates to clients.
- When you are finished, click Commit.