Topic Last Modified: 2010-04-19
The authentication protocol you specify for each pool determines which type of challenges the servers in the pool issue to clients. The available protocols are:
- Kerberos. This is the strongest password-based
authentication scheme available to clients, but it is normally
available only to enterprise clients because it requires client
connection to a Key Distribution Center (Kerberos domain
controller). This setting is appropriate if the server
authenticates only enterprise clients.
- NTLM. This is the password-based authentication
available to clients that use a challenge-response hashing scheme
on the password. This is the only form of authentication available
to clients without connectivity to a Key Distribution Center
(Kerberos domain controller), such as remote users. If a server
authenticates only remote users, you should choose NTLM.
- Certificate authentication. This is the new
authentication method when the server needs to obtain certificates
from Microsoft Communicator “14” Phone Edition clients, common area
phones and Microsoft Communicator "14". On Phone Edition clients,
after a user signs in and is successfully authenticated by
providing a personal identification number (PIN), Microsoft
Communications Server 2010 then provisions the SIP URI to the phone
and provisions a Communications Server signed certificate or a user
certificate that identifies Joe (Ex: SNemail@example.com ) to the
phone. This certificate is used for authenticating with the
Enhanced Registrar and Web Services.
We recommend that you enable both Kerberos and NTLM when a server supports authentication for both remote and enterprise clients. The Edge Server and internal servers communicate to ensure that only NTLM authentication is offered to remote clients. If only Kerberos is enabled on these servers, they cannot authenticate remote users. If enterprise users also authenticate against the server, Kerberos is used.
To specify the authentication protocol for Front End Servers
Open Communications Server Control Panel.
In the left navigation bar, click Security, and then click Registrar. (If you do not see Security, click the arrow at the bottom of the navigation bar to scroll down.)
On the Registrar tab, click Global, click Edit, and then click Modify.
On the Authentication tab, in the Authentication protocol list, select one or more of the following depending on the capabilities of the clients and support in your environment:
- Enable Kerberos authentication to have the servers in
the pool issue challenges using Kerberos authentication.
- Enable NTLM authentication to have the servers in the
pool issue challenges using NTLM.
- Enable certificate authentication to have the servers in
the pool issue certificates to clients.
- When you are finished, click Commit.
- Enable Kerberos authentication to have the servers in the pool issue challenges using Kerberos authentication.