Script

Only users who have accounts in your Active Directory domain or in the Active Directory domain of a federated partner can log on to a Communicator Web Access Web sites. Anonymous users (that is, users who do have an account in your domain or the domain of a federated partner) can participate in desktop sharing and conferencing sessions, but only if they are invited to do so by an authenticated user. Before a user can access a Communicator Web Access site, he or she must be authenticated (that is, Communicator Web Access must verify that the user has a valid user account).

Communicator Web Access supports several different authentication mechanisms, including the following:

• Custom authentication. Custom authentication enables you to employ two-factor authentication, an authentication mechanism that relies on two pieces of identification (for example, typically a password or PIN number, and a smartcard). Alternatively, you can use Microsoft Security and Acceleration Server (ISA) 2006 to provide single sign on authentication for Communicator Web Access. With single sign on authentication users can log on to Communicator Web Access and then automatically be logged on to other services (for example, Outlook Web Access) that support this type of authentication. Alternatively, users could sign on to Outlook Web Access and then be automatically logged on to Communicator Web Access too.
  
  
• Integrated Windows authentication. With integrated Windows authentication, users can access a Communicator Web Access site without having to log on. Instead, users are authenticated using the same credentials they employed when logging on to their computer. Integrated Windows authentication is available only for internal virtual servers, and only for users running a Web browser (for example, Internet Explorer) that supports NTLM and/or Kerberos authentication.
  
  
• Forms-based authentication. Forms-based authentication is designed primarily for external users or for users running Web browsers that do not support NTLM or Kerberos authentication.
  
  

Although you must specify an authentication method when you create a virtual server, you can change the authentication settings by using the Communicator Web Access snap-in. Keep in mind that the authentication mechanisms available to you will vary depending on whether you are dealing with an internal virtual server or an external virtual server. The following table lists the options available to you.

Server type	Authentication method	Notes
Internal	Built-in	If you choose Built-in, you can then select Windows Authentication or Forms Authentication. Communicator Web Access will make sure that at least one authentication method has been selected. If you clear Windows Authentication, Forms Authentication will automatically be chosen for you, and vice-versa.
Internal	Custom	With Custom authentication, you can enter a URL in the Sign-Out URL (Optional)box (this is optional). This represents the URL of the Web page that users will see after they sign out of Communicator Web Access. This option is not available if you use Built-in authentication.
External	Built-in	If you choose Built-in Authentication, Forms Authentication will automatically be selected for you. That’s because Windows Authentication cannot be used with an external site. With Built-in Authentication, you can also specify time-out values for both public computers (by default, 15 minutes) and private computers (by default, 720 minutes). The time-out period represents the maximum period of inactivity allowed on a computer before the user’s Communicator Web Access session is terminated.
External	Custom	With Custom authentication, you can enter a URL in the Sign-Out URL (Optional)box (this is optional). This represents the URL of the Web page that users will see after they sign out of Communicator Web Access. This option is not available if you use Built-in authentication.

To modify authentication settings