A trusted user is one whose credentials have been authenticated by a trusted Office Communications Server. This server is normally a Standard Edition server, Enterprise Edition Front End Server, or Director. Office Communications Server 2007 R2 relies on Active Directory Domain Services as the single, trusted back-end repository of user credentials.
Authentication is the provision of user credentials to a trusted server. Office Communications Server 2007 R2 uses the three following authentication protocols, depending on the status and location of the user.
- MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services, which is why it cannot be used for authenticating clients outside the corporate firewall.
- NTLM protocol for users with Active Directory credentials who are connecting from an endpoint outside the corporate firewall. The Access Edge service passes logon requests to a Director, if present, or a Front End Server for authentication. The Access Edge service itself performs no authentication.
- Digest protocol for so-called anonymous users. Anonymous users are outside users who do not have recognized Active Directory credentials but who have been invited to an on-premises conference and possess a valid conference key. Digest authentication is not used for other client interactions.
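The Digest mechanism named for anonymous users is a challenge-response scheme: the server issues a fresh nonce, the client proves knowledge of the secret (here, the conference key) by returning a hash over the nonce and the secret, and the key itself never crosses the wire. The following is an added example, not code from Office Communications Server or this documentation; it implements the generic RFC 2617 Digest computation (MD5, qop=auth) with single-use server nonces so that a captured response cannot be replayed. The realm, user name, conference key and nonces are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from Office Communications Server).
REALM = "conference.example.com"
ANON_USER = "anon-guest-42"                  # hypothetical anonymous participant
CONFERENCE_KEY = "correct horse battery staple"  # hypothetical conference key


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, secret, realm, nonce, method, uri, cnonce, nc="00000001"):
    """Client side: RFC 2617 response for qop=auth.
    HA1 binds the identity and secret to the realm, HA2 binds the request,
    and the outer hash mixes in the server nonce and client nonce."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Server side: issues nonces and checks responses against known secrets."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials   # username -> secret (a real deployment stores HA1)
        self.outstanding = set()         # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)     # unpredictable, one per challenge
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username, nonce, nc, cnonce, method, uri, response):
        if nonce not in self.outstanding:
            return False                  # unknown, expired or already used nonce
        secret = self.credentials.get(username)
        if secret is None:
            return False                  # unknown participant
        expected = digest_response(username, secret, self.realm, nonce, method, uri, cnonce, nc)
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        if ok:
            self.outstanding.discard(nonce)            # nonce is single use in this model
        return ok


def run_demo():
    """Returns (valid_accepted, wrong_key_rejected, replay_rejected)."""
    server = DigestVerifier(REALM, {ANON_USER: CONFERENCE_KEY})
    ch = server.challenge()
    cnonce = secrets.token_hex(8)
    good = digest_response(ANON_USER, CONFERENCE_KEY, REALM, ch["nonce"], "INVITE", "sip:conf@example.com", cnonce)
    bad = digest_response(ANON_USER, "wrong key", REALM, ch["nonce"], "INVITE", "sip:conf@example.com", cnonce)

    wrong_key_rejected = not server.verify(ANON_USER, ch["nonce"], "00000001", cnonce, "INVITE", "sip:conf@example.com", bad)
    valid_accepted = server.verify(ANON_USER, ch["nonce"], "00000001", cnonce, "INVITE", "sip:conf@example.com", good)
    # Same nonce and same response presented again: the nonce is spent.
    replay_rejected = not server.verify(ANON_USER, ch["nonce"], "00000001", cnonce, "INVITE", "sip:conf@example.com", good)
    return valid_accepted, wrong_key_rejected, replay_rejected


if __name__ == "__main__":
    print(run_demo())
```

Two points carry over to any Digest deployment: the nonce must be unpredictable and tracked server-side (otherwise a recorded response stays valid), and the secret is only as strong as the conference key, since MD5 over a guessable key can be brute-forced offline from a single captured exchange.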
Office Communications Server 2007 R2 authentication consists of two phases:
- A security association is established between the client and the server.
- The client and server use the existing security association to sign messages that they send and to verify the messages they receive. Unauthenticated messages from a client are not accepted when authentication is enabled on the server.
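The two phases above separate a one-time credential exchange from the per-message protection that follows it. The following is an added example and not Office Communications Server code or its wire format: it models phase one as the hand-over of a shared session key (how Kerberos or NTLM derives that key is out of scope and simply assumed), and phase two as an HMAC-SHA256 signature over each message that the server verifies before accepting it, rejecting messages that are unsigned, tampered with, or replayed. User names, sequence numbers and message bodies are constructed sample values.

```python
import hashlib
import hmac
import secrets


class SecurityAssociation:
    """Outcome of phase 1: a session key both endpoints hold.
    In this constructed example the key is simply generated; a real
    deployment derives it from the Kerberos or NTLM exchange."""

    def __init__(self, user, key=None):
        self.user = user
        self.key = key or secrets.token_bytes(32)


def _mac(key, user, seq, body):
    # The identity and sequence number are covered so neither can be swapped.
    return hmac.new(key, f"{user}:{seq}:{body}".encode("utf-8"), hashlib.sha256).hexdigest()


def sign_message(sa, seq, body):
    """Client side of phase 2: attach a signature under the association key."""
    return {"user": sa.user, "seq": seq, "body": body, "sig": _mac(sa.key, sa.user, seq, body)}


class Server:
    def __init__(self, require_auth=True):
        self.require_auth = require_auth
        self.associations = {}   # user -> SecurityAssociation
        self.last_seq = {}       # user -> highest accepted sequence number

    def establish(self, user):
        """Phase 1 stand-in: create the association and share it with the client."""
        sa = SecurityAssociation(user)
        self.associations[user] = sa
        self.last_seq[user] = 0
        return sa

    def accept(self, msg):
        """Phase 2 check: returns True only for a correctly signed, fresh message."""
        sig = msg.get("sig")
        if sig is None:
            return not self.require_auth        # unsigned messages dropped when auth is on
        sa = self.associations.get(msg["user"])
        if sa is None:
            return False                        # no association for this identity
        expected = _mac(sa.key, msg["user"], msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, sig):
            return False                        # forged or modified in transit
        if msg["seq"] <= self.last_seq[msg["user"]]:
            return False                        # replay of an already seen message
        self.last_seq[msg["user"]] = msg["seq"]
        return True


def run_demo():
    """Returns (signed_ok, unsigned_rejected, tampered_rejected, replay_rejected)."""
    server = Server(require_auth=True)
    sa = server.establish("alice@example.com")  # constructed user

    signed = sign_message(sa, 1, "INVITE sip:bob@example.com")
    signed_ok = server.accept(signed)

    unsigned_rejected = not server.accept({"user": sa.user, "seq": 2, "body": "MESSAGE hello"})

    tampered = dict(sign_message(sa, 3, "MESSAGE meet at 10"))
    tampered["body"] = "MESSAGE meet at 11"      # body altered after signing
    tampered_rejected = not server.accept(tampered)

    replay_rejected = not server.accept(signed)   # seq 1 presented a second time
    return signed_ok, unsigned_rejected, tampered_rejected, replay_rejected


if __name__ == "__main__":
    print(run_demo())
```

The server never re-authenticates the user per message; it only checks that each message was produced by the holder of the association key, which is what lets every server in the trusted cloud accept a message once its signature verifies.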
User trust is attached to each message that originates from a user, not to the user identity itself. The server checks each message for valid user credentials. If the user credentials are valid, the message is unchallenged not only by the first server to receive it but by all other servers in the trusted server cloud.
Users with valid credentials issued by a federated partner are trusted but optionally prevented by additional constraints from enjoying the full range of privileges accorded to internal users.
The ICE and TURN protocols also use the Digest challenge as described in the IETF TURN RFC. For details, see Media Traversal.