Lync 2013 On-Prem and Client Authentication.

I recently was made aware of a new “feature” in Lync 2013 which I was not aware of. This is regarding client authentication and remote access users.

There are three authentication methods on the security – registrar tab in Lync Server Control Panel:

The following TechNet article describes each of these

Notice that the checkbox for Enable Integrated Windows Authentication is cleared in my configuration. According to the TechNet article, Microsoft recommends to enable this when serving remote access users, otherwise they won’t be able to authenticate. And here’s where my discovery comes in play.

I discovered that if this setting is enabled, a remote user with a local Lync client can log in to Lync with a username and password(of a Lync enabled user) without having to present a valid root certificate. The local PC does not have to be domain joined either. In my opinion, this is not very secure…The feature has obviously been there for a while, but I’ve never tried logging in to a system before without having the root certificate in place so that’s why I kinda didn’t know this was possible.

I think this setting was default disabled on Lync 2010 and had to be turned on, but I might be wrong on this one. Nevertheless, I would recommend this setting to be turned off in order to have some control of the clients logging in to the Lync environment. When Microsoft states that remote access clients won’t be able to authenticate unless you enable NTLM authentication, that’s not entirely true. They will be able to authenticate if they are provided with the domains root certificate from the internal rootCA. Domain joined clients get this by default, but nondomain clients like Mac’s, Linux and other Windows clients will have to import the certificate to the local trusted root certificate store.

This involves some manual actions to be taken, but in my opinion it’s worth the extra effort in order to have a more secure environment.

Of course, if the Lync environment is a multitenant solution where all users are treated as remote users and not able to acquire the root certificate from the domain in which Lync is installed(without a lot of intervention from the system administrators), NTLM authentication is the only way to allow clients to authenticate.

If anyone has comments regarding this matter or even have some other opinion on why this might be nice or not, please feel free to comment on this post 🙂

One thought on “Lync 2013 On-Prem and Client Authentication.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s