Microsoft mercifully added passive authentication to Lync 2013, giving Lync admins the ability to require two-factor authentication for external access to Lync (by integrating two-factor authentication into ADFS). Unfortunately, authentication options are a pool-wide setting, meaning that if you turn on passive authentication for a pool, every client connecting to that pool will use, and must support, passive authentication. If configured on the main pool, any client that isn’t Lync 2013 (Lync 2010, third-party conferencing equipment using SIP, or Lync 2010 version phones) will no longer be able to connect.
At this point, you have three options:
- Don’t use passive authentication until all clients are upgraded to Lync 2013
- Configure ADFS to only require two factors via the ADFS proxy and perform single sign on internally (default configuration), or
- Create a director pool, configure it for passive authentication and leave Kerberos and NTLM enabled on the home pool.
This blog post gives an overview of option 3, which includes the added benefit of internal clients continuing to use Kerberos or NTLM.
For the purposes of discussion, the director pool name is dirpool01 and the home pool is pool01.
After provisioning the director pool and configuring it for passive authentication, the desired sign-in behaviour can be achieved by configuring DNS and the next hop pool for the edge pool.
In this scenario, internal clients will connect to lyncdiscoverinternal (or _sipinternaltls._tcp.<domain> for Lync 2010 clients) and find pool01, which is configured with NTLM and Kerberos authentication. External clients will connect in through lyncdiscover (or _sip._tls.<domain> for Lync 2010 clients) and find dirpool01, which is configured for passive authentication and redirects them to ADFS for authentication. The director pool will accept the ADFS token and then redirect them to their home pool.
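The split described above, as an added example that is not from the original post: passive authentication on the director, Kerberos/NTLM kept on the home pool, certificate authentication on both, and the edge next hop pointed at the director. The FQDNs, the ADFS metadata URL and the edge pool name are placeholders, and the per-service configuration scopes are assumed to exist already (if Get-CsWebServiceConfiguration or Get-CsProxyConfiguration returns nothing for a scope, create it with the matching New- cmdlet first).

```powershell
# Added example; placeholder names, not the original post's environment.
$Director     = "dirpool01.contoso.com"
$HomePool     = "pool01.contoso.com"
$EdgePool     = "edgepool01.contoso.com"
$AdfsMetadata = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Director web services: redirect sign-in to ADFS (WS-Fed passive) and keep
#    certificate authentication on so the client can use its cert after sign-in.
Set-CsWebServiceConfiguration -Identity "Service:WebServer:$Director" `
    -UseWsFedPassiveAuth $true -WsFedPassiveMetadataUri $AdfsMetadata `
    -UseCertificateAuth $true

# 2. Director proxy: disable Kerberos and NTLM so clients landing on the director
#    cannot fall back to a password prompt; certificate auth stays enabled.
Set-CsProxyConfiguration -Identity "Service:Registrar:$Director" `
    -UseKerberosForClientToProxyAuth $false -UseNtlmForClientToProxyAuth $false `
    -UseCertificateForClientToProxyAuth $true

# 3. Home pool: leave Kerberos/NTLM on for internal clients, Lync 2010 and SIP
#    devices, and make sure certificate auth is enabled here as well.
Set-CsWebServiceConfiguration -Identity "Service:WebServer:$HomePool" -UseCertificateAuth $true
Set-CsProxyConfiguration -Identity "Service:Registrar:$HomePool" `
    -UseKerberosForClientToProxyAuth $true -UseNtlmForClientToProxyAuth $true `
    -UseCertificateForClientToProxyAuth $true

# 4. Edge: make the director the next hop so external sign-ins hit the passive-auth pool.
Set-CsEdgeServer -Identity "EdgeServer:$EdgePool" -Registrar "Registrar:$Director"

# Read the settings back. Every field should be $true; a $false in
# HomePoolPasswordAuthOn means Lync 2010 clients will be locked out, and a
# $false in DirectorPasswordAuthOff means the director still accepts passwords.
function Test-PassiveAuthSplit {
    param([string]$DirectorFqdn, [string]$HomePoolFqdn)
    $d = Get-CsProxyConfiguration      -Identity "Service:Registrar:$DirectorFqdn"
    $h = Get-CsProxyConfiguration      -Identity "Service:Registrar:$HomePoolFqdn"
    $w = Get-CsWebServiceConfiguration -Identity "Service:WebServer:$DirectorFqdn"
    [pscustomobject]@{
        DirectorPassiveAuth     = $w.UseWsFedPassiveAuth
        DirectorPasswordAuthOff = -not ($d.UseKerberosForClientToProxyAuth -or $d.UseNtlmForClientToProxyAuth)
        HomePoolPasswordAuthOn  = ($h.UseKerberosForClientToProxyAuth -and $h.UseNtlmForClientToProxyAuth)
        CertAuthOnBoth          = ($d.UseCertificateForClientToProxyAuth -and $h.UseCertificateForClientToProxyAuth)
    }
}
Test-PassiveAuthSplit -DirectorFqdn $Director -HomePoolFqdn $HomePool
```

Run it from the Lync Server Management Shell; the check at the end is the quickest way to confirm the home pool did not inherit the director's password-auth settings after a topology change.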
Some notes about this solution:
- Update: Users smart enough to enter a direct server name will be able to bypass passive auth. If this is undesirable, you could use this solution temporarily until all Lync 2010 clients are updated. I’m trying to find a way to stop this.
- Certificate authentication needs to be enabled on the director and home pool. It may work without it, but I’m not sure how.
- Passive Authentication is only supported by Lync 2013 (or higher) clients
- The certificates used will need to be updated to include the new dirpool01 alternate name which may incur a cost from your certificate provider
- You can reconfigure the next hop pool from Admin > Edge Pools > Edit Properties or using PowerShell:
Set-CsEdgeServer -Identity EdgeServer:<Edge Server pool FQDN> -Registrar Registrar:<NextHopPoolFQDN>
- For more information about deploying a Director pool, see Setting up the Director in Lync Server 2013 on TechNet
- For more information about automatic client sign-in, see DNS requirements for automatic client sign-in in Lync Server 2013 and Determine DNS requirements for Lync Server 2013 on TechNet
- For more information about Passive Authentication, see: