Microsoft mercifully added passive authentication to Lync 2013, giving Lync admins the ability to require two-factor authentication for external access to Lync (by integrating two-factor authentication into ADFS). Unfortunately, authentication options are a pool-wide setting, meaning that if you turn on passive authentication for your pool, all clients will use, and must support, passive authentication. If it is configured on the main pool, any client that isn’t Lync 2013 (Lync 2010, third-party conferencing equipment using SIP, or Lync 2010 version phones) will no longer be able to connect.

At this point, you have three options:

  1. Don’t use passive authentication until all clients are upgraded to Lync 2013,
  2. Configure ADFS to require two factors only via the ADFS proxy and perform single sign-on internally (the default configuration), or
  3. Create a director pool, configure it for passive authentication, and leave Kerberos and NTLM enabled on the home pool.

This blog post gives an overview of option 3, which includes the added benefit of internal clients continuing to use Kerberos or NTLM.

For the purposes of discussion, the director pool name is dirpool01 and the home pool is pool01.

After provisioning the director pool and configuring it for passive authentication, the desired sign-in behaviour can be achieved by configuring DNS and the next hop pool for the edge pool.

| DNS record | Destination | DNS host (zone) |
|---|---|---|
| lyncdiscover.<domain> | dirpool01 | External |
| _sip._tls.<domain> | dirpool01 | External |
| lyncdiscoverinternal.<domain> | pool01 | Internal |
| _sipinternaltls._tcp.<domain> | pool01 | Internal |

In this scenario, internal clients will connect to lyncdiscoverinternal (or _sipinternaltls._tcp.<domain> for Lync 2010 clients) and find pool01, which is configured for NTLM and Kerberos authentication. External clients will connect in through lyncdiscover (or _sip._tls.<domain> for Lync 2010 clients) and find dirpool01, which is configured for passive authentication and redirects them to ADFS to authenticate. The director pool accepts the ADFS token and then redirects the client to its home pool.
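The split described above only works if the two pools really do end up with different authentication settings: the director pool offering WS-Federation passive authentication only, and the home pool still accepting NTLM and Kerberos for both web services (Lync 2013 clients) and the SIP proxy (Lync 2010 clients, phones and SIP devices). The following Lync Server Management Shell script is an added example, not code from the original post: it reads the per-pool web service and proxy configuration, compares it against that expected split, and only then points the edge pool's next hop at the director pool. The domain, pool and edge names are assumptions; substitute your own, and note that the next-hop change is assumed to be done with Set-CsEdgeServer here, whereas the post describes doing it through the topology.

```powershell
# Added example (not from the original post). Assumed names: contoso.com,
# dirpool01 (director, passive auth), pool01 (home pool, NTLM/Kerberos),
# edgepool01 (edge pool whose next hop should be the director).
# Run from the Lync Server Management Shell with RTCUniversalServerAdmins rights.

$Domain   = 'contoso.com'                  # assumed SIP/DNS domain
$Director = "dirpool01.$Domain"            # director pool FQDN
$HomePool = "pool01.$Domain"               # home pool FQDN
$EdgePool = "edgepool01.$Domain"           # edge pool FQDN

# Expected state per pool: director = passive only, home pool = Windows auth only.
$Expected = @{
    $Director = @{ WsFedPassive = $true;  WebWindowsAuth = 'None';      SipWindowsAuth = $false }
    $HomePool = @{ WsFedPassive = $false; WebWindowsAuth = 'Negotiate'; SipWindowsAuth = $true  }
}

function Test-PoolAuthSettings {
    param([string]$PoolFqdn, [hashtable]$Want)

    # Web service settings govern Lync 2013 clients and Lyncdiscover.
    # If no pool-scoped settings exist, the Global settings apply.
    $web = Get-CsWebServiceConfiguration -Identity "Service:WebServer:$PoolFqdn" -ErrorAction SilentlyContinue
    if (-not $web) { $web = Get-CsWebServiceConfiguration -Identity Global }

    # Proxy settings govern SIP clients (Lync 2010, phones, conferencing devices).
    $proxy = Get-CsProxyConfiguration -Identity "Service:Registrar:$PoolFqdn" -ErrorAction SilentlyContinue
    if (-not $proxy) { $proxy = Get-CsProxyConfiguration -Identity Global }

    $sipWindowsAuth = [bool]($proxy.UseKerberosForClientAuth -or $proxy.UseNtlmForClientAuth)
    $ok = ([bool]$web.UseWsFedPassiveAuth -eq $Want.WsFedPassive) -and
          ([string]$web.UseWindowsAuth   -eq $Want.WebWindowsAuth) -and
          ($sipWindowsAuth               -eq $Want.SipWindowsAuth)

    [pscustomobject]@{
        Pool           = $PoolFqdn
        WsFedPassive   = $web.UseWsFedPassiveAuth
        WebWindowsAuth = $web.UseWindowsAuth
        SipKerberos    = $proxy.UseKerberosForClientAuth
        SipNtlm        = $proxy.UseNtlmForClientAuth
        AsExpected     = $ok
    }
}

$results = foreach ($pool in $Expected.Keys) {
    Test-PoolAuthSettings -PoolFqdn $pool -Want $Expected[$pool]
}
$results | Format-Table -AutoSize

if ($results.AsExpected -contains $false) {
    Write-Warning 'Pool authentication settings do not match the director/home split; fix them before changing the edge next hop.'
    return
}

# Point the edge pool's internal next hop at the director pool (assumption:
# done here with Set-CsEdgeServer; the post does this in the topology).
# Enable-CsTopology publishes the changed topology document.
Set-CsEdgeServer -Identity "EdgeServer:$EdgePool" -Registrar "Registrar:$Director"
Enable-CsTopology
```

The check is deliberately two-sided: a director pool that still accepts NTLM or Kerberos silently defeats the two-factor requirement for external users, while a home pool that has lost them breaks every non-Lync-2013 client, which is exactly the failure the director pool design is meant to avoid.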

[Figure: Lync 2013 External Passive Auth]

Some notes about this solution: