This is my first blog post about Lync, more will come but since most of them probably will be about authentication in one way or another this post seems like a good start.
I started to look into the Lync authentication process after getting a lot of questions from customers who wanted to know if and how they could increase the security of their planned Lync environment. Specifically how to handle mobile clients. However, before we go into how to make the Lync environment more secure we need to understand how authentication works.
Microsoft Lync Server 2013 supports A LOT of different clients, it is clearly one of its strengths. There’s a client for PCs, Macs, smartphone, tablets and IP-phones to name some of them. Depending on the type and version of the client being used you gain access to a different set of features from the plethora of Lync features. There is, however, one thing all these clients have in common. To enjoy the wonderful world of unified communications each and any of these clients have to tell the server who is connecting. Simply put, anyone connecting to a Lync server has to authenticate themselves. This is neither shocking nor surprising in any way but it is a very important part of any system using digital identities.
Diving into the authentication process I quickly realized that the authentication process differs depending on the client and its network location. Digging even deeper (thank you Wireshark), I started looking at the actual requests and responses that takes places during a Lync sign-in. Whatever authentication protocol the client uses there are a few steps that each client does before it reaches to the stage where it actually authenticates to the server.
1. Lync discover
This works similar to the Exchange autodiscover. It is used mainly to figure out if the client is an internal or external client and where to connect.
2. Metadata Exchange (MEX)
When the client knows where to connect it makes a connection the MEX service. The MEX service exposes metadata about the service, essentially it provides information about how the server is configured. It tells a client how and where it should do authentication.
3. Acquire a webticket
What each Lync client want is a webticket. The webticket is used throughout the whole Lync experience. It’s the master ticket, the one ticket to rule them all, the… You get it. To acquire this ticket the client connects to the webticket service which then prompts the user for authentication. This is where it starts to differ between the clients.
Lync 2013 supports many authentication protocols and this post will not discuss all of them but the following list shows the authentication protocol being used by some Lync clients in a default installation.
|PC-client (internal network)||Kerberos|
|PC-client (external network)||NTLM|
|Android||NTLM (Versions prior to 5.4 use SOAP)|
|Lync Web App (domain user)||SOAP|
|Lync Web App (guest)||SOAP (Anonymous)|
My next post about Lync will discuss what can be done to increase the security for Lync 2013.