Abstract: Following up on our announcement today about new features available with updated Lync 2013 Mobile clients, we are excited to share more details about Lync 2013 Mobile client’s support for certificate authentication and passive authentication.
Author: Kaushal Mehta, Sr. Lync Beta Engineer
Publication date: 10/08/2013
Product version: Lync 2013
Some customers prefer to limit the use of Active Directory (AD) username and password credentials in order to address a range of security concerns, including those associated with the use of smartphones and tablets. It has been challenging for these customers to take advantage of Lync mobile clients which have until now relied on AD credentials for authentication.
With the updated Lync 2013 mobile clients (version 5.2, now available for iOS and Windows Phone), customers can take advantage of Lync Server support for Certificate Authentication or Passive Authentication and configure their environment to enable mobility scenarios. Notably, we are addressing these concerns in a way that minimizes the impact on end users.
Certificate authentication has been a proven solution since the Lync Server 2010 release, and Lync desktop clients already support this authentication method.
Figure 1: Lync 2013 Mobile Client Certificate Authentication flow diagram
In this method, the Lync user signs in using AD credentials (same as before), but in the background the client also obtains a Lync certificate, which is used for ongoing authentication. The AD credentials are stored only as long as the current Lync application session is running; once either Lync or the device is restarted, only the certificate remains stored locally.
Please note: When this in-band policy is enabled, or in general when credentials aren’t stored on the device, the Lync mobile client cannot authenticate against Exchange Web Services (EWS).
For more details about Lync Server Certificate Authentication in general, please visit Certificate Authentication in Lync Server 2010 and Enterprise PKI.
This type of authentication lets customers have their users authenticate passively and hence customize the authentication experience as desired. Passive authentication relies on AD FS 2.0, which performs the initial authentication. The user signs in by typing the sign-in address only (no password), taps sign in, and is redirected to AD FS for authentication. The AD FS server passes back an authentication token trusted by Lync Server, which the mobile client uses to sign in. As a result, no user credentials are stored in the device’s encrypted memory or any other mobile storage location. Subsequent authentication between the Lync mobile client and Lync Server uses the certificate retrieved during the initial sign-in.
Figure 2: Lync 2013 Mobile Client Passive Authentication flow diagram
When signing in from a Windows Phone, the expected user experience with AD FS configured for forms-based authentication is shown below.
Figure 3: Client Sign in
The AD FS server can be configured to enable other forms of authentication (for two-factor authentication). This includes customized forms of authentication as well as support for third-party AD FS based solutions. Please note that smart card based authentication is not possible on a smartphone device at present.
For detailed step-by-step instructions on how to configure your Lync deployment for passive authentication, see the blog post Microsoft Lync 2013 for Mobile and Passive Authentication by Jens Trier Rasmussen.
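The server-side switches behind the two mobile sign-in flows described above, plus the revocation step a defender needs when a phone is lost, as an added example that is not part of the original post or of the Jens Trier Rasmussen walkthrough. It assumes the Lync Server 2013 Management Shell; the AD FS host name and the user SIP address are placeholders, and the AD FS relying party trust for Lync is assumed to already exist.

```powershell
# Added example, not from the original post. Run in the Lync Server 2013
# Management Shell. adfs.contoso.com and sip:alice@contoso.com are placeholders.

# --- Web services settings for the two mobile sign-in flows ---
# Certificate authentication: the Lync certificate is the only credential left
# on the device after an app or device restart, so it must stay enabled.
# Passive authentication: point the Lync web services at the AD FS 2.0
# federation metadata so the client can be redirected to AD FS and the
# returned token is trusted by Lync Server.
$adfsMetadata = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"  # placeholder

Set-CsWebServiceConfiguration -Identity Global `
    -UseCertificateAuth $true `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri $adfsMetadata

# Verify the effective global settings before rolling the clients out.
Get-CsWebServiceConfiguration -Identity Global |
    Select-Object UseCertificateAuth, UseWsFedPassiveAuth, WsFedPassiveMetadataUri

# --- Handling a lost or stolen device ---
# With either flow, what remains on the phone is the Lync certificate, not the
# AD password, so the credential to act on is that certificate.
$user = "sip:alice@contoso.com"   # placeholder

# Inspect the certificate(s) Lync Server has issued to this user.
Get-CsClientCertificate -Identity $user | Format-List

# Revoke them. The user re-authenticates on next sign-in (AD credentials or the
# AD FS redirect, depending on the flow) and receives a fresh certificate; the
# revoked one is no longer accepted for ongoing authentication.
Revoke-CsClientCertificate -Identity $user
```

Resetting the AD password alone does not invalidate a certificate already on a lost device; the revocation above is the step that does.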
We truly believe that Lync 2013 Mobile client support for Certificate and Passive authentication will help address key Enterprise IT security concerns and, more importantly, without requiring users to worry about security policies. The following table demonstrates this.

| | Lync Mobile 2013 with Kerberos/NTLM | Lync Mobile 2013 with certificate authentication | Lync Mobile 2013 with passive authentication |
|---|---|---|---|
| Eliminates need to store AD Credentials on device | | | |
| Restricts use of AD Credentials to corporate network only | | | |
| Eliminates need to have users configured with AD credentials | | | |
| Provides option for Two Factor Authentication | | | √* |

√* - Passive authentication using AD FS in combination with customized authentication or third-party two-factor authentication solutions is required.