Mino – The UC Guy

Microsoft Unified Communications Blog

How to allow domain users to connect to Lync 2010 or OCS 2007 from Clients running on non-domain computers

Posted by Mino on September 15, 2010

I had a situation in our company where a few exceptional users have domain credentials but work on computers that are not joined to the domain.

However, these computers run over the LAN or WAN, can communicate with the internal DNS, and have the certificate chain of the CA imported. The users sign in to mail and MOSS with DOMAIN\UID and password credentials, and everything is working fine.

When I installed the OCS 2007 R2 client on their machines and tried to log in the same way as for mail, using DOMAIN\UID, I was not able to log in and I received the event log warning below:

"Communicator was unable to authenticate because an authenticating authority was not reachable.”
Resolution:
The server may be asking for Kerberos authentication and Communicator is not able to find the Kerberos Domain Controller in order to generate credentials and authenticate.  The network administrator will need to change the configuration on the server to utilize only NTLM authentication before Communicator can login from this location properly, or connectivity will need to be made available to an authenticating authority"

 

Also, as a test, I removed the OCS 2007 R2 client and installed the new Lync RC client on the same machine. I know it is not a supported scenario, but I was just testing it. Now the user was able to log in, but the client disconnects after 10 seconds and then reconnects again, and it keeps going in this loop. I also found the same warning in the event log.

I know why this is happening, and I know it would have been solved from the beginning if I had forced OCS to use NTLM only rather than Kerberos, but this was not something I could force.

So in the end the solution to this problem was simple:

Ensure that users, when signing in to Communicator 2007 or Lync 2010, include the ".local" in the domain.local\username part of the authentication and do not use DOMAIN\username.
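A way to check the condition the event log warning describes from one of the non-domain machines, as an added PowerShell example that is not part of the original post: it takes the sign-in name, looks up the Kerberos SRV records published under the DNS domain part, and tests whether each KDC answers on its port. `domain.local\username` is the post's placeholder, and the script assumes a Windows version that ships `Resolve-DnsName` and `Test-NetConnection`.

```powershell
# Added diagnostic example, not from the original post.
# Assumption: Resolve-DnsName and Test-NetConnection are available on this machine.
param(
    [string]$SignInName = 'domain.local\username'   # placeholder value from the post
)

# Extract the domain part from DOMAIN\user or user@domain.
if ($SignInName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
    $domain = $Matches['dom']
} elseif ($SignInName -match '^(?<user>[^@]+)@(?<dom>.+)$') {
    $domain = $Matches['dom']
} else {
    throw "Unrecognised sign-in name format: $SignInName"
}

# A name without a dot is a NetBIOS-style short name: there is no DNS zone
# under which KDC SRV records could be looked up for it.
if ($domain -notmatch '\.') {
    Write-Warning "'$domain' is a short (NetBIOS) name; use the DNS domain name so a KDC can be located."
    return
}

# Kerberos KDCs are published as SRV records under the DNS domain name.
$srvName = "_kerberos._tcp.$domain"
$records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }

if (-not $records) {
    Write-Warning "No SRV records for $srvName; check that this machine queries the internal DNS servers."
    return
}

# Probe each advertised KDC on its published port (normally TCP 88).
foreach ($r in $records) {
    $probe = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        KDC       = $r.NameTarget
        Port      = $r.Port
        Reachable = $probe.TcpTestSucceeded
    }
}
```

If every KDC shows `Reachable = False`, the remaining options are the two the warning itself names: NTLM on the server side, or network connectivity to an authenticating authority.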


3 Responses to “How to allow domain users to connect to Lync 2010 or OCS 2007 from Clients running on non-domain computers”

  1. […] How to allow domain users to connect to Lync 2010 or OCS 2007 from Clients running on non-domain computers « Mino – The UC Guy Posted on September 15, 2010 by johnacook http://theucguy.wordpress.com/2010/09/15/how-to-allow-domain-users-to-connect… […]

  2. nizar said

    Thank you Mino for this article. I have the same issue with a lab of Lync 2010: when I tried to connect from a non-domain computer and used username@domain.com, the problem occurred, and I can’t use domain.com\username. Where do I configure this login address?

    Regards

  3. Zach said

    I have this exact problem. I’m at a client and trying to log in to their OCS. Same client version, certificates loaded, DNS confirmed, confirmed SIP ID, confirmed password. It works on one co-worker’s laptop, but no others other than domain computers (I can log into his and he cannot log into my machine).

    I tried the domain.local\username but this didn’t work (“Communicator was unable to authenticate because an authenticating authority was not reachable.”).

    What I see in the trace file is the OCS server offering NTLM and Kerberos but the client only using Kerberos. I don’t think this will work since it’s not a domain computer.

    Any other ideas other than domain.local\username?

    Zach
