How to allow domain users to connect to Lync 2010 or OCS 2007 from Clients running on non-domain computers
Posted by Mino on September 15, 2010
I had a situation in our company where we have an exceptional few users who have domain credentials but work on computers that are not joined to the domain.
However, these computers are on the LAN or WAN, can communicate with the internal DNS, have the CA certificate chain imported, and use DOMAIN\UID and password credentials to log in to mail and MOSS; everything works fine.
When I installed the OCS 2007 R2 client on their machines and tried to log in the same way as for mail, using DOMAIN\UID, I was not able to log in and I received the below event log warning:
"Communicator was unable to authenticate because an authenticating authority was not reachable.
The server may be asking for Kerberos authentication and Communicator is not able to find the Kerberos Domain Controller in order to generate credentials and authenticate. The network administrator will need to change the configuration on the server to utilize only NTLM authentication before Communicator can login from this location properly, or connectivity will need to be made available to an authenticating authority."
Also, for testing, I removed the OCS 2007 R2 client and installed the new Lync RC client on the same machine. I know it is not a supported scenario, but I was just testing it. Now the user was able to log in, but it disconnects after 10 seconds and then reconnects again, and it keeps looping like this. I also found the same warning in the event log.
I know why this is happening, and I know it would have been solved from the beginning if I had forced OCS to use NTLM only rather than Kerberos, but this was not something I could force.
So in the end the solution to this problem was simple:
Ensure that users, when signing in to Communicator 2007 or Lync 2010, include the ".local" in the domain part of the credentials, i.e. domain.local\username rather than DOMAIN\username.
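As an added diagnostic (not part of the original post), the script below checks from a non-domain-joined Windows client whether the Kerberos KDC can be discovered through DNS for a given domain name, which is the lookup behind the "authenticating authority was not reachable" warning. It assumes the client uses the internal DNS servers and uses "corp.local" as a placeholder for the real domain.local name.

```powershell
# Added diagnostic, not from the original post. "corp.local" is a placeholder
# for the domain's DNS name (the "domain.local" the post refers to).
param([string]$DnsDomain = "corp.local")

function Test-KerberosKdcDiscovery {
    param([Parameter(Mandatory)][string]$DnsDomain)

    # Kerberos clients find a KDC via the _kerberos._tcp SRV record of the DNS
    # domain name. That lookup needs the DNS form of the domain, which is why
    # the post's fix is to sign in as domain.local\username.
    $srvName = "_kerberos._tcp.$DnsDomain"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return [pscustomobject]@{
            Domain = $DnsDomain; SrvRecord = $srvName; KdcFound = $false
            Reachable = @(); Note = "SRV lookup failed: $($_.Exception.Message)"
        }
    }

    # Port 88 is the Kerberos port; a plain TCP connect shows whether each
    # advertised KDC is reachable from this network location.
    $reachable = foreach ($r in $srv) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($r.NameTarget, $r.Port)
            $r.NameTarget
        } catch {
            # unreachable KDC: skip it
        } finally {
            $client.Dispose()
        }
    }

    [pscustomobject]@{
        Domain    = $DnsDomain
        SrvRecord = $srvName
        KdcFound  = ($srv.Count -gt 0)
        Reachable = @($reachable)
        Note      = if ($reachable) {
            "KDC reachable; sign in as $DnsDomain\username, not DOMAIN\username."
        } else {
            "No KDC reachable on TCP 88; check DNS servers and firewall rules."
        }
    }
}

Test-KerberosKdcDiscovery -DnsDomain $DnsDomain | Format-List
```

Run it on the affected client with the real domain name; if the SRV lookup fails, the client is not using the internal DNS and no sign-in format will help.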