OCS user login problem in multi-forest environment
(17-Jan-09)
OCS user can't log in when OCS is enabled for "Kerberos and NTLM Authentication"
=================================================================
Office Communications Server is deployed in one forest, a resource forest that hosts the Office Communications Servers but does not host any logon-enabled user accounts. Outside of the resource forest, the user forests host the enabled user accounts but no Office Communications Servers. Within the resource forest, a corresponding disabled user account or contact exists for each user account in the user forests. (You use MIIS, IIFP, etc. to create the corresponding disabled account or contact in the other forest.)
When a user in the user forest tries to log in with Office Communicator, the login fails. When you change the authentication type of the LCS or OCS server to "NTLM", it works fine. If LCS or OCS is configured with "Kerberos and NTLM", the user's login in Office Communicator fails.
When Communicator tries to log in, it gets the following error:
Communicator was unable to authenticate to the server...
This happens because of the trust type between the two forests.
If it is an external trust, the forests can use only NTLM. If they have a forest trust (both sides at the Windows 2003 native functional level), they can use both NTLM and Kerberos.
An external trust doesn't support Kerberos.
http://technet.microsoft.com/en-us/library/cc755700.aspx
In order to enable Kerberos authentication, you need to create a forest trust. Please see the following link about how to do that.
http://technet.microsoft.com/en-us/library/cc776940.aspx
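Before switching OCS to "Kerberos and NTLM", it helps to confirm which kind of trust the resource forest actually has to each user forest. The script below is an added example (not from the original post); it assumes the RSAT ActiveDirectory module is installed and is run in the resource forest by an account that can read the trustedDomain objects. Only the 0x8 attribute bit (forest-transitive) and the Direction property of Get-ADTrust are relied on; the function and column names are the example's own.

```powershell
# Added example: classify each trust of the resource forest as a Kerberos-capable
# forest trust or an NTLM-only external trust, so the matching OCS authentication
# setting can be chosen before users start failing to log in.
Import-Module ActiveDirectory

# trustAttributes bit 0x8 = TRUST_ATTRIBUTE_FOREST_TRANSITIVE (forest trust).
$ForestTransitiveBit = 0x8

function Get-OcsTrustKerberosSupport {
    param(
        # Optional domain controller to query; defaults to the current domain.
        [string]$Server
    )
    $trusts = if ($Server) { Get-ADTrust -Filter * -Server $Server }
              else         { Get-ADTrust -Filter * }

    foreach ($t in $trusts) {
        $isForestTrust = (($t.TrustAttributes -band $ForestTransitiveBit) -ne 0)

        # For accounts in the user forest to authenticate to servers in this
        # (resource) forest, this forest must trust the user forest, i.e. the
        # trust must be Outbound or BiDirectional as seen from here.
        $trustsUserForest = ($t.Direction -in 'Outbound', 'BiDirectional')

        [pscustomobject]@{
            TrustedForest    = $t.Name
            Direction        = $t.Direction
            TrustKind        = if ($isForestTrust) { 'Forest' } else { 'External / other' }
            # Kerberos across the boundary needs a forest trust; an external
            # trust leaves Communicator with NTLM only, which is the failure
            # described above when OCS is set to "Kerberos and NTLM".
            KerberosPossible = ($isForestTrust -and $trustsUserForest)
            SafeOcsAuthMode  = if ($isForestTrust -and $trustsUserForest) { 'Kerberos and NTLM' }
                               else { 'NTLM' }
        }
    }
}

Get-OcsTrustKerberosSupport | Format-Table -AutoSize
```

Any user forest listed with TrustKind "External / other" explains a "Communicator was unable to authenticate to the server" error under "Kerberos and NTLM"; either keep that server on NTLM or replace the external trust with a forest trust as described in the linked article.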
Related Links:
Inter-forest LCS\OCS deployment without an identity integration application (MIIS, IIFP, etc.)