How does user authentication happens in Lync branch site ?
- Lync client will generate a DNS SRV request to identify Lync Pool FQDN .This request will forward to Lync central AD site and it returns director pool FQDN .
- Lync client will send a TLS sip registration request to director and director will returns a certificate challenge for client
- Client connects lync 2010 certificate service its windows credential . Server create a certificate and returns it to client as well as SBA device via replication .
- With issued certificate , client will sent a sip register request to director . Director will again redirect the request to branch site SBA as user’s primary pool is set to SBA.
- Client will sent a new sip registration request to SBA , it will authenticate after verifying the certificate . Client will cache the certificate for reuse .
Why certificate based authentication model ?
- Incase WAN connection goes down between branch site and central site , user would still authenticate with local certificate .
- No dependency on central site domain controller.
- Above authentication process is a one-time activity for new users , hence local authentication against SBA would be fast .