Survivable branch appliance – User authentication

 How does user authentication happen at a Lync branch site?  

  • The Lync client issues a DNS SRV query (_sipinternaltls._tcp.<sipdomain>) to discover the FQDN of its registrar. The query is resolved by DNS at the central site and returns the Director pool FQDN.
  • The client sends a SIP REGISTER request over TLS to the Director. Because the client holds no certificate yet, the Director rejects the request with a challenge that offers certificate-based (TLS-DSK) authentication.
  • The client connects to the Lync Server 2010 Certificate Provisioning Service and authenticates with the user's Windows credentials. The server issues a client certificate and returns it to the client; the certificate information is also made available to the SBA through replication.
  • Using the issued certificate, the client sends a new SIP REGISTER to the Director. The Director redirects the request to the branch-site SBA, because the user's primary registrar pool is the SBA.
  • The client sends a SIP REGISTER to the SBA, which authenticates the user after verifying the certificate. The client stores the certificate in the user's certificate store and reuses it for subsequent sign-ins until it expires. 
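The following PowerShell script is an added example, not part of the original post and not a Microsoft tool. It walks the dependencies of the sign-in sequence above from an administrator's desk: the SRV record the client queries, the client certificate cached in the user's personal store (the thing that lets a returning user authenticate against the SBA when the WAN is down) together with its remaining validity, and, where the Lync Server Management Shell is installed, the user's registrar pool and the configured certificate validity period. The SIP domain contoso.com and the user alice@contoso.com are placeholders.

```powershell
# Added example (not from the original post): checks the pieces a branch user's
# sign-in depends on, following the steps described above.
# Assumptions: SIP domain contoso.com, user alice@contoso.com, and the Lync
# Server Management Shell available for the server-side checks. Run it in the
# context of the user whose cached certificate you want to inspect.

$SipDomain = 'contoso.com'           # assumption
$UserSip   = 'sip:alice@contoso.com' # assumption

# 1. The SRV record the client queries to find its registrar (step 1).
Write-Host "DNS SRV lookup for _sipinternaltls._tcp.$SipDomain"
nslookup -type=SRV "_sipinternaltls._tcp.$SipDomain"

# 2. The cached client certificate (step 5). The Lync client keeps it in the
#    user's personal store; it is issued by the pool's internal CA, which shows
#    up as 'Communications Server' in the Issuer field.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*Communications Server*' }

if (-not $certs) {
    Write-Warning 'No Lync client certificate cached: this user needs the central site to sign in.'
} else {
    foreach ($c in $certs) {
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        '{0}  expires {1:yyyy-MM-dd}  ({2} days left)' -f $c.Subject, $c.NotAfter, $daysLeft
        if ($daysLeft -lt 14) {
            # Renewal goes through the Certificate Provisioning Service at the
            # central site, so an expiring certificate is a survivability risk.
            Write-Warning 'Certificate expires soon; renewal requires reaching the central site.'
        }
    }
}

# 3. Server side (requires the Lync Server Management Shell): confirm the user
#    is homed on the SBA (step 4) and see how long issued certificates stay valid.
if (Get-Command Get-CsUser -ErrorAction SilentlyContinue) {
    Get-CsUser -Identity $UserSip | Select-Object SipAddress, RegistrarPool
    Get-CsWebServiceConfiguration | Select-Object Identity, DefaultValidityPeriodHours
}
```

The second section is the one to run on a branch workstation before a planned WAN outage: a user with no cached certificate, or one about to expire, will not be able to sign in against the SBA on its own.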

Why a certificate-based authentication model?  

  • If the WAN link between the branch site and the central site goes down, users who already hold a certificate can still authenticate locally against the SBA.
  • Sign-in does not depend on a domain controller at the central site.
  • The provisioning process above is a one-time activity for a new user (repeated only when the certificate expires), so day-to-day authentication against the SBA is fast. The flip side is that a user who has never signed in, or whose certificate has expired, still needs the central site to obtain a certificate and cannot sign in while the WAN is down.