Setting up OCS to work with Kerberos

  • Question

  • Hi guys,


    I have a question related to setting up Kerberos authentication with Communicator Web Access. As far as I know, on the OCS front-end server the combination of Kerberos/NTLM is used as the default authentication protocol. After having an authentication or ticket-granting server in place, what needs to be done on the OCS side to get authentication working using Kerberos? Does anyone of you have documentation with best practices on configuring Kerberos?


    I found the following instructions regarding MOSS2007.




    Can we follow the same procedure for the Communicator Web Access server? Since Kerberos is not supported for external users, do I have to set up a separate website that authenticates using basic authentication for external users?



    Friday, September 12, 2008 12:09 PM

All replies

  • From CWA planning guide...
    Forms-Based Authentication

    Forms-based authentication can be used by internal users (for example, those who are using a non-Windows operating system) and must be used by remote users. In forms-based authentication, a sign-in page is submitted to the server with the user’s credentials. The Communicator Web Access (2007 release) authentication module and the use of SSL ensure that credentials are encrypted.

    Well... for external users, you would be setting up a server with an external virtual directory and enabling forms-based authentication.

    R. Kinker
    MCSE 2003 (Messaging), MCTS - LCS 2005, MCTS - OCS 2007
    Friday, September 12, 2008 8:38 PM
  • And what about setting up the internal CWA virtual website? Which extra settings do I need to apply to enable authentication using Kerberos?




    Monday, September 15, 2008 12:42 PM
  • Thomas,


    The internal website should use Kerberos automatically if the user (or group policy) puts the Communicator website in the intranet zone; if a site is in the intranet zone, the credentials will automatically be forwarded to the server.

    If you really need to configure Kerberos, follow these steps:


    1. Make the SPN: setspn -A http/<communicatorurl> domain\computername


    where the Communicator URL is the http(s) link of the website, so for https and with computer name dwnlocs02 it should be:

    setspn -A http/communicator.domain.org domain\dwnlocs02


    2. Go to Active Directory Users and Computers, open the properties of the server running CWA and go to the Delegation tab.

    Choose that it can delegate Kerberos for any service. I did not test it with only http as the service.


    That's it.


    I will post a complete installation manual at http://dwjack.spaces.live.com/ for cwa internal and with using ISA / TMS




    Thursday, September 18, 2008 10:48 PM
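The SPN and delegation steps from the reply above, as an added PowerShell example (not from the original post, and not Microsoft's own CWA documentation). It assumes the RSAT ActiveDirectory module on a domain-joined admin machine, the names used in the post (domain dwnlocs02, URL communicator.domain.org), and that the CWA application pool runs as Network Service, which is the only case in which the SPN belongs on the computer account; if the pool runs as a domain service account, the SPN and the delegation settings go on that account instead. The delegation target SPN is a placeholder. Two things the post does not say that a practitioner will want: the SPN is checked for duplicates before it is registered, because a duplicate SPN makes the KDC refuse the ticket and clients silently fall back to NTLM, and constrained delegation to one named service is shown in place of the "any service" (unconstrained) choice, since unconstrained delegation lets the CWA server impersonate every connecting user to every service in the forest. The last section is run on a client as the user and covers the intranet-zone point from the same reply.

```powershell
# Added example, not from the original post. Names (domain.org, dwnlocs02,
# communicator.domain.org) are the ones the post uses; $DelegateTo is a PLACEHOLDER
# that must be replaced with the SPN of the service CWA really needs to reach.
Import-Module ActiveDirectory

$Computer   = 'dwnlocs02'
$Spn        = 'http/communicator.domain.org'   # service class is http even for an https URL
$DelegateTo = 'http/frontend.domain.org'       # placeholder, see above

# --- 1. Register the SPN, but only if no other account already owns it ---------------
# A duplicate SPN is the classic Kerberos failure: the KDC cannot choose an account,
# the TGS request fails, and the browser quietly falls back to NTLM.
$owners  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
$me      = Get-ADComputer -Identity $Computer
$foreign = $owners | Where-Object { $_.DistinguishedName -ne $me.DistinguishedName }

if ($foreign) {
    throw "SPN $Spn is already registered on: $($foreign.DistinguishedName -join '; ')"
}
if ($owners.Count -eq 0) {
    # Same effect as 'setspn -S', which also refuses to create a duplicate.
    Set-ADComputer -Identity $Computer -ServicePrincipalNames @{ Add = $Spn }
}

# --- 2. Delegation --------------------------------------------------------------------
# The post selects "any service" (unconstrained), i.e. the TRUSTED_FOR_DELEGATION flag:
#   Set-ADComputer -Identity $Computer -TrustedForDelegation $true
# Constrained delegation, Kerberos only, to one named service is the narrower choice:
Set-ADComputer -Identity $Computer -TrustedForDelegation $false
Set-ADComputer -Identity $Computer -Add @{ 'msDS-AllowedToDelegateTo' = $DelegateTo }

# --- 3. Verify what is now in the directory ------------------------------------------
Get-ADComputer -Identity $Computer -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# --- Client side (run as the user, or push via the "Site to Zone Assignment List" GPO) ---
# Internet Explorer only sends the Kerberos ticket without prompting for sites in the
# Local intranet zone (zone 1): ZoneMap\Domains\<domain>\<host>, value name = scheme.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.org\communicator'
New-Item -Path $zone -Force | Out-Null
New-ItemProperty -Path $zone -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# After opening https://communicator.domain.org once, the client's ticket cache should
# hold a service ticket for HTTP/communicator.domain.org. Purge first if an old ticket
# or an earlier NTLM fallback is cached.
klist purge
Start-Process 'https://communicator.domain.org'
Start-Sleep -Seconds 5
klist
```

If klist shows no HTTP/communicator.domain.org ticket after the page loads, the usual causes are a duplicate or missing SPN, the site not being in the intranet zone, or the application pool running under an account other than the one that holds the SPN.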
  • Thank you all for your help!




    Friday, September 19, 2008 11:01 AM
  • It is also interesting to know that Communicator Web Access has an option for single sign-on that is based on Kerberos.


    "Integrated Windows authentication uses Kerberos Version 5 network authentication, which is available only to internal users. Kerberos is used by default for internal users who sign in by using the Internet Explorer® Internet browser, who are signed in with domain credentials, and whose computer is running a supported version of Windows; the NTLM challenge/response authentication protocol is used when computers are not domain members or when Kerberos is not available.

    When you use integrated Windows authentication, Communicator Web Access users can be authenticated by using quick sign-in. After configuring the necessary security settings in Internet Explorer, the user signs in to Communicator Web Access by entering a URI such as the following: https://server.contoso.com/quicksignin."


    You can read more about it on






    Monday, September 22, 2008 12:10 PM
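The planning guide text above says Kerberos is used by default for internal IE users and that NTLM is the fallback. The following is an added PowerShell check, not from the original thread or the planning guide, that shows which of the two actually authenticated recent network logons on the CWA server. It assumes it runs on the CWA server with the Windows Server 2008 or later Security event schema (event 4624) and rights to read the Security log; it looks only at network logons (type 3), which is what Integrated Windows authentication through IIS produces, and drops machine accounts by their trailing $.

```powershell
# Added example, not from the original thread. Run on the CWA server; needs rights to
# read the Security log. Assumes the Windows Server 2008+ event schema (event 4624).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML instead of relying on
    # positional indices, which differ between Windows versions.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.LogonType -eq '3' -and $d.TargetUserName -notmatch '\$$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            Package     = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            LmPackage   = $d.LmPackageName               # e.g. 'NTLM V2' when Package is NTLM
        }
    }
}

# Summary: how many logons came in over each package in the last 24 hours.
$rows | Group-Object Package | Select-Object Name, Count

# Detail: every interactive user who fell back to NTLM, so the cause can be chased
# (site not in the intranet zone, non-domain machine, SPN problem, non-IE browser).
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Sort-Object Time | Select-Object Time, User, Workstation, LmPackage
```

A server where every internal logon shows Package = NTLM usually has an SPN problem rather than a client problem; a mix of Kerberos and NTLM from the same users usually points at the intranet-zone setting on the clients that fall back.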