How to allow domain users to connect to OCS 2007 from clients on non-domain computers

  • Question

    Hello,

    I ran into a situation where a US company has employees who have user credentials on the domain of their parent company in Europe.  The parent company has its own domain and the US company has a workgroup.  The two networks are connected via an IPSec tunnel and the users access their mailboxes on the parent company's Exchange server by entering their DOMAIN\UID and password credentials.  Recently, the parent company implemented OCS 2007.  The OCS client worked fine on Windows 2003 by importing the OCS server's certificate into the trusted certificate store on the 2003 machine, and logging in to the server with the same DOMAIN\UID and password credentials.  However, the XP clients could not connect and kept reporting that the certificate was invalid.  The certificate was the same one I used on the 2003 server, so I'm sure it was valid.  Also, the XP machines reported this error prior to generating the invalid certificate error:

    "Communicator was unable to authenticate because an authenticating authority was not reachable.

     Resolution:
     The server may be asking for Kerberos authentication and Communicator is not able to find the Kerberos Domain Controller in order to generate credentials and authenticate.  The network administrator will need to change the configuration on the server to utilize only NTLM authentication before Communicator can login from this location properly, or connectivity will need to be made available to an authenticating authority."

    I can't force the parent company to force NTLM; is there any way to make the client XP machines behave like the clients on the 2003 server?  I tried to change this registry key to 2 on the XP client, but it didn't help:


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "lmcompatibilitylevel"=dword:00000002


    Thanks,


    Martha

    Sunday, July 6, 2008 6:23 AM
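An added check that is not part of the original thread: the error text quoted above is about Kerberos, that is, Communicator could not locate a KDC for the domain, whereas LmCompatibilityLevel only governs which LM/NTLM/NTLMv2 responses the client sends once NTLM is in use. So before touching that value it is worth confirming (a) what the value actually is on the client and (b) whether a domain controller for the parent domain can be located and reached on TCP 88 through the IPSec tunnel at all. The script below does both. It is my own example code, not from the poster or from Microsoft; it assumes the placeholder domain name `parent.example`, an elevated PowerShell session, and that `nltest.exe` is present (built into Vista and later; on XP/2003 it comes with the Windows Support Tools).

```powershell
# Added example (not from the original thread). Assumes an elevated session,
# nltest.exe on the PATH, and the placeholder domain name "parent.example".

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    # Returns the REG_DWORD value, or $null when the value is absent and the
    # OS default applies. This setting only affects LM/NTLM/NTLMv2 responses;
    # it has no effect on whether Kerberos is attempted.
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level)
    # 0/1 send LM and NTLM, 2 sends NTLM only, 3 sends NTLMv2 only,
    # 4 and 5 additionally make a DC refuse LM (4) or LM and NTLM (5).
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    return (Get-LmCompatibilityLevel)
}

function Test-KdcReachable {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [int]$TimeoutMs = 3000
    )
    # Step 1: ask the DC locator for a KDC in the domain. This is the same
    # lookup (DNS SRV _kerberos._tcp.<domain>) that Communicator relies on,
    # so if it fails here, the "authenticating authority was not reachable"
    # message is expected regardless of LmCompatibilityLevel.
    $locator = & nltest.exe /dsgetdc:$Domain /kdc 2>&1
    if ($LASTEXITCODE -ne 0) {
        return @{ Found = $false; Detail = ($locator -join ' ') }
    }
    $match = ($locator | Out-String) | Select-String -Pattern 'DC: \\\\(\S+)'
    if (-not $match) {
        return @{ Found = $false; Detail = 'nltest succeeded but no DC name was parsed' }
    }
    $dc = $match.Matches[0].Groups[1].Value

    # Step 2: a located DC is not necessarily reachable. An IPSec tunnel that
    # only passes the ports Exchange needs will still fail Kerberos, so open
    # a TCP connection to port 88 with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $ar = $client.BeginConnect($dc, 88, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)
            $open = $client.Connected
        }
    } catch {
        $open = $false
    } finally {
        $client.Close()
    }
    return @{ Found = $true; Dc = $dc; Port88Open = $open }
}

# Usage
"LmCompatibilityLevel on this client: $(Get-LmCompatibilityLevel)"
$kdc = Test-KdcReachable -Domain 'parent.example'
if (-not $kdc.Found) {
    "No KDC could be located: $($kdc.Detail)"
} elseif (-not $kdc.Port88Open) {
    "KDC $($kdc.Dc) was located but TCP 88 is blocked; Kerberos will fail"
} else {
    "KDC $($kdc.Dc) reachable on TCP 88; Kerberos should be possible"
}
```

If the locator succeeds and port 88 is open, the remaining difference between the working 2003 box and the XP clients is more likely the certificate chain (the root or intermediate that issued the OCS server certificate must be in the XP machine's trusted store, not just the leaf) than the LSA setting. If the locator fails, the two replies below apply: either the client signs in through the Access Edge, which negotiates NTLM, or the tunnel has to carry DNS and Kerberos traffic to the parent domain.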

All replies

  • Manually configure the clients to connect through the Access Edge.  It will force NTLM.

    Sunday, July 6, 2008 11:29 PM
  • My resolution was to ensure that the users, when signing in to Communicator, include the ".com" in the domain.com\username part of the authentication.

    Wednesday, November 12, 2008 10:22 PM