The Problem
Lync password prompts when connecting over Edge server : “Lync needs your user name and password to connect for retrieving calendar data from Outlook”
When the Lync client signs in, it also attempts to retrieve availability data via Exchange Web Services. It does so via the Autodiscover functionality built into Exchange.
Lync Communicator will issue SOAP requests (over HTTPS) to the published Autodiscover server, who returns the URLs for the Microsoft Exchange Client Access Server(s) that will feed the availability data back to Lync Communicator.
The additional prompt for authentication comes from Communicator being hard-wired to authenticate using NTLM. When IIS (on the Exchange CAS machines) returns it’s WWW-Authenticate headers, it does so in the form of:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
When Communicator attempts to negotiate authentication using your cached credentials (over the Internet), it will fail with a “401.2 Unauthorized”, and subsequently prompt you for authentication as above.
How do we do that?
Client side
From Internet Explorer – Tools, Internet Options, Advanced, scroll down to the “Security” section, un-check “Enable Integrated Windows Authentication”, you should no longer receive the additional authentication prompt from Lync
Server Side
I prefer the server side fix as it solves the problem for everyone in a single swoop
In this fix we are instructing IIS on the Exchange CAS server(s) to offer NTLM as the first authentication provider (with Negotiate as the fallback provider) in the WWW-Authenticate header.
On the CAS Server do the following:
- Open the IISmanager
- expand the Default Web site
- Select EWS and Autodicover and click on authentication
- Select Windows Authentication
- on the right hand pane select ” providers”
- Move the “NTLM” to the top
- Click ok
- Close IIS manager
- open command prompt
- type “iisreset /noforce”
- make sure IIS admin service and WWW services are started.
I did have one final prompt for credentials, probably cause the cache had been altered by my endless testing, but this time adding my credentials was successful.