There are many blogs and posts on the Lync client sign-in process. With this blog, I have tried to put everything on one page.
There are five steps in the Lync sign-in process:
- Locating a server
- TCP connectivity check
- TLS encryption
- Authentication and authorization
- Redirection
Step 1: Locating a server (Application layer)
The Lync client issues the DNS queries below, which are hard-coded in the client.
- lyncdiscoverinternal.<domain> A (host) record for the Autodiscover service on the internal Web services
- lyncdiscover.<domain> A (host) record for the Autodiscover service on the external Web services
- _sipinternaltls._tcp.<domain> SRV (service locator) record for internal TLS connections
- _sipinternal._tcp.<domain> SRV (service locator) record for internal TCP connections (performed only if TCP is allowed)
- _sip._tls.<domain> SRV (service locator) record for external TLS connections
- sipinternal.<domain> A (host) record for the Front End pool or Director, resolvable only on the internal network
- sip.<domain> A (host) record for the Front End pool or Director on the internal network, or the Access Edge service when the client is external
- sipexternal.<domain> A (host) record for the Access Edge service when the client is external
All these DNS queries are issued simultaneously.
For detailed information on Lync Server DNS records and requirements, see the Lync Server DNS requirements documentation.
From the DNS responses, the client obtains the address of the registrar server. The registrar server can be a Front End server, a Front End pool, a Director, or an Edge server, depending on the configuration and the user's location.
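As an added example (not code from the original post), the following Python script issues the record lookups listed above in parallel, the way the text says the client does, and then picks a registrar candidate from whatever answered. The preference order in `pick_registrar()`, the default port 5061 for A-record hits, and the `contoso.example` sample zone are assumptions made for this demo; the post lists the queries but does not state the client's selection order. With the default `stdlib_resolver` the script only resolves A records, since SRV lookups need a DNS library such as dnspython.

```python
"""Step 1 of the Lync sign-in, modelled as a concurrent DNS lookup with a pluggable resolver.

Added example. The record names come from the post; the registrar preference order,
the default port for A-record hits and the sample zone are assumptions for this demo.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

# (name template, record type) pairs the client queries; all are issued at once.
LYNC_QUERIES: List[Tuple[str, str]] = [
    ("lyncdiscoverinternal.{d}", "A"),
    ("lyncdiscover.{d}", "A"),
    ("_sipinternaltls._tcp.{d}", "SRV"),
    ("_sipinternal._tcp.{d}", "SRV"),
    ("_sip._tls.{d}", "SRV"),
    ("sipinternal.{d}", "A"),
    ("sip.{d}", "A"),
    ("sipexternal.{d}", "A"),
]

# ASSUMPTION: order in which answered records are tried for the registrar (the post
# lists the queries but not the client's selection order). The lyncdiscover records
# point at the Web services, not the registrar, so they are excluded here.
REGISTRAR_ORDER = [
    "_sipinternaltls._tcp.{d}", "_sipinternal._tcp.{d}", "_sip._tls.{d}",
    "sipinternal.{d}", "sip.{d}", "sipexternal.{d}",
]
DEFAULT_SIP_TLS_PORT = 5061  # ASSUMPTION: port used when only an A record answers

# A resolver maps (name, rtype) to answers: IP strings for A, (target, port) for SRV; [] when absent.
Resolver = Callable[[str, str], list]


def stdlib_resolver(name: str, rtype: str) -> list:
    """A-record lookups with the standard library only; SRV needs a DNS library (e.g. dnspython), so it returns []."""
    if rtype != "A":
        return []
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def lync_query_names(domain: str) -> List[Tuple[str, str]]:
    """Expand the templates for one SIP domain."""
    return [(t.format(d=domain), r) for t, r in LYNC_QUERIES]


def discover(domain: str, resolver: Resolver = stdlib_resolver, timeout: float = 5.0) -> Dict[str, list]:
    """Send every query simultaneously and collect whatever answers arrive in time."""
    queries = lync_query_names(domain)
    results: Dict[str, list] = {}
    with ThreadPoolExecutor(max_workers=len(queries)) as pool:
        futures = {name: pool.submit(resolver, name, rtype) for name, rtype in queries}
        for name, fut in futures.items():
            try:
                results[name] = list(fut.result(timeout=timeout))
            except Exception:  # a timeout or resolver failure counts as "no answer"
                results[name] = []
    return results


def pick_registrar(domain: str, results: Dict[str, list]) -> Optional[Tuple[str, int, str]]:
    """Return (target, port, record name) for the first answered record in REGISTRAR_ORDER, or None."""
    for template in REGISTRAR_ORDER:
        name = template.format(d=domain)
        answers = results.get(name) or []
        if not answers:
            continue
        first = answers[0]
        if isinstance(first, tuple):          # SRV answer carries its own port
            target, port = first
        else:                                 # A answer: host only
            target, port = first, DEFAULT_SIP_TLS_PORT
        return target, int(port), name
    return None


# Constructed sample zone for an offline run: only an internal TLS SRV record,
# a sip A record and the external autodiscover record exist.
SAMPLE_ZONE = {
    ("_sipinternaltls._tcp.contoso.example", "SRV"): [("pool01.contoso.example", 5061)],
    ("sip.contoso.example", "A"): ["203.0.113.10"],
    ("lyncdiscover.contoso.example", "A"): ["203.0.113.20"],
}


def sample_resolver(name: str, rtype: str) -> list:
    """In-memory resolver over the constructed zone, so the demo runs offline."""
    return list(SAMPLE_ZONE.get((name, rtype), []))


if __name__ == "__main__":
    found = discover("contoso.example", sample_resolver)
    for name, answers in found.items():
        print(f"{name:45} {answers or 'no answer'}")
    print("registrar candidate:", pick_registrar("contoso.example", found))
```

Running it against a real domain with `discover("yourdomain", stdlib_resolver)` shows which of the eight names actually resolve from the client's network; a missing `_sipinternaltls._tcp` record is a common reason the client falls back to an external path or fails to sign in.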
Step 2: TCP connectivity check (Network layer)
Once the client has the registrar server's address, it performs a connectivity check before it actually attempts to connect to the server. In this step the TCP three-way handshake takes place.
* This can be checked with the Netmon (Network Monitor) tool.
Step 3: TLS encryption
After the connectivity check between the Lync client and the Lync server completes successfully, the client initiates TLS encryption (the TLS handshake) with the server.
* This can be checked with the Netmon (Network Monitor) tool.
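The two checks in steps 2 and 3, as an added Python example that is not part of the original post: it performs the TCP three-way handshake on its own, then the TLS handshake with certificate chain and hostname verification switched on, and reports at which of the two steps a failure occurred. The `plaintext_listener()` and `unused_port()` helpers and the host names are constructed for the offline demo; `tls_check()` is meant to be pointed at a real registrar FQDN.

```python
"""Steps 2 and 3 of the Lync sign-in as explicit checks: TCP connect, then TLS handshake.

Added example. plaintext_listener(), unused_port() and the host names are constructed
for the offline demo; tls_check() is meant to be pointed at a real registrar FQDN.
"""
import socket
import ssl
import threading
from contextlib import contextmanager
from typing import Any, Dict, Optional


def tcp_check(host: str, port: int, timeout: float = 3.0) -> Dict[str, Any]:
    """Complete only the three-way handshake (SYN, SYN-ACK, ACK as seen in Netmon) and close."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return {"ok": True, "peer": s.getpeername()[:2]}
    except OSError as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def tls_check(host: str, port: int, server_name: Optional[str] = None,
              timeout: float = 3.0, cafile: Optional[str] = None) -> Dict[str, Any]:
    """TCP connect, then a TLS handshake with chain and hostname verification on.

    server_name must be the FQDN the certificate was issued for (the SRV target or
    pool name), not an IP address; a mismatch fails here just as it does in the client.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    sni = server_name or host
    stage = "tcp"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "tls"
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                }
    except OSError as exc:  # ssl.SSLError is an OSError subclass; `stage` tells which step broke
        return {"ok": False, "stage": stage, "error": f"{type(exc).__name__}: {exc}"}


@contextmanager
def plaintext_listener():
    """Constructed stand-in for a host that accepts TCP but never speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()  # accept, then drop: the TCP step succeeds, the TLS step cannot

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()
    finally:
        stop.set()
        worker.join()
        srv.close()


def unused_port() -> int:
    """A loopback port nothing is listening on, to show the TCP-step failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    with plaintext_listener() as (host, port):
        print("TCP :", tcp_check(host, port))
        print("TLS :", tls_check(host, port, server_name="sip.contoso.example"))
    print("closed port:", tcp_check("127.0.0.1", unused_port()))
```

Separating the two steps matters when troubleshooting: a `stage: "tcp"` failure points at DNS, routing or a firewall in front of port 5061, while a `stage: "tls"` failure with a successful TCP connect points at the certificate (untrusted issuer, name mismatch, expiry) or at the protocol versions the server offers.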
Step 4: Authentication and authorization
In Lync there are three authentication methods: Kerberos, NTLM and TLS-DSK.
* Kerberos uses a 2-way handshake mechanism.
* Kerberos can be used only if the client is connected directly to AD.
* NTLM and TLS-DSK use a 3-way handshake mechanism.
NTLM Authentication method:
TLS-DSK Authentication method:
Step 5: Redirection
If a user is external to the Lync environment, the client connects to the Lync Edge server or the Director server, depending on the configuration. If a user is internal and a Director server is deployed, the Lync client connects to the Director server and is then redirected to the Lync Front End server.