Lync client sign in process

There are many blogs and posts on Lync client sign in process. With this blog, I have tried to put everything on one page.

There are 5 steps in Lync sign in process.

1. Locating a server
2. TCP connectivity check
3. TLS encryption
4. Authentication and authorization
5. Redirection

Step 1: Locating a server (Application layer) 
Lync client does below DNS queries which are hard coded in client. 

1. lyncdiscoverinternal.<domain>   A (host) record for the Autodiscover service on the internal Web services
2. lyncdiscover.<domain>   A (host) record for the Autodiscover service on the external Web services
3. _sipinternaltls._tcp.<domain>   SRV (service locator) record for internal TLS connections
4. _sipinternal._tcp.<domain>   SRV (service locator) record for internal TCP connections (performed only if TCP is allowed)
5. _sip._tls.<domain>   SRV (service locator) record for external TLS connections
6. sipinternal.<domain>   A (host) record for the Front End pool or Director, resolvable only on the internal network
7. sip.<domain>   A (host) record for the Front End pool or Director on the internal network, or the Access Edge service when the client is external
8. sipexternal.<domain>   A (host) record for the Access Edge service when the client is external

All the DNS queries happens simultaneously.

For detailed information on Lync server DNS records and requirements Click here

In the DNS query, the client will get the address of registrar server. 
Registrar server could be FE/FE pool/Director server/ Edge server - depending on
the configuration and user location.

Step 2: TCP connectivity check (Network layer) 
Once the client gets registrar server's address, client initiates connectivity 
check before it actually attempts to connect the server. In this step, three way 
handshake happens.  
*This can be checked via Netmon tool.

Step 3: TLS Encryption

Upon successful completion of Connectivity check between Lync client and Lync server, client initiates TLS encryption with server.

* This can be checked via Netmon tool.

Step 4: Authentication and authorization

In Lync, we have 3 authentication methods. Kerberos, NTLM and TLS-DSK

* Kerberos uses 2 way handshake mechanism. 
* Kerberos can be used only if the client is connected to the AD directly. 
* NTLM and TLS-DSK uses 3 way handshake mechanism.

Kerberos method:

NTLM Authentication method:

TLS – DSK Authentication method:

Step 5: Redirection

If a user is external to Lync environment, client connects to Lync edge server 
or Directory server, depending upon configuration. If a user is internal and 
Directory server is deployed, Lync client connects to Director server and then 
the client is redirected to the Lync FE server.