Deploying Communicator Web Access in Multiple Domains

Communications Server 2007 R2

Topic Last Modified: 2009-01-22

If you are deploying the 2007 R2 version of Communicator Web Access in an Active Directory forest that includes multiple domains, it is important that all the domains trust one another. If they do not, users with accounts in a given domain might have difficulty logging on to Communicator Web Access. In particular, their logon attempt might be rejected with a message stating that their computer clock has not been set correctly. The rejected logon and the misleading error message result from the way that the Kerberos authentication protocol handles these requests.

If you cannot set up a trust relationship between all the domains, you can temporarily fix the problem by resetting the World Wide Web service. Alternatively, you can disable Kerberos, which forces Internet Information Services (IIS) to use NTLM authentication. With NTLM authentication, this problem does not occur.

  1. Log on to the computer as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In Internet Information Services (IIS) Manager, expand the name of your domain and then expand Web Sites.

  4. Click the name of your Communicator Web Access Web site, and then double-click Authentication in the Features pane.

  5. Right-click Windows Authentication and then click Disabled.

  1. Log on to the computer as a member of the local Administrators group.

  2. Click Start and then click Run.

  3. In the Run dialog box, type cmd and then press ENTER.

  4. In the command window, type the following command and then press ENTER. Note that NTLM must be typed in all uppercase letters:

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
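
An added example, not part of the original topic: a batch wrapper around the same adsutil.vbs command that records the current value before the change, reads the value back afterward, and can restore the IIS default of "Negotiate,NTLM" once the domain trusts are in place. The script name, the log path, and the default AdminScripts location of adsutil.vbs are assumptions.

```batch
@echo off
rem Added example, not part of the original topic.
rem Usage: ntauth.cmd show ^| ntlm ^| restore   (ntauth.cmd is a hypothetical file name)
rem Assumption: adsutil.vbs is in the default IIS 6.0 AdminScripts folder.
setlocal
set "ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"
set "KEY=w3svc/NTAuthenticationProviders"
set "LOG=%TEMP%\NTAuthenticationProviders-before.txt"

if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at %ADSUTIL%
    exit /b 1
)

if /i "%~1"=="show"    goto show
if /i "%~1"=="ntlm"    goto ntlm
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 show ^| ntlm ^| restore
exit /b 1

:show
cscript //nologo "%ADSUTIL%" get %KEY%
exit /b 0

:ntlm
rem Record the value in place before the change, with a timestamp.
echo %DATE% %TIME% >> "%LOG%"
cscript //nologo "%ADSUTIL%" get %KEY% >> "%LOG%"
rem Same setting as the procedure above: NTLM in all uppercase letters.
cscript //nologo "%ADSUTIL%" set %KEY% "NTLM"
goto verify

:restore
rem "Negotiate,NTLM" is the IIS default; Negotiate allows Kerberos again.
cscript //nologo "%ADSUTIL%" set %KEY% "Negotiate,NTLM"
goto verify

:verify
rem Read the value back and report whether Negotiate (Kerberos) is offered.
cscript //nologo "%ADSUTIL%" get %KEY% | findstr /i /c:"Negotiate" >nul
if errorlevel 1 (
    echo Negotiate is not offered: IIS will use NTLM only.
) else (
    echo Negotiate is offered: Kerberos can still be used.
)
exit /b 0
```

Run it from a command window opened as a member of the local Administrators group, as in the procedure above.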