Any issues with disabling NTLM on the primary Registrar?


  • Hi there,

    I'm trying to understand whether there's any negatives to disabling NTLM on the Global Registar in my Lync Dev environment, and just leaving Kerberos and Certificate based auth enabled?

    I've tested disabling it, and I've confirmed that my remote (domain joined) machines can continue connecting into Lync using certificate based auth, and my internal users use Kerberos which is the desired result for me.

    The reason I ask is that the MS documentation on the registrar says:

    We recommend that you enable both Kerberos and NTLM when a server supports authentication for both remote and enterprise clients. The Edge Server and internal servers communicate to ensure that only NTLM authentication is offered to remote clients. If only Kerberos is enabled on these servers, they cannot authenticate remote users. If enterprise users also authenticate against the server, Kerberos is used.

    Why do they recommend that both NTLM and Kerberos are enabled? Does disabling it prevent some remote access scenarios I'm not aware of?

    Regards, James

    James Frost

    Monday, February 27, 2012 6:40 AM


All replies

  • Hi James ,

    Do you have any internet/external users on dev deployment ? Did you get a chance to test the functionality if any ?

    Kerberos will not work on non-domain PCs when you are accessing from outside org network. Kerberos will work internal and remote users connected via internal WAN/VPN.



    Monday, February 27, 2012 11:53 AM
  • Hi Saleesh,

    I did test it with my external users, and it works fine as the authentication falls back to certificate based (TLS-DSK) auth... which is actually the preferred result for my deployment anyway.

    The only reason I can see to leave NTLM on is for environments where you have external users connecting in from non-domain joined machines that haven't had a chance to request a certificate yet? If that doesn't apply to your environment, is there any reason not just to turn it off?

    Regards, James.

    James Frost

    • Edited by James Frost Monday, February 27, 2012 12:02 PM
    Monday, February 27, 2012 12:02 PM
  • You are right , non-domain machines will fall back to NTLM if it is configured.

    In your case , external access is working with cert-based authentication, so you can turn off NTLM.



    Monday, February 27, 2012 1:20 PM