Skype for Business Blog

SfB Server Now Supports Blocking NTLM Externally

Natasha Desai
Microsoft
Sep 25, 2018

I am happy to announce that with the CU7 version of SfB Server 2015, we have added the ability to block external NTLM traffic. This, along with the use of Certificate Based Authentication (CBA), will allow you to protect your SfB servers from external DoS attacks that use username/password authentication. Let me explain.

SfB Server allows the following protocols, all of which accept a username and password: NTLM, Forms Based Auth and Modern Authentication. To combat these DoS attacks, you have to shut down every external path that accepts a username and password. With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.) Now all the username/password doors are shut and your users use CBA to get in externally.

Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.

Updated Sep 25, 2018

15 Comments

  • Tom Baeten

    We tried disabling NTLM externally by using Scenario BlockWindowsAuthExternally. But this results in all our internal clients not being able to log in anymore.

    NOTE: we are using Skype in a resource forest, so users log in with forest A accounts on their clients, their Skype accounts reside in forest B with the OriginatorSid set to the SID of the account in Forest A.

    If I test a login internally with an account of Forest B directly, login does work. So at first sight it looks like Skype is treating users from the different forest as external.

  • I just discovered that BlockWindowsAuthExternally also disables the ability for both internal and external users to sign in to the Skype Meetings App.  The link to sign in is gone in both scenarios.

  • I have, thank you. I was hoping to see if it was something unique with my environment or a bug. My suspicion is there is a step missing in the documentation. I'm sure we will get it working!

  • Hi David, FBA login should definitely not be working.  Can you open a support case for this with logs, etc.  so that we can investigate?

  • We used this to disable basic auth externally a few weeks ago in SfB Server 2015.  I noticed that FBA login on the dial in PIN page still works externally, outside of modern auth.  According to the documentation, this should be disabled.  Has anyone else tested?  Is there a step missing in the documentation?