I am happy to announce that with the CU7 version of SfB Server 2015, we have added the ability to block external NTLM traffic. This, along with the use of Cert Based Authentication, will allow you to protect your SfB servers from external DoS attacks using username/passwords. Let me explain.


SfB Server allows the following protocols that all accept username/passwords: NTLM, Forms Based Auth and Modern Authentication. In order to combat the DoS attacks, you have to shut down all the external ways that allow username/password. With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.) Now all the username/password doors are shut and your users use CBA to get in externally.


Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.

Super Contributor

We used this to disable basic auth externally a few weeks ago in SfB Server 2015.  I noticed that FBA login on the dial in PIN page still works externally, outside of modern auth.  According to the documentation, this should be disabled.  Has anyone else tested?  Is there a step missing in the documentation?


Hi David, FBA login should definitely not be working. Can you open a support case for this with logs, etc., so that we can investigate?

Super Contributor

I have, thank you. I was hoping to see if it was something unique with my environment or a bug. My suspicion is there is a step missing in the documentation. I'm sure we will get it working!

Super Contributor

I just discovered that BlockWindowsAuthExternally also disables the ability for both internal and external users to sign in to the Skype Meetings App.  The link to sign in is gone in both scenarios.

Regular Visitor

We tried disabling NTLM externally by using the scenario BlockWindowsAuthExternally. But this results in all our internal clients not being able to log in anymore.


NOTE: We are using Skype in a resource forest, so users log in with Forest A accounts on their clients; their Skype accounts reside in Forest B with the OriginatorSid set to the SID of the account in Forest A.

If I test a login internally with an account of Forest B directly, login does work. So at first sight it looks like Skype is treating users from the different forest as external.


Hi Tom, 

This should work. Can you please open a support ticket so that we can investigate properly?  And please include the client signin logs.  Thanks.