SfB Server Now Supports Blocking NTLM Externally
Published Sep 25 2018 10:30 AM
Microsoft

I am happy to announce that with the CU7 version of SfB Server 2015, we have added the ability to block external NTLM traffic. This, along with the use of Certificate Based Authentication, will allow you to protect your SfB servers from external DoS attacks that use username/password sign-in attempts. Let me explain.


SfB Server allows the following protocols, all of which accept username/passwords: NTLM, Forms Based Auth and Modern Authentication. To combat these DoS attacks, you have to shut down all the external ways that allow username/password sign-in. With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then you configure your servers to only accept Certificate Based Auth externally (NOTE: you need Modern Authentication to use CBA). Now all the username/password doors are shut, and your users use CBA to get in externally.
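As an added example (not code from the original post), here is how the CU7 procedure above can be applied and then checked from the SfB Server Management Shell. The -Scenario parameter and the BlockWindowsAuthExternally value are the ones named in this thread; the external web services FQDN, the endpoint path used for the check and Windows PowerShell 5.1 are assumptions.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# in the Skype for Business Server Management Shell on an SfB Server 2015 CU7+
# Front End. $ExternalWebFqdn and the endpoint path are placeholders to replace.

$ExternalWebFqdn = 'webext.contoso.example'   # placeholder: your external web services FQDN

# 1. Capture the current authentication configuration before changing anything,
#    so the "before" state is on record if the change has to be rolled back.
Write-Host 'Authentication configuration before the change:'
Get-CsAuthConfig

# 2. Apply the scenario named in this thread. BlockWindowsAuthExternally stops
#    NTLM on the external side; Forms Based Auth is only blocked with it once
#    the CU10 fix mentioned in the comments is installed.
Set-CsAuthConfig -Scenario BlockWindowsAuthExternally

# 3. Re-read the configuration to confirm the scenario was applied.
Write-Host 'Authentication configuration after the change:'
Get-CsAuthConfig

# 4. Verify from outside the network. An unauthenticated request to an endpoint
#    that requires Windows auth should answer 401; if the WWW-Authenticate
#    challenges still include NTLM or Negotiate, NTLM is still reachable externally.
function Test-NtlmOffered {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop | Out-Null
        return $false   # 200 without any challenge: nothing to check here
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS/TLS failure, not an auth challenge
        $challenges = @($resp.Headers.GetValues('WWW-Authenticate'))
        return [bool]($challenges | Where-Object { $_ -match '^(NTLM|Negotiate)' })
    }
}

# Assumed path: point this at an external web services endpoint that normally
# offers Windows authentication, e.g. the WebTicket auth endpoint.
$uri = "https://$ExternalWebFqdn/WebTicket/WebTicketService.svc/Auth"
if (Test-NtlmOffered -Uri $uri) {
    Write-Warning "NTLM/Negotiate is still offered externally at $uri"
} else {
    Write-Host "No NTLM/Negotiate challenge from $uri"
}
```

Run the verification step from a machine outside the corporate network, since the point of the scenario is that the external path, not the internal one, stops offering NTLM.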


Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.

15 Comments
Steel Contributor

We used this to disable basic auth externally a few weeks ago in SfB Server 2015.  I noticed that FBA login on the dial in PIN page still works externally, outside of modern auth.  According to the documentation, this should be disabled.  Has anyone else tested?  Is there a step missing in the documentation?

Microsoft

Hi David, FBA login should definitely not be working.  Can you open a support case for this with logs, etc.  so that we can investigate?

Steel Contributor

I have, thank you.  I was hoping to see if it was something unique with my environment or a bug.  My suspicion is there a step missing in the documentation.  I'm sure we will get it working!

Steel Contributor

I just discovered that BlockWindowsAuthExternally also disables the ability for both internal and external users to sign in to the Skype Meetings App.  The link to sign in is gone in both scenarios.

Copper Contributor

We tried disabling NTLM Externally by using Scenario BlockWindowsAuthExternally. But this results in all our internal clients not being able to login anymore.


NOTE: we are using skype in a resource forest, so users login with forest A accounts on their clients, their Skype accounts reside in forest B with the OriginatorSid set to the SID of the account in Forest A.

If I test a login internally with an account of Forest B directly, login does work. So at first sight it looks like Skype is treating users from the different forest as external.

Microsoft

Hi Tom, 

This should work. Can you please open a support ticket so that we can investigate properly?  And please include the client signin logs.  Thanks.

Microsoft

Update: We did find a real bug with Forms Based Auth not being blocked when you blocked Windows Auth externally. The fix for this will be in an upcoming CU for SfB server.  ETA for this release is Calendar year 2019 Q3.

Copper Contributor

Hi, I turned off NTLM for external users using BlockWindowsAuthExternally. Internal users can still connect. However, none of the external users can connect via Skype for Business client.


This looks like I missed a step. Should modern authentication have kicked in automatically, or is that a separate procedure that needs to be set up prior to disabling NTLM for external users?


Microsoft

@sengstar2005 , You have to enable Modern Auth separately. It does not automatically kick in when you disable NTLM. They are two separate procedures.


Here are some useful links.  The exact instructions will depend on what topology you have.

SfB and Modern Auth Supported Topologies: https://technet.microsoft.com/en-us/library/mt803262.aspx

Instructions to Deploy Modern Auth : https://aka.ms/ModernAuthOverview

MA with SfB Onprem and AAD: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Modern-Auth-for-SfB-OnPrem-with-AAD/b...

Copper Contributor

OK, thanks Natasha. That explains it.

Steel Contributor

I opened a case for the Skype Meetings App problem I mentioned earlier in the thread, and was told after months of the case being open that this is expected behavior since the app is now considered only external.  Huh?  This isn't documented anywhere.  I still have users who use the meetings app that need to authenticate internally.  Disabling basic auth externally should not break the ability to authenticate to the meetings app internally.

Copper Contributor

Hi Natasha,


I started going through the articles about enabling Modern Authentication. I got a few questions.


Currently without Modern Authentication :


1. Our domain-joined desktops use Skype for Business clients. They connect to our on-prem Skype server, and this connects to our on-prem Exchange server for status availability, i.e. in a meeting.

2. External users using mobile phones with Skype for Business clients connect externally (via NTLM). I can see on the mobile Skype client my Exchange appointments as well.


If I turn on Modern Authentication ONLY ON THE SKYPE Server:


1. Will my domain-joined desktops with Skype for Business clients still continue to use NTLM internally, or will they have to be re-configured to use Modern Authentication before they can connect to the Skype server?

2. If my domain-joined desktops with Skype clients change to use Modern Authentication, will that stop them seeing the Exchange calendar (because I didn't enable Modern Authentication on the Exchange server)?

3. Will I also need to re-configure my mobile Skype client to use Modern Authentication, or will the external NTLM authentication still work until I disable it?

4. If I re-configure my mobile Skype client to use Modern Authentication, will that stop it being able to see my Exchange calendar because I hadn't enabled Modern Authentication on the on-prem Exchange server?


Copper Contributor

Hi Natasha


You mentioned in one of your answers that you have found a serious problem in blocking NTLM and this should be fixed somewhere in Q3 2019 (ETA for this release is Calendar year 2019 Q3). Do you have any further details about this fix? When will it be available? Or is it already available? I could not find any information about this issue having been fixed in any release notes.


Microsoft

Beni,  The fix was released in SfB 2015 CU10.  Here is an article referencing the change.

Copper Contributor

Hello Natasha,


I have one more query about blocking access.

Can we block external access for a particular user...?
