Introduction
This article discusses a new rule for Microsoft Lync Server , Best Practices Analyzer to warn if the Front-end server, Director, or Edge server is running Windows Server 2008 R2 and still has the default setting for NTLM SSP set to Requires 128-bit encryption.
More Information
Assume that you have a Lync Server environment. The Front End server, the Edge Server, or the Director is running on a Windows Server 2008 R2-based computer. In this situation, a Microsoft Lync client that is running on a Windows Vista-based or Windows XP-based computer may be unable to join an online meeting.
To make sure that the security setting for NTLM SSP is not set to Requires 128-bit encryption on the Windows Server 2008 R2-based computer, apply the following update, and then use Lync Server, Best Practices Analyzer to scan the environment:
2672346 Description of the cumulative update for Lync Server 2010, Best Practices Analyzer: February 2013
If the Requires 128-bit encryption option is enabled, you receive the following alert title and alert text for each computer that is affected:
Alert title
Lync users may not be able to join Live Meetings
Alert text
Lync Server on Windows Server 2008 R2 with NTLM SSP set to "Require 128-bit encryption" detected. Older clients running on Windows Vista or Windows XP will not be able to join online meetings. To resolve this issue and allow clients running on down level operating systems to connect you must set the NTLM Authentication level to "No Minimum." For more information please refer to KB 982021.
To resolve the issue in which the Lync client cannot join a Lync online meeting, change the security setting for NTLM SSP to No Minimum. Be aware that you need perform these steps on each computer that is affected. To change the security setting, follow these steps on the Windows Server 2008 R2-based computer:
-
Click Start, click Run, type secpol.msc, and then click OK.
-
Click to select Local Policies, and then click the Security Options node.
-
Make sure that the following policies are set to No Minimum:
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in WindowsIf you want to change the NTLM setting by using registry keys, follow these steps:
-
Click Start, click Run, type regedit in the Open box, and then click OK.
-
Locate and then select the following registry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0
-
Right-click NtlmMinClientSec, and then click Modify.
-
In the Value data box, type 0, and then click OK.
-
Right-click NtlmMinServerSec, and then click Modify.
-
In the Value data box, type 0, and then click OK.
-
Exit Registry Editor.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
982021 Supportability is available for Office Communications Server 2007 R2 member server role on a Windows Server 2008 R2 operating system For more information about the changes in NTLM authentication, visit the following Microsoft website:
General information about the changes in NTLM authentication
