A trusted user is one whose credentials have been authenticated by a trusted server in Skype for Business Server 2015. This server is usually a Standard Edition server, Enterprise Edition Front End Server, or Director; in The Voice of O365 enterprise Skype for Business environment, it is one of the Front-End servers. Skype for Business Server relies on Active Directory Domain Services as the single, trusted back-end repository of user credentials. The authentication request reaches the Skype for Business frontend server through a web proxy server in the DMZ network (see Architecture for more information).

Authentication is the provision of user credentials to a trusted server. Skype for Business Server in The Voice of O365 uses the following authentication protocols, depending on the status and location of the user.

  • MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services, which is why it cannot be used for authenticating clients outside the corporate firewall.

  • NTLM protocol for users with Active Directory credentials who are connecting from an endpoint outside the corporate firewall. The Access Edge service passes logon requests to a Director, if present, or a Front End Server for authentication. The Access Edge service itself performs no authentication.

    Note: NTLM protocol offers weaker attack protection than Kerberos, so some organizations minimize usage of NTLM. As a result, access to Skype for Business Server 2015 might be restricted to internal clients or clients connected through a VPN or DirectAccess connection.

  • Digest protocol for so-called anonymous users. Anonymous users are outside users who do not have recognized Active Directory credentials but who have been invited to an on-premises conference and possess a valid conference key. Digest authentication is not used for other client interactions.

    Info: An example of Digest protocol usage is Skype for Business web app users. Those users authenticate through the meeting URL (which has the Proxy destination) and have anonymous credentials.

Skype for Business Server 2015 authentication consists of two phases:

...

Users with valid credentials issued by a federated partner are trusted but optionally prevented by additional constraints from enjoying the full range of privileges accorded to internal users.

Client certificates provide an alternate way for users to be authenticated by Skype for Business Server 2015. Instead of providing a user name and password, users have a certificate and the private key corresponding to the certificate that is required to resolve a cryptographic challenge. (This certificate must have a subject name or subject alternative name that identifies the user and must be issued by a Root CA that is trusted by servers running Skype for Business Server 2015, be within the certificate’s validity period, and not have been revoked.) To be authenticated, users only need to type in a personal identification number (PIN). Certificates are particularly useful for telephones, mobile phones, and other devices where it is difficult to enter a user name and password.
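The four certificate conditions listed above can be audited from PowerShell with the .NET `X509Chain` class. This is an added example, not code from this page or from Skype for Business Server; the function name `Test-ClientAuthCertificate` and the identity `user@example.com` are hypothetical, and the check should be run on a machine whose trusted root store matches the servers'.

```powershell
# Added example: audits a client certificate against the conditions in the text.
# Test-ClientAuthCertificate is a hypothetical helper, not a Skype for Business cmdlet.
function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Identity expected in the subject or SAN (format is an assumption)
        [Parameter(Mandatory)]
        [string]$UserIdentity
    )
    $failures = New-Object System.Collections.Generic.List[string]

    # 1. Subject name or subject alternative name (OID 2.5.29.17) must identify the user.
    #    Anchor the match so 'bob@example.com' does not match 'notbob@example.com'.
    $san     = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $pattern = '(?<![\w.@-])' + [regex]::Escape($UserIdentity) + '(?![\w.@-])'
    if ($Certificate.Subject -notmatch $pattern -and $sanText -notmatch $pattern) {
        $failures.Add("Neither subject nor SAN identifies '$UserIdentity'")
    }

    # 2-4. One chain build covers trusted root, validity period and revocation.
    #      Online revocation fails closed: an unreachable CRL/OCSP responder is
    #      reported as RevocationStatusUnknown and counts as a failure here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            # e.g. UntrustedRoot, NotTimeValid, Revoked, RevocationStatusUnknown
            $failures.Add("$($status.Status): $($status.StatusInformation.Trim())")
        }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Acceptable = ($failures.Count -eq 0)
        Failures   = $failures
    }
}

# Usage: audit every certificate in the current user's personal store
# against a placeholder identity.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCertificate -Certificate $_ -UserIdentity 'user@example.com' }
```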