Tuesday, January 31, 2006

External Download of the Address Book for Communicator



I've run across an interesting behavior with downloading the address book files when logging in outside the network. PSS has confirmed that this is by design, so I thought it would be valuable to share with others.

The address book is a set of files created nightly that sit on a file server. A new file is downloaded the first time you run Communicator each day. For details on the Address Book Service, see this link.

When installing ABS, you specify the folder in which the files are generated. In LCS, you create an entry that is basically a file share path, which tells the Communicator client where to download the files from. To my knowledge, it uses Windows authentication. If your machine is in the corporate domain and you are on the internal network, you are logged into both Communicator and the file share automatically. Two logins occur each time you run Communicator: one to LCS and one to the address book share. Internally, you are not prompted. Nice.

It gets interesting when you are outside the firewall or running Communicator externally. Because file shares do not resolve externally (VPN does not count as external here), Microsoft provides another way to get the address book files to you. You create an IIS virtual directory on the Enterprise Edition server pointing to the folder containing the files and publish it externally through your reverse proxy/firewall. It must use basic authentication over SSL, too.

The documentation says to remove Windows authentication on the web site and check Basic. Based on our IIS knowledge, this guarantees the user will be prompted to authenticate. No automatic Integrated Windows authentication is happening here.

If my machine is in the domain and I leave the office, when I log in to Communicator, I am NOT prompted to authenticate to LCS. Communicator uses my cached credentials. However, I still get the login prompt to download the address book files. I created a PSS ticket because I felt that if I use cached credentials, I should get single sign-on behavior, although the IIS settings told me it wasn't going to happen. My logic is: if Communicator can pass credentials to LCS, then why can't it do the same for the ABS? If you cancel on the login prompt, you are still logged into LCS. Now that's confusing! For people whose machines are not members of the domain, you are prompted only once to log in to both LCS and ABS, which is nice.

This is a long-winded way of saying that if you are external, you will be prompted to authenticate to the address book web site... unless you set the web site to anonymous.
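As an added example (not from the original post), here is a small Python check of how the externally published address book site answers a request sent with no credentials: it flags the anonymous setting just mentioned, Windows authentication left enabled, and a site not behind SSL. The URL, sample responses and finding names are my own construction.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Schemes IIS advertises when Integrated Windows authentication is still on.
WINDOWS_SCHEMES = {"ntlm", "negotiate"}


def classify_abs_exposure(scheme, status, www_authenticate):
    """Judge one unauthenticated request to the published ABS virtual directory.

    scheme: URL scheme probed ("https" expected)
    status: HTTP status returned for a request sent with no credentials
    www_authenticate: list of WWW-Authenticate header values (empty if none)
    Returns a list of findings, or ["ok"] when the site matches the documented
    setup: SSL, Basic only, no anonymous access, no Windows authentication.
    """
    offered = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    findings = []
    if scheme != "https":
        findings.append("not-ssl")            # Basic would send passwords in clear
    if status == 200:
        findings.append("anonymous-allowed")  # the whole address book is public
    elif status == 401:
        if "basic" not in offered:
            findings.append("basic-missing")
        if offered & WINDOWS_SCHEMES:
            findings.append("windows-auth-offered")
    else:
        findings.append("unexpected-status-%d" % status)
    return findings or ["ok"]


def probe_abs_site(url):
    """Send one unauthenticated GET to a real site and classify the answer."""
    scheme = urlparse(url).scheme.lower()
    try:
        with urllib.request.urlopen(url) as resp:
            hdrs = resp.headers.get_all("WWW-Authenticate") or []
            return classify_abs_exposure(scheme, resp.status, hdrs)
    except HTTPError as err:
        hdrs = err.headers.get_all("WWW-Authenticate") or []
        return classify_abs_exposure(scheme, err.code, hdrs)


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "documented setup": ("https", 401, ['Basic realm="abs"']),
    "site set to anonymous": ("https", 200, []),
    "windows auth left on, no SSL": ("http", 401, ["Negotiate", "NTLM", 'Basic realm="abs"']),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print("%-30s %s" % (name, ", ".join(classify_abs_exposure(*args))))
```

Run `probe_abs_site("https://<your-external-abs-host>/<virtual-directory>/")` against your own published site to get the same verdict from a live response.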

Wednesday, January 25, 2006

Knowing When PIC is Enabled

LCS Public IM Connectivity is a licensed service Microsoft provides that allows a company's Live Communications Server implementation to federate with the three public IM vendors: MSN, Yahoo, and AOL. Companies must purchase licenses from Microsoft and then go through a provisioning process.

At the end of December after we had submitted our online provisioning form we were notified that there was a hiatus in new provisioning through early January. Interestingly, we received an email in mid-January stating that provisioning had been approved. We configured LCS to allow Public IM connectivity. However, our Communicator clients could not add PIC contacts.

Our users who had MSN Passport accounts using their corporate email address were sent warning emails that their MSN accounts would no longer work after a specified date. There is a process to convert these Passport accounts that allows users to continue to use MSN Messenger with their existing contact lists.

In short, Public IM connectivity began working the day after the email stated the change would take place. This date was not in the provisioning approval email. I am curious to see if anyone else has experienced this scenario.

What this means is that somebody in the IT department may want to create an MSN Passport account for Messenger using a corporate email address before provisioning, so that they receive the true enablement date!