Tuesday, January 31, 2006

External Download of the Address Book for Communicator
I've run across an interesting behavior with downloading the address book files when logging in from outside the network. PSS has confirmed that this is by design, so I thought it would be valuable to share with others.

The address book is a set of files generated nightly that sit on a file server. A new file is downloaded the first time you run Communicator each day. For details on the Address Book Service, see this link.

When installing ABS, you specify a folder in which to generate the files. In LCS, you create an entry that is basically a file share path, which tells the Communicator client where to download the files from. To my knowledge, it uses Windows authentication. If your machine is in the corporate domain and you are on the internal network, you are logged into both Communicator and the file share automatically. Two logins occur each time you run Communicator: one for LCS and one for the address book share. Internally, you are not prompted for either. Nice.

It gets interesting when you are outside the firewall, running Communicator externally. Because file shares do not resolve externally (VPN does not count as external here), Microsoft provides another way to get the address book files to you. You create an IIS virtual directory on the Enterprise Edition server pointing to the folder containing the files and publish it externally through your reverse proxy/firewall. It must use basic authentication over SSL as well.

The documentation says to remove Windows authentication on the web site and enable basic authentication. Based on our IIS knowledge, this guarantees the user will be prompted to authenticate. No automatic Windows integrated authentication is happening here.

If my machine is in the domain and I leave the office, when I log in to Communicator, I am NOT prompted to authenticate to LCS. Communicator uses my cached credentials. However, I still get the login prompt to download the address book files. I created a PSS ticket because I felt that if I use cached credentials, I should get single sign-on behavior, although the IIS settings told me it wasn't going to happen. My logic is: if Communicator can pass credentials to LCS, then why can't it do the same for the ABS? If you cancel on the login prompt, you are still logged into LCS. Now that's confusing! For people whose machines are not members of the domain, you are prompted only once to log in to both LCS and ABS, which is nice.

This is a long-winded way of saying that if you are external, you will be prompted to authenticate to the address book web site, unless you set the web site to anonymous.
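As an added example (not from the original post), here is a PowerShell check that audits an ABS virtual directory against the settings described above: basic authentication over SSL, Windows authentication removed, and anonymous access not enabled. It assumes IIS 7 or later with the WebAdministration module (which postdates the post), and the site and directory names are placeholders.

```powershell
# Added example, not from the original post. Audits the IIS virtual directory
# that publishes the Address Book files externally against the settings the
# post describes: basic authentication over SSL, Windows auth removed, and
# anonymous access NOT enabled. Assumes IIS 7+ with the WebAdministration
# module; the site and vdir names below are placeholders.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: site hosting the ABS vdir
$VDirName = 'Abs'                # assumption: name of the ABS virtual directory
$VDirPath = "IIS:\Sites\$SiteName\$VDirName"

# Returns $true if the given authentication scheme is enabled on the vdir.
function Get-AbsAuthSetting {
    param([string]$Scheme)   # e.g. basicAuthentication
    $node = Get-WebConfiguration -PSPath $VDirPath `
        -Filter "system.webServer/security/authentication/$Scheme"
    [bool]$node.enabled
}

$anonymous = Get-AbsAuthSetting 'anonymousAuthentication'
$basic     = Get-AbsAuthSetting 'basicAuthentication'
$windows   = Get-AbsAuthSetting 'windowsAuthentication'
$sslFlags  = (Get-WebConfiguration -PSPath $VDirPath `
    -Filter 'system.webServer/security/access').sslFlags

$findings = @()
if ($anonymous) {
    $findings += 'Anonymous access is enabled: the address book files are readable by anyone who reaches the reverse proxy.'
}
if (-not $basic) {
    $findings += 'Basic authentication is disabled: external Communicator clients have no way to authenticate.'
}
if ($windows) {
    $findings += 'Windows authentication is still enabled; the documentation says to remove it on this site.'
}
if ("$sslFlags" -notmatch 'Ssl') {
    $findings += 'SSL is not required: basic-auth credentials would cross the internet in cleartext.'
}

if ($findings.Count -eq 0) {
    Write-Output "$VDirPath matches the documented external ABS configuration."
} else {
    Write-Output "$VDirPath needs attention:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on the Enterprise Edition server after publishing the directory; the anonymous check is the one that matters most, since turning on anonymous access to avoid the prompt exposes the whole address book to the internet.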