In the last month I found what seems to be a bug when trying to lock down authentication forms.
From external, I wanted to disable old NTLM and only use Modern Authentication.
Just a note: I was on a Skype for Business Enterprise Edition setup with CU 10H1.
To change the authentication from the Skype side you will need to run Set-CsAuthConfig with the parameter for the scenario that you would like.
I wanted to use Scenario 2, which allows NTLM or Kerb internally for my legacy hardware like Polycom or BiAmps:
Scenario 2: External: MA; Internal: MA + Win; Parameter: BlockWindowsAuthExternally. This topology blocks NTLM externally, but allows NTLM or Kerb
Issue: After making the change we found our legacy hardware was unable to sign in. After running logs we found that the Skype server only wanted MA authentication. Logging a call with Microsoft, they agreed that Scenario 2 has a bug in this environment.
The workaround: Since waiting for Microsoft to build a fix "ain't no one got time for that", after playing around I found that using Scenario 4:
External: MA; Internal: Win; Parameter: BlockWindowsAuthExternallyAndModernAuthInternally. This topology blocks NTLM externally and MA internally. It allows all clients to use legacy authentication methods internally (even ADAL-capable clients).
This actually gave us the expected results and allowed the legacy hardware to sign in. Not sure if it's the forcing of no MA internally that was the key, but Scenario 2 should have worked.
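As an added example, not code from the original post, here is a sequence for the Skype for Business Server Management Shell that snapshots the current setting, previews and applies the Scenario 4 workaround described above, and verifies the result. Set-CsAuthConfig and its BlockWindowsAuthExternally / BlockWindowsAuthExternallyAndModernAuthInternally switches are the ones named in the post; Get-CsAuthConfig, -UseDefaults, -WhatIf and the snapshot file paths are assumptions, so confirm them with Get-Help on your own server before relying on them.

```powershell
# Added example (not from the original post). Run in the Skype for Business
# Server Management Shell as an account with the CsServerAdministrator role.
# Set-CsAuthConfig and its two Block* switches come from the post above;
# Get-CsAuthConfig, -WhatIf, -UseDefaults and the file paths are assumptions.

# 1. Record the current configuration so there is a known rollback point.
$before = Get-CsAuthConfig
$before | Format-List
$before | Export-Clixml -Path "$env:TEMP\CsAuthConfig-before.xml"

# 2. Preview what the intended change would do without applying it.
#    Scenario 2 (the one that failed for legacy hardware in this environment):
Set-CsAuthConfig -BlockWindowsAuthExternally -WhatIf
#    Scenario 4 (the workaround that let legacy hardware sign in):
Set-CsAuthConfig -BlockWindowsAuthExternallyAndModernAuthInternally -WhatIf

# 3. Apply the workaround: NTLM/Kerberos blocked externally, MA blocked internally.
Set-CsAuthConfig -BlockWindowsAuthExternallyAndModernAuthInternally

# 4. Verify the new state and keep it next to the "before" snapshot, then test
#    sign-in from a legacy device (Polycom/BiAmp) and from an external client.
$after = Get-CsAuthConfig
$after | Format-List
$after | Export-Clixml -Path "$env:TEMP\CsAuthConfig-after.xml"

# 5. Rollback if internal ADAL-capable clients must keep using Modern Auth,
#    or once a fix for Scenario 2 ships (assumed switch, check Get-Help):
# Set-CsAuthConfig -UseDefaults
```

The point of steps 1 and 4 is that Scenario 4 removes Modern Authentication for every internal client, not just the legacy hardware, so the before/after snapshots make it easy to show what changed and to return to the intended Scenario 2 once the bug is fixed.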