Authentication is the provision of user credentials to a trusted server. Lync Server 2010 uses the following authentication protocols, depending on the status and location of the user: Kerberos, NTLM and Digest.

Lync uses the MIT Kerberos version 5 security protocol for internal users with Active Directory credentials. Kerberos requires client connectivity to Active Directory Domain Services, which is why it cannot be used for authenticating clients outside the corporate firewall.

Kerberos takes its name from the three-headed dog of Greek mythology. It is a three-step security process used for authorization and authentication, and its three "heads" are: 1. the user, 2. the KDC (Key Distribution Center, the security server) and 3. the services (servers). Kerberos is a standard feature of Windows software.

To create the trust on the forest on the external side of the firewall, the administrator publishes the following ports on the internal domain controllers: Kerberos-sec (port 88) UDP (User Datagram Protocol). Other potential ports are: Microsoft-DS (port 445), LDAP TCP (port 389, Lightweight Directory Access Protocol over Transmission Control Protocol) or LDAP UDP (port 389). Kerberos-sec (security) on UDP port 88 is an assigned, well-known port. Ports are used to identify the function of a service, such as TCP port 21 for FTP (File Transfer Protocol) or TCP/UDP port 80 for HTTP (HyperText Transfer Protocol, web browsing).

If you have other thoughts on Lync security, authentication and other aspects of Lync administration, please send them along.
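To make the three heads concrete, here is an added toy model of the Kerberos exchange written for this post (it is not Lync's or Windows' code). The client never sends its password; it proves possession of a key derived from it by opening what the KDC encrypts. The KDC issues a ticket-granting ticket (step 1), then a service ticket (step 2), and the service validates the ticket and a fresh authenticator without talking to the KDC (step 3). The realm `CONTOSO.LOCAL`, the principals `alice` and `lync/fe01`, the passwords, the ticket lifetime and the HMAC-based cipher are all constructed for illustration; nothing here interoperates with a real KDC.

```python
"""Toy model of the Kerberos three-party exchange: user, KDC, service.

Constructed teaching example (standard library only). The cipher below is a
simplified encrypt-then-MAC built from HMAC-SHA256 standing in for Kerberos'
real encryption types; nothing here interoperates with a real KDC."""
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)
CLOCK_SKEW = 300      # max authenticator age: Kerberos' usual 5 minutes


def derive_key(password: str, realm: str, principal: str) -> bytes:
    # Long-term key from password + salt (realm and principal name), as in
    # Kerberos string-to-key; PBKDF2-SHA256 stands in for the real function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (realm + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`; a wrong password fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_auth(ticket: dict, authenticator: bytes, now: int) -> dict:
    """Shared by KDC and service: ticket unexpired, authenticator fresh and matching."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if auth["user"] != ticket["user"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return auth


class KDC:
    """Head 2: the Key Distribution Center, holding every principal's long-term key."""
    def __init__(self, realm: str, passwords: dict):
        self.keys = {p: derive_key(pw, realm, p) for p, pw in passwords.items()}
        self.tgt_key = os.urandom(32)   # krbtgt key protecting TGTs

    def as_exchange(self, user: str, now: int):
        """AS-REQ/AS-REP: issue a TGT; only the user's key can open the session key."""
        body = {"user": user, "session": os.urandom(32).hex(), "expires": now + LIFETIME}
        return seal(self.tgt_key, body), seal(self.keys[user], body)

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate the TGT and hand out a ticket for `service`."""
        t = unseal(self.tgt_key, tgt)
        _check_auth(t, authenticator, now)
        body = {"user": t["user"], "session": os.urandom(32).hex(), "expires": now + LIFETIME}
        return seal(self.keys[service], body), seal(bytes.fromhex(t["session"]), body)


class Client:
    """Head 1: the user. The password never leaves the client; key possession is proven instead."""
    def __init__(self, realm: str, user: str, password: str):
        self.user, self.key = user, derive_key(password, realm, user)

    def logon(self, kdc: KDC, now: int) -> None:
        self.tgt, enc = kdc.as_exchange(self.user, now)
        self.tgt_session = bytes.fromhex(unseal(self.key, enc)["session"])

    def get_ticket(self, kdc: KDC, service: str, now: int):
        authenticator = seal(self.tgt_session, {"user": self.user, "ts": now})
        ticket, enc = kdc.tgs_exchange(self.tgt, authenticator, service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_session, enc)["session"])

    def ap_request(self, ticket: bytes, svc_session: bytes, now: int):
        return ticket, seal(svc_session, {"user": self.user, "ts": now})


class Service:
    """Head 3: the application server; trusts tickets sealed under its own key."""
    def __init__(self, realm: str, name: str, password: str):
        self.key = derive_key(password, realm, name)
        self.replay_cache = set()   # authenticators already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        auth = _check_auth(t, authenticator, now)
        if (auth["user"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["user"], auth["ts"]))
        return t["user"]


def logon_and_access(password: str, now: int = 1_700_000_000) -> str:
    """Full flow for the constructed realm CONTOSO.LOCAL and service 'lync/fe01'."""
    realm = "CONTOSO.LOCAL"
    kdc = KDC(realm, {"alice": "correct horse", "lync/fe01": "svc-secret"})
    service = Service(realm, "lync/fe01", "svc-secret")
    alice = Client(realm, "alice", password)
    alice.logon(kdc, now)                                   # step 1: AS exchange
    ticket, sk = alice.get_ticket(kdc, "lync/fe01", now)    # step 2: TGS exchange
    return service.accept(*alice.ap_request(ticket, sk, now), now)  # step 3: AP exchange


if __name__ == "__main__":
    print(logon_and_access("correct horse"))   # alice
```

Running the module prints the authenticated user. A wrong password fails at the client, because the AS reply cannot be opened, so nothing ever reaches the service; this is why Kerberos needs the client to reach the KDC (a domain controller on port 88), and why a client outside the firewall that cannot reach one falls back to another protocol.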