How does certificate authority work
This excerpt from a TechNet library article (linked below) refers to OCS 2007 R2, but the process is still mostly the same in Lync (except only TLS is allowed, no TCP at all) and describes the sign-in process pretty well:
Office Communicator must determine which server it should log on to by using the user’s URI (for example, firstname.lastname@example.org) and any manual settings configured on the client. If manual settings were provided, the server to use is clear. However, if the URI was the only indicator provided, some discovery is required.
Communicator discovery varies based on configuration. After the client discovers the server to connect to, it tries to connect by using TCP or TLS over TCP. If TLS is used, the server provides a certificate to
authenticate itself to the client. The client must validate the certificate before it continues. The client might negotiate compression (if using TLS over TCP), and then it initiates a SIP registration.
Next, the client sends a SIP REGISTER message to the server without any credentials. This prompts Office Communications Server to challenge for user credentials, and specifies to the Communicator client the authentication protocols that it accepts.
When it comes to providing credentials, Communicator has two options. Communicator can use the user’s current Windows credentials to log on, or it can prompt the user for credentials.
Hope this helps.
Justin Morris | Consultant | Modality Systems
If this post has been useful please click the green arrow to the left or click "Propose as answer"Source: social.technet.microsoft.com