Lync Server Test-CsKerberosAccountAssignment PowerShell command fails due to an invalid Windows Active Directory configuration

Article ID: 2796134

Symptoms

Lync Server web services can have connectivity issues centered on Kerberos authentication, which affect the Lync client's ability to access them. To address these types of authentication issues, Lync Server allows the delegation of Kerberos authentication for Lync Server web services. This feature provides the convenience of using one synthetic computer account to provision Kerberos authentication for all Lync Server servers that host web services for a Lync Server site. Once the single authentication principal for a site is in place for Lync Server web services, it has to be maintained. The Test-CsKerberosAccountAssignment Lync Server PowerShell command can be used to address authentication issues that may arise from using the single computer account to delegate Kerberos authentication for Lync Server web services.

In the following three scenarios the Test-CsKerberosAccountAssignment PowerShell command will fail due to an invalid Windows Active Directory configuration and the following error information will be returned to the Lync Server Management Shell console:

Scenario 1

Test-CsKerberosAccountAssignment : The service principal name http/pool01.contoso.com was not found on the container contoso\kerberosacct.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<<  -Identity "site:central
    + CategoryInfo          : InvalidOperation: ([0] http/pool01.contoso.com:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
    + FullyQualifiedErrorId : ServicePrincipalNameError,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the log file for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-9e053676-c546-4e8a-ae71-03d554ba59f3.html".

Scenario 2

Test-CsKerberosAccountAssignment : The Kerberos configuration on server02.contoso.com is invalid. The expected assigned account is contoso\kerberostest. Ensure that the account has not expired, and the configured password on the machine matches the Active Directory password of the account.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<<  -Identity "site:central"
    + CategoryInfo          : InvalidData: ([0] contoso\kerberosacct:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
    + FullyQualifiedErrorId : InvalidKerberosConfiguration,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the logfile for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-d4c0954c-5c02-4f32-816d-7ff7a0bd5495.html".

Scenario 3

Test-CsKerberosAccountAssignment : The Kerberos configuration on server04.contoso.com is invalid. The expected assigned account is contoso\testkerberos. Ensure that the account has not expired, and the configured password on the machine matches the Active Directory password of the account.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<<  -Identity "site:central"
    + CategoryInfo          : InvalidData: ([0] contoso\kerberosacct:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
    + FullyQualifiedErrorId : InvalidKerberosConfiguration,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the log file for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-d7a69316-bb4b-456c-a3a9-5628bbfa389a.html".

Cause

Scenario 1

The Lync Server PowerShell command Enable-CsTopology was not issued as the next step after the Lync Server PowerShell command New-CsKerberosAccountAssignment was issued.

Scenario 2

The Lync Server PowerShell command Set-CsKerberosAccountPassword was not issued after either of the following:

  • The New-CsKerberosAccountAssignment and Enable-CsTopology Lync Server PowerShell commands were issued
  • The Lync Server Kerberos account had been created using the New-CsKerberosAccount Lync Server PowerShell command

Scenario 3

A new Lync Server server was added to the site's topology.

Resolution

The following three resolution scenarios will require the use of a computer that hosts the Lync Server Administrative tools and permissions that are equivalent to the RTCUniversalServerAdmins group.

Using Server 2008

  1. Click on Start, then choose All Programs
  2. Choose Microsoft Lync Server, then click on Lync Server Management Shell

Using Server 2012

  1. Press the Windows logo key to access the Start screen, then click on the Lync Server Management Shell tile

Scenario 1

From the Lync Server Management Shell, issue the Lync Server PowerShell commands listed in the example below:

  1. PS C:\Users\Administrator.CONTOSO>New-CsKerberosAccountAssignment -UserAccount "contoso\kerberostest" -Identity "site:Central"
  2. PS C:\Users\Administrator.CONTOSO>Enable-CsTopology

Note The steps listed above will add the Service Principal Name (SPN) for web services to the contoso\kerberostest account.

Scenario 2

From the Lync Server Management Shell issue the following Lync Server PowerShell commands that are listed in the example below:

  1. Set-CsKerberosAccountPassword -UserAccount "contoso\kerberostest"

Note The step listed above will set a new secure password for the contoso\kerberostest computer account.

Scenario 3

When new Lync Servers are added to a Lync Server site, their web services components keep the Kerberos credentials from their original Windows Active Directory computer account. This excludes them from using the Lync Server Kerberos single authentication principal assignment that may be in place. The command below assigns the Lync Server Kerberos single authentication principal to the new Lync Server. From the Lync Server Management Shell, issue the following Lync Server PowerShell command:

  1. Set-CsKerberosAccountPassword -FromComputer "server01.contoso.com" -ToComputer "server02.contoso.com"

Note The Set-CsKerberosAccountPassword -FromComputer value should be the FQDN of a Lync Server that has the correct secure password assignment.
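
The two FullyQualifiedErrorId values shown under Symptoms are enough to route a failure to the matching resolution. The PowerShell below is an added example, not part of the Microsoft article: Get-KerberosAssignmentRemedy is a hypothetical helper, and the sample records are constructed from the error text above.

```powershell
# Added example. Get-KerberosAssignmentRemedy is a hypothetical helper, not a Lync Server cmdlet.
function Get-KerberosAssignmentRemedy {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $ErrorRecord)
    process {
        # FullyQualifiedErrorId has the form "<error id>,<cmdlet type name>".
        $id   = ([string]$ErrorRecord.FullyQualifiedErrorId).Split(',')[0]
        $text = [string]$ErrorRecord.Exception.Message
        $r = @{ ErrorId = $id; Scenario = 'unknown'; Target = $null; Account = $null
                Remedy  = 'Not covered here; review the HTML report named in the warning.' }
        switch ($id) {
            'ServicePrincipalNameError' {
                # Scenario 1: the SPN was never written to the Kerberos account.
                if ($text -match 'service principal name (\S+) was not found on the container (\S+)\.') {
                    $r.Target = $Matches[1]; $r.Account = $Matches[2]
                }
                $r.Scenario = '1'
                $r.Remedy   = 'Run Enable-CsTopology after New-CsKerberosAccountAssignment.'
            }
            'InvalidKerberosConfiguration' {
                # Scenarios 2 and 3 share this id; the cause decides which command applies.
                if ($text -match 'configuration on (\S+) is invalid\. The expected assigned account is (\S+)\.') {
                    $r.Target = $Matches[1]; $r.Account = $Matches[2]
                }
                $r.Scenario = '2 or 3'
                $r.Remedy   = "Password never set: Set-CsKerberosAccountPassword -UserAccount $($r.Account). " +
                              "Server newly added: Set-CsKerberosAccountPassword -FromComputer " +
                              "<server with the correct password> -ToComputer $($r.Target)."
            }
        }
        New-Object PSObject -Property $r | Select-Object Scenario, ErrorId, Target, Account, Remedy
    }
}

# Constructed sample records that reuse the error text from the Symptoms section (second message shortened).
$cmdlet  = 'Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet'
$samples = @(
    @{ Id  = "ServicePrincipalNameError,$cmdlet"
       Msg = 'The service principal name http/pool01.contoso.com was not found on the container contoso\kerberosacct.' },
    @{ Id  = "InvalidKerberosConfiguration,$cmdlet"
       Msg = 'The Kerberos configuration on server04.contoso.com is invalid. The expected assigned account is contoso\testkerberos.' }
) | ForEach-Object {
    New-Object PSObject -Property @{ FullyQualifiedErrorId = $_.Id; Exception = (New-Object System.Exception $_.Msg) }
}
$samples | Get-KerberosAssignmentRemedy | Format-List

# Live use; assumes the cmdlet reports these as non-terminating errors:
# Test-CsKerberosAccountAssignment -Identity "site:central" -ErrorVariable kerbErrors -ErrorAction SilentlyContinue
# $kerbErrors | Get-KerberosAssignmentRemedy
```

Because Scenarios 2 and 3 return the same error id, the helper lists both commands and leaves the choice to whether the named server was recently added to the site.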

More information

For more details on troubleshooting the Lync Server Kerberos single authentication principal, review the TechNet web sites and blog sites listed below:

Kerberos and Microsoft Lync Server 2010 Web Services

New-CsKerberosAccount

New-CsKerberosAccountAssignment

Set-CsKerberosAccountPassword
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2796134 - Last Review: July 21, 2013 - Revision: 1.1
Applies to
  • Microsoft Lync Server 2010 Enterprise Edition
  • Microsoft Lync Server 2010 Standard Edition
  • Microsoft Lync Server 2013