Symptoms
Lync Server web services can have connectivity issues that are specific to Kerberos authentication and that affect the Lync client's ability to access them. To address these authentication issues, Lync Server allows Kerberos authentication for its web services to be delegated to a single synthetic computer account, which provisions Kerberos authentication for every Lync Server server that hosts web services for a Lync Server site. Once this single authentication principal is in place for a site's web services, it must be maintained. The Test-CsKerberosAccountAssignment Lync Server PowerShell command can be used to diagnose authentication issues that arise from using the single computer account to delegate Kerberos authentication for Lync Server web services.
In the following three scenarios the Test-CsKerberosAccountAssignment PowerShell command will fail due to an invalid Windows Active Directory configuration and the following error information will be returned to the Lync Server Management Shell console:
Scenario 1
Test-CsKerberosAccountAssignment : The service principal name http/pool01.contoso.com was not found on the container contoso\kerberosacct.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<< -Identity "site:central
+ CategoryInfo: InvalidOperation: ([0] http/pool01.contoso.com:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
+ FullyQualifiedErrorId : ServicePrincipalNameError,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the log file for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-9e053676-c546-4e8a-ae71-03d554ba59f3.html".
Scenario 2
Test-CsKerberosAccountAssignment : The Kerberos configuration on server02.contoso.com is invalid. The expected assigned account is contoso\kerberostest. Ensure that the account has not expired, and the configured password on the machine matches the Active Directory password of the account.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<< -Identity "site:central"
+ CategoryInfo : InvalidData: ([0] contoso\kerberosacct:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
+ FullyQualifiedErrorId : InvalidKerberosConfiguration,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the logfile for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-d4c0954c-5c02-4f32-816d-7ff7a0bd5495.html".
Scenario 3
Test-CsKerberosAccountAssignment : The Kerberos configuration on server04.contoso.com is invalid. The expected assigned account is contoso\testkerberos. Ensure that the account has not expired, and the configured password on the machine matches the Active Directory password of the account.
At line:1 char:33
+ Test-CsKerberosAccountAssignment <<<< -Identity "site:central"
+ CategoryInfo : InvalidData: ([0] contoso\kerberosacct:SourceCollection) [Test-CsKerberosAccountAssignment], Exception
+ FullyQualifiedErrorId : InvalidKerberosConfiguration,Microsoft.Rtc.Management.Deployment.TestKerberosAccountAssignmentCmdlet
WARNING: Test-CsKerberosAccountAssignment encountered errors. Consult the log file for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.
WARNING: Detailed results can be found at
"C:\Users\Administrator.CONTOSO\AppData\Local\Temp\Test-CsKerberosAccountAssignment-d7a69316-bb4b-456c-a3a9-5628bbfa389a.html".
Cause
Scenario 1
The Lync Server PowerShell command Enable-CsTopology was not issued as a next step after the Lync Server PowerShell command New-CsKerberosAccountAssignment was issued.
Scenario 2
The Lync Server PowerShell command Set-CsKerberosAccountPassword was not issued after either:
- The New-CsKerberosAccountAssignment and Enable-CsTopology Lync Server PowerShell commands
- The Lync Server Kerberos account had been created using the New-CsKerberosAccount Lync Server PowerShell command
Scenario 3
A new Lync Server server was added to the site's topology.
Resolution
The following three resolution scenarios will require the use of a computer that hosts the Lync Server Administrative tools and permissions that are equivalent to the RTCUniversalServerAdmins group.
Scenario 1
Using Server 2008
- Click on Start, then choose All Programs
- Choose Microsoft Lync Server, then click on Lync Server Management Shell
- On a server that uses the Start screen, press the Windows logo key to open the Start screen, then click the Lync Server Management Shell tile
From the Lync Server Management Shell issue the following Lync Server PowerShell commands that are listed in the example below:
- New-CsKerberosAccountAssignment -UserAccount "contoso\kerberostest" -Identity "site:Central"
- Enable-CsTopology
Scenario 2
From the Lync Server Management Shell issue the following Lync Server PowerShell commands that are listed in the example below:
- Set-CsKerberosAccountPassword -UserAccount "contoso\kerberostest"
Scenario 3
When new Lync Servers are added to a Lync Server site, their web services components keep the Kerberos credentials of their original Windows Active Directory computer account. This excludes them from the Lync Server Kerberos single authentication principal assignment that may already be in place for the site. The command listed below copies the assigned account's credentials from a server that already uses the single authentication principal (the -FromComputer value) to the new Lync Server (the -ToComputer value). From the Lync Server Management Shell issue the following Lync Server PowerShell command that is listed in the example below:
- Set-CsKerberosAccountPassword -FromComputer "server01.contoso.com" -ToComputer "server02.contoso.com"
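The three resolutions above each answer a different failure reported by Test-CsKerberosAccountAssignment. The following script is an added example, not part of this article or of the Lync Server product, that runs the test as a terminating error and uses the FullyQualifiedErrorId values shown in the Symptoms section (ServicePrincipalNameError, InvalidKerberosConfiguration) to point an administrator at the matching cause and fix. It only reports; it changes nothing. The site identity "site:Central", the account "contoso\kerberostest" and the server names are the article's own placeholders, the report file name is an assumption, and the -Report parameter of Test-CsKerberosAccountAssignment is the cmdlet's documented parameter for choosing where the HTML log is written.

```powershell
# Added example (not from the original article): triage Test-CsKerberosAccountAssignment
# failures and map them to the three cause scenarios. Run from the Lync Server
# Management Shell with RTCUniversalServerAdmins-equivalent rights.
# Assumed values: replace with your own site, account and servers.
$Site       = "site:Central"
$Account    = "contoso\kerberostest"
$ReportPath = Join-Path $env:TEMP "Test-CsKerberosAccountAssignment-triage.html"  # assumed file name

# 1. Confirm which account the site expects before testing anything.
$assignment = Get-CsKerberosAccountAssignment -Identity $Site
if (-not $assignment) {
    Write-Warning "No Kerberos account assignment exists for $Site; nothing to test."
    return
}
"Site $Site is assigned to $($assignment.UserAccount)"

# 2. Run the test as a terminating error so the error id and message can be inspected.
$errorId = $null
$message = $null
try {
    Test-CsKerberosAccountAssignment -Identity $Site -Report $ReportPath -ErrorAction Stop
    "Kerberos account assignment for $Site is healthy. Report: $ReportPath"
    return
}
catch {
    $errorId = $_.FullyQualifiedErrorId
    $message = $_.Exception.Message
    Write-Warning ("Test failed ({0}): {1}" -f $errorId, $message)
}

# 3. Map the error id to the documented cause and fix. The HTML report should be
#    reviewed before any of the suggested commands are run.
switch -Wildcard ($errorId) {
    "ServicePrincipalNameError*" {
        # Scenario 1: the SPNs were never published because Enable-CsTopology did not
        # follow New-CsKerberosAccountAssignment.
        "Cause: Enable-CsTopology was not run after New-CsKerberosAccountAssignment."
        "Fix:   Enable-CsTopology"
    }
    "InvalidKerberosConfiguration*" {
        # Scenario 2 or 3: the password stored on the named server does not match the
        # account. The failing server is named in the message text.
        $server = ([regex]'configuration on (\S+) is invalid').Match($message).Groups[1].Value
        "Cause: password on $server does not match $Account (Scenario 2), or $server was added to the site after the assignment (Scenario 3)."
        "Fix (Scenario 2): Set-CsKerberosAccountPassword -UserAccount `"$Account`""
        "Fix (Scenario 3): Set-CsKerberosAccountPassword -FromComputer <fqdn of an already-assigned server> -ToComputer `"$server`""
    }
    default {
        "Unrecognised error id '$errorId'; review the detailed report at $ReportPath"
    }
}
```

Because Set-CsKerberosAccountPassword -UserAccount resets the account's password in Active Directory and on every server in the assignment, the script prints that command rather than running it; the Scenario 3 form (-FromComputer/-ToComputer) is the narrower fix when only a newly added server fails the test.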
More Information
For more details on troubleshooting the Lync Server Kerberos single authentication principal, review the TechNet web sites and blog sites listed below:
Kerberos and Microsoft Lync Server 2010 Web Services
New-CsKerberosAccount
New-CsKerberosAccountAssignment
Set-CsKerberosAccountPassword