Wednesday, July 13, 2011

Kerberos Web Authentication for Lync Web Services

I know that everyone runs the Lync Best Practices Analyzer (BPA) on a regular basis…right?  After running the BPA, you might see the following warning:

Pool fully qualified domain name (FQDN) "fqdn" is not found as a http service principal name (SPN) on any user or computer.  Kerberos web authentication is not configured.

[Screenshot: Lync Kerb - BPA warn]

The warning appears because Lync runs the Web Services under the NetworkService account, and SPNs cannot be assigned to NetworkService (this is a change from how OCS handled it).

I am not going to address the "why use Kerberos authentication?" question, because there is already a great article written by Jens Trier Rasmussen.  I suggest reading it before proceeding.

The rest of this post will describe the process of enabling Kerberos authentication for the Lync Web Services.

1) Create a Kerberos account

Pre-req: member of Domain Admins and computer running Lync Management Shell (LMS)

From the LMS, run:  New-CsKerberosAccount -UserAccount "Domain\UserAccount" -ContainerDN "CN=Users,DC=DomainName,DC=DomainExtension"

My command:  New-CsKerberosAccount -UserAccount "Homelab\LyncKerbAcct" -ContainerDN "OU=UC Objects,DC=homelab,DC=local"

[Screenshot: Lync Kerb - create acct]

Note that the -UserAccount parameter is used even though we are creating a computer account with this command.

[Screenshot: Lync Kerb - create acct aduc - markup]

2) Assign the Kerberos account to a site

Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)

To use the Kerberos account, you must assign it to a site.  While you can create multiple Kerberos accounts for your environment, you can only assign one account per Lync site.

From the LMS run: New-CsKerberosAccountAssignment -UserAccount "Domain\UserAccount" -Identity "site:SiteName"

My command: New-CsKerberosAccountAssignment -UserAccount "Homelab\LyncKerbAcct" -Identity "site:Datacenter"

Then run Enable-CsTopology to publish the assignment.

[Screenshot: Lync Kerb - assign site]

3) Set the Kerberos account password and synchronize it to IIS

Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)

From the LMS run: Set-CsKerberosAccountPassword -UserAccount "Domain\UserAccount"

My command: Set-CsKerberosAccountPassword -UserAccount "Homelab\LyncKerbAcct"

[Screenshot: Lync Kerb - set password]

If any servers are later added to the topology in the site (such as Front Ends and Directors), you will need to synchronize the Kerberos account password to IIS on the new server.

From LMS run: Set-CsKerberosAccountPassword -FromComputer SourceComputer -ToComputer DestinationComputer

My command: Set-CsKerberosAccountPassword -FromComputer lablyncfe01.homelab.local -ToComputer lablyncfe02.homelab.local

[Screenshot: Lync Kerb - set assign]

4) Testing to make sure Kerberos is working properly

To test that Kerberos is fully functional within a site, run the following command to generate a report:

From LMS run: Test-CsKerberosAccountAssignment -Identity "site:SiteName" -Report "C:\reportpath\reportname.htm" -Verbose

My command: Test-CsKerberosAccountAssignment -Identity "site:Datacenter" -Report "C:\Temp\KerbTest.htm"

[Screenshot: Lync Kerb - test command]

Report generated:

[Screenshot: Lync Kerb - test report]
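As an added example (not from the original post), here is a script that strings steps 1 through 4 together and finishes with an SPN check tied back to the BPA warning. It is meant to be run from the Lync Management Shell by an account that is both a Domain Admin and a member of RTCUniversalServerAdmins; the account, OU, site, pool FQDN and server names are constructed placeholders, and the setspn.exe check assumes that tool is present on the server.

```powershell
# Added example: end-to-end Kerberos web authentication setup for one Lync site.
# All names below are constructed placeholders; replace them with your own.
param(
    [string]$KerbAccount  = "Homelab\LyncKerbAcct",
    [string]$ContainerDN  = "OU=UC Objects,DC=homelab,DC=local",
    [string]$Site         = "site:Datacenter",
    [string]$PoolFqdn     = "lyncpool.homelab.local",   # pool FQDN named in the BPA warning
    [string[]]$WebServers = @("lablyncfe01.homelab.local", "lablyncfe02.homelab.local"),
    [string]$ReportPath   = "C:\Temp\KerbTest.htm"
)

# Any cmdlet error terminates the script instead of leaving a half-configured site.
$ErrorActionPreference = "Stop"

# Step 1: create the Kerberos computer account (-UserAccount despite it being a computer object).
New-CsKerberosAccount -UserAccount $KerbAccount -ContainerDN $ContainerDN

# Step 2: only one Kerberos account may be assigned per site; publish the change afterwards.
New-CsKerberosAccountAssignment -UserAccount $KerbAccount -Identity $Site
Enable-CsTopology

# Step 3: set the account password, then copy it to IIS on every other web server
# in the site, using the first server as the source.
Set-CsKerberosAccountPassword -UserAccount $KerbAccount
$source = $WebServers[0]
foreach ($target in ($WebServers | Select-Object -Skip 1)) {
    Set-CsKerberosAccountPassword -FromComputer $source -ToComputer $target
}

# Step 4: produce the readiness report for the site.
Test-CsKerberosAccountAssignment -Identity $Site -Report $ReportPath -Verbose

# Extra check (assumption: setspn.exe is available): the http/<pool FQDN> SPN that the
# BPA complained about must now be registered, and on exactly one object. A duplicate
# SPN silently breaks Kerberos, so treat anything other than one match as a failure.
$spnOutput = & setspn.exe -Q "http/$PoolFqdn"
$spnLines  = @($spnOutput | Where-Object {
    $_ -match ("^\s*http/" + [regex]::Escape($PoolFqdn) + "\s*$")
})
if ($spnLines.Count -ne 1) {
    throw "Expected exactly one http/$PoolFqdn SPN, found $($spnLines.Count):`n$($spnOutput -join "`n")"
}
Write-Host "Kerberos web authentication configured for $Site; report written to $ReportPath"
```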

Hope this helps!

9 comments:

  1. Great guide, thanks!

  2. Just FYI, I have many Lync servers, so I skipped Step 3. And the test failed. After more reading, I found enable-cstopology will force that same sync to all Lync servers.

  3. do you have to do this? I have existing system that works fine, do l still need to do this? will the procedure change if l have to do this for existing system?

    Replies
    1. This is not required and your implementation will work fine without it. Kerberos auth is more efficient and considered best practice.

  4. A further heads up... I was having trouble connecting to the Control Panel (the URL worked fine) as well as getting the "Credentials are Required" box on many users. Manually typing the creds didn't work.
    Finally found that an overzealous Administrator had deleted my Lync Kerberos Account.
    Thanks for the process of re-adding the account!

  5. Our company offers top-quality web development services in Germany. We currently provide web and mobile application development services. http://www.accuratesolutionsltd.com/web-entwicklung/

  6. Your blog is very interesting, I read every article and I really like it! Thank you very much, I look forward to new articles and tips.
