Extending existing Kerberos authentication to a new Lync Server 2013 deployment

Recently I was deploying Lync Server 2013 into an existing Lync Server 2010 environment that had Kerberos authentication configured for web services. Based on TechNet documentation, I was under the impression the new servers would take up the Kerberos account assignment automatically, but I was wrong.

We found that Lync 2013 failed to sign into the Lync Server 2013 pool. When we checked Fiddler, we were getting back an Unauthorised response from the Lync Server 2013 pool.

Synchronise the Kerberos Authentication Account to Lync Server 2013

After a deeper dig into TechNet (specifically the article Synchronize a Kerberos Authentication Account Password to IIS), I found that I needed to synchronise the existing Kerberos account from a Lync Server 2010 server to the new Lync Server 2013 Front End servers.

To do this, I ran this cmdlet to synchronise the Kerberos account from the 2010 pool to the 2013 server:

Set-CsKerberosAccountPassword -FromComputer 2010pool.contoso.com -ToComputer 2013fe1.contoso.com

I repeated this for each Lync Server 2013 Front End server just to cover all the bases.

Validation

Finally, I validated that the 2013 servers had the Kerberos account synchronised to them using the Test-CsKerberosAccountAssignment cmdlet from the TechNet article Test and Report Functional Readiness for Kerberos Authentication.

To do this, I ran the following cmdlet to generate a report that showed me that the 2013 servers had the account synchronised to them:

Test-CsKerberosAccountAssignment -Identity "site:UK" -Report "c:\logs\KerberosReport.htm" -Verbose

Once the report was generated, I opened it up to check that the new Lync Server 2013 Front End servers were listed and were marked as Successful.

When this process was completed, Lync 2013 successfully signed into the new Lync Server 2013 pool.
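
The synchronise-then-validate procedure above, written as one script for the Lync Server Management Shell. This is an added example and not part of the original post: it loops over every computer in the new pool so that no Front End server is missed, and records any server where the synchronisation failed. The pool name 2013pool.contoso.com is an assumed placeholder; the other values are the ones used in the post.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell
# with rights to manage the Kerberos account assignment.

$sourceComputer = '2010pool.contoso.com'        # existing computer holding the Kerberos account password (from the post)
$targetPool     = '2013pool.contoso.com'        # ASSUMPTION: placeholder FQDN of the new Lync Server 2013 pool
$site           = 'site:UK'                     # site identity used in the post
$reportPath     = 'c:\logs\KerberosReport.htm'  # report path used in the post

# Enumerate every computer that is a member of the 2013 pool.
$frontEnds = (Get-CsPool -Identity $targetPool).Computers

# Synchronise the Kerberos account password to each Front End server,
# continuing past failures so that one unreachable server does not stop the rest.
$failed = @()
foreach ($fe in $frontEnds) {
    try {
        Set-CsKerberosAccountPassword -FromComputer $sourceComputer -ToComputer $fe -ErrorAction Stop
        Write-Host "Synchronised Kerberos account password to $fe"
    }
    catch {
        $failed += $fe
        Write-Warning "Synchronisation to $fe failed: $($_.Exception.Message)"
    }
}

# Generate the readiness report for the site; each 2013 Front End server
# should be listed in it and marked as successful.
Test-CsKerberosAccountAssignment -Identity $site -Report $reportPath -Verbose

# Summarise anything that still needs attention before clients are pointed at the pool.
if ($failed.Count -gt 0) {
    Write-Warning ("Not synchronised: " + ($failed -join ', '))
}
```

The account password ends up on every server it is synchronised to, so run this only against the servers that host the web services for the site.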
