Microsoft Lync Server 2010 continues to support both Kerberos and NTLM authentication when accessing the web services hosted on Lync Server 2010; in fact, Kerberos is the recommended deployment option. There are a number of advantages to using Kerberos over NTLM, including faster authentication, mutual authentication and a richer feature set.
To use Kerberos authentication against a service, it is necessary to have an AD object that holds the Service Principal Name (SPN) of the service and acts as the authentication principal for the application pool running the service. In OCS 2007/OCS 2007 R2 these AD objects were the user accounts used to run the services, typically RTCService and RTCComponentService. In Lync Server 2010 all services and application pools run as Network Service, so there are no such objects to hold the SPNs and to authenticate against.
Using normal user accounts in OCS 2007/OCS 2007 R2 had the added complexity that they typically fell under password expiration policies, leading to expired passwords and potential service downtime. Additionally, being user accounts, they held certain privileges in the AD forest.
Design
To solve the problem of the missing AD object to hold the SPN(s), the missing authentication principal and the issues around using normal user accounts, Lync Server 2010 introduces the use of computer account objects for this purpose. They can hold the SPNs, can be used as authentication principals and are not subject to password expiration policies.
Configuration and how it works
To make it easy to configure the use of Kerberos authentication a number of PS cmdlets have been implemented:
Deployment Considerations
You can use the same Kerberos account for one or more sites. Depending on your site structure, network infrastructure and administration model, it might be advisable to use one Kerberos account per site. For instance, if you use only one Kerberos account and have a global deployment with central administration, updating the Kerberos account password means that the machine on which you run the PS cmdlet needs to contact, via DCOM, all servers running the WebServices service in all sites [1]. Depending on your network infrastructure this might take a long time.
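As an added example (not code from the original post), the following PowerShell script sets up one Kerberos account per site, as suggested above, so that a later password update only has to contact the Front Ends of that site. The site names, account names and container DN are assumed values; the cmdlets themselves (New-CsKerberosAccount, New-CsKerberosAccountAssignment, Enable-CsTopology, Set-CsKerberosAccountPassword) are the Lync Server 2010 Management Shell cmdlets.

```powershell
# Added example, not from the original post. Assumed environment: domain contoso.com,
# two sites, and one dedicated Kerberos (computer) account per site.
$containerDN = "CN=Computers,DC=contoso,DC=com"
$assignments = @{
    "site:Copenhagen" = "contoso\KerbAuthCPH"
    "site:Redmond"    = "contoso\KerbAuthRED"
}

foreach ($site in $assignments.Keys) {
    $account = $assignments[$site]
    # Create the computer account object that will hold the SPNs and act as the
    # authentication principal for the web services application pools.
    New-CsKerberosAccount -UserAccount $account -ContainerDN $containerDN
    # Tie the account to its site; the SPNs are derived from the site's
    # web service pool FQDNs in the topology document.
    New-CsKerberosAccountAssignment -UserAccount $account -Identity $site
}

# Publish the assignments so the Front Ends pick them up and the SPNs get registered.
Enable-CsTopology

# Set a password for each account and push it to the Front Ends running the
# WebServices service. With one account per site, each call only contacts
# the servers of that site instead of every site in the deployment.
foreach ($account in $assignments.Values) {
    Set-CsKerberosAccountPassword -UserAccount $account
}
```

If a Front End was added after the password was set, Set-CsKerberosAccountPassword also supports copying the existing password from one server to another with its -FromComputer and -ToComputer parameters rather than regenerating it for the whole site.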
Operations
Troubleshooting
One problem you might see due to a faulty Kerberos configuration is that access to Web Services or the Lync Server Control Panel keeps prompting for username and password, even when the correct credentials are given.
The following PS cmdlets are very helpful in diagnosing what could be wrong in an environment:
You can also use the Windows 2008 command setspn -L <Kerberos account> to list the SPNs registered on the Kerberos account. The SPNs are stored in the servicePrincipalName attribute on the computer account object in AD.
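The following added example (not code from the original post) walks through the troubleshooting steps above for one site: it shows which account is assigned, runs the built-in assignment test, and then compares the HTTP SPNs that setspn -L reports for the account against the web service pool FQDNs in the topology, which is the mismatch that typically produces the repeated credential prompts. The site name, account name and report path are assumed values; the HTTP/<pool FQDN> SPN format is what Lync registers for its web services.

```powershell
# Added example, not from the original post. Assumed: site "site:Copenhagen" is
# assigned the Kerberos account "contoso\KerbAuthCPH".
$site        = "site:Copenhagen"
$kerbAccount = "contoso\KerbAuthCPH"

# 1. Which Kerberos account (if any) is assigned to the site?
Get-CsKerberosAccountAssignment -Identity $site | Format-List Identity, UserAccount

# 2. Can every Front End in the site use the account? Writes an HTML report.
Test-CsKerberosAccountAssignment -Identity $site -Report "C:\Logs\KerbAssignment.html" -Verbose

# 3. List the SPNs actually registered on the computer account object.
#    setspn -L prints a header line followed by one indented SPN per line.
$samName = ($kerbAccount -split '\\')[1]
$spns = setspn -L $samName |
    Where-Object { $_ -match '^\s+HTTP/' } |
    ForEach-Object { $_.Trim() }

# 4. Every web server pool FQDN in the topology should have a matching HTTP/ SPN.
#    A MISSING line points at the pool whose users will get the endless credential prompt.
$poolFqdns = Get-CsService -WebServer | Select-Object -ExpandProperty PoolFqdn
foreach ($fqdn in $poolFqdns) {
    if ($spns -contains "HTTP/$fqdn") {
        "OK       HTTP/$fqdn"
    } else {
        "MISSING  HTTP/$fqdn  (re-run Enable-CsTopology after checking the assignment)"
    }
}
```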
Acknowledgements
Thanks to Jason, Adit, Weimin and Peter for background information
[1] To see the servers in the topology running the WebServices service, use the PS cmdlet Get-CsService -WebServer.
Why do we actually do this? I mean, is it optional?
Jens: Yes, it's optional, since we'll fallback to using NTLM. However it is recommended to use Kerberos.
Do you know if developers can create some plugins to provide other types of authentication, like OAuth, for example? Thank you!
Jens> I don't believe that is possible.
The cmdlets seem to set up SPNs for the DNS load balanced pool names, but not the hardware load balanced web names. This doesn't seem right. For instance if you have pool.contoso.com with two IP addresses in DNS for a two-node FE pool and another A record web.contoso.com, which resolves to the VIP on the HLB for web traffic, even though Lync knows about the name it does not add an SPN for it. Is this an oversight in the documentation or in the coding of the cmdlets?
Jens> The cmdlet should add SPNs of PoolFqdns based on the topology document, i.e. get-csservice -webserver | fl poolfqdn
Why the need to be a domain admin to create this computer account? Is there a method of granting elevated permissions for the purpose of account creation?
Jens> You need the correct permissions to create the account, and I don't know if there is a way to do it using elevated permissions.
Jens> Courtesy of Peter, here is a link explaining more about the advantages of using Kerberos over NTLM: msdn.microsoft.com/.../aa480475.aspx
Hi Jens,
I have a single pool, with 1 FE in it (Enterprise). When I enabled Kerberos I noticed that I no longer had access to the Lync Control Panel. I added my ControlPanel Url to my "Local Intranet" zone in IE and this seemed to have worked for the FE. But when I go to any other server that I want to access my Control Panel from and do the above, I get blocked with a 401 error? Undo the Kerberos authentication and I go back to having access from everywhere? Have I missed a step?
Jens> Please try to issue the cmd set-cskerberosaccountpassword -user <user> to make sure all FEs in the environment have the correct password. You can also try test-cstopology to see if it complains about Kerberos issues. If it still fails, I think the best option is to contact Microsoft Product Support.
Thanks for the good info Jens