Jens Trier Rasmussen

The odd bit of information about Lync Server 2013, Lync 2010, Exchange 2013, SharePoint Server 2013, Exchange 2010 SP1, OCS 2007 R2, Exchange 2010 and OC 2007 R2

Kerberos and Microsoft Lync Server 2010 Web Services


Microsoft Lync Server 2010 continues to support both Kerberos and NTLM authentication for access to the web services hosted on Lync Server 2010; in fact Kerberos is the recommended deployment option. There are a number of advantages to using Kerberos, including faster authentication, mutual authentication (the client verifies the service as well as the other way round) and more features available compared to NTLM.

To use Kerberos authentication against a service it is necessary to have an AD object that holds the Service Principal Name (SPN) of the service and that acts as the authentication principal for the application pool running the service. In OCS 2007/OCS 2007 R2 these AD objects were the user accounts used to run the services, typically RTCService and RTCComponentService. In Lync Server 2010 all services and application pools run as Network Service, so there are no objects to hold the SPNs and to authenticate against.

Using normal user accounts in OCS 2007/OCS 2007 R2 had the added complexity that they typically fell under password expiration policies, leading to expired passwords and potential service downtime. Additionally, being user accounts, they held certain privileges in the AD forest.

Design

To solve the problem of a missing AD object to hold the SPN(s), a missing authentication principal and the issues around using normal user accounts, Lync Server 2010 introduces the use of computer account objects for this purpose. They can hold the SPNs, can be used as authentication principals and are not subject to password expiration policies.

Configuration and how it works

To make it easy to configure the use of Kerberos authentication a number of PS cmdlets have been implemented:

  • New-CsKerberosAccount - creates a new computer account which IIS can authenticate against and which holds the relevant SPNs. It is done by using LDAP to access a domain controller in the domain you specify for the account
  • New/Set-CsKerberosAccountAssignment – assigns the Kerberos account to a site in the CMS
  • Enable-CsTopology - based on the Kerberos account assignments, updates the SPNs on the account as specified in the topology. It is done by using LDAP to access a domain controller in the domain you have specified for the account. The administrator running Enable-CsTopology needs to be 1) a member of RTCUniversalServerAdmins and 2) granted setup permission for the AD container(s) in which the SPNs are located in order to add/remove them – this is done through setup delegation using Grant-CsSetupPermission.
  • Set-CsKerberosAccountPassword – has two modes of operation depending on the parameters used:
    • 1) It configures IIS on every server running the WebServices[1] service in every site associated with the account and resets the password for the computer account in AD
    • 2) It configures IIS on a specific server running the WebServices service, using another server running the WebServices service as the source for the password (so the account password in AD is not reset)
    • The updating of IIS is done via DCOM to talk to ServerManager remotely. The reset of the password is done via LDAP
  • Remove-CsKerberosAccountAssignment - removes the Kerberos account assignment from a site in the CMS

Deployment Considerations

You can use the same Kerberos account for one or more sites. Depending on your site structure, network infrastructure and administration model it may be preferable to use one Kerberos account per site. For instance, if you use only one Kerberos account and have a global deployment with central administration, updating the Kerberos account password will mean that the machine on which you run the PS cmdlet needs to contact all servers running the WebServices service in all sites using DCOM. Depending on your network infrastructure this might take a long time, and a single unreachable server leaves that server with a stale password.

Operations

  • Whenever you add a site you need to decide if you want to enable Kerberos, and how you want to create or re-use the Kerberos account.
  • Whenever you add a Kerberos account assignment to a site you need to enable the topology using the PS cmdlet Enable-CsTopology, so that the SPNs are written to the account.
  • Whenever you add a server running the WebServices service to a site to which a Kerberos account has been assigned, you need to configure IIS and set the password on the new server. This is done using the PS cmdlet Set-CsKerberosAccountPassword.
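The full procedure above, end to end in the Lync Server Management Shell, as an added example that is not part of the original post. The site name (Redmond), domain (contoso.com), account name (KerbAuth), container DN and server names are assumptions for illustration; the cmdlet and parameter names are the ones the post describes.

```powershell
# Added example. Run in the Lync Server Management Shell as a member of
# RTCUniversalServerAdmins who also holds setup permission (Grant-CsSetupPermission)
# on the container that will hold the SPNs. All names below are illustrative.
$account   = "contoso\KerbAuth"                     # assumed account name
$container = "CN=Computers,DC=contoso,DC=com"       # assumed container DN
$site      = "site:Redmond"                         # assumed site identity

# 1. Create the computer account that holds the SPNs and acts as the
#    authentication principal for the web services application pools.
New-CsKerberosAccount -UserAccount $account -ContainerDN $container

# 2. Assign the account to the site in the Central Management Store.
New-CsKerberosAccountAssignment -UserAccount $account -Identity $site

# 3. Publish the assignment: Enable-CsTopology writes an HTTP/<PoolFqdn> SPN
#    for each web services pool in the site onto the computer account (LDAP).
Enable-CsTopology

# 4. Mode 1 of Set-CsKerberosAccountPassword: reset the account password in AD
#    and push it (via DCOM) to IIS on every WebServices server in every site
#    that uses this account.
Set-CsKerberosAccountPassword -UserAccount $account

# 5. Verify the assignment, the account attributes and the IIS configuration
#    on every WebServices server in the site.
Test-CsKerberosAccountAssignment -Identity $site -Report "C:\Logs\KerbAuth-Redmond.html" -Verbose

# Later: a new Front End (fe02, assumed) joins a pool in this site. Mode 2 copies
# the existing password from a server that already has it (fe01, assumed) to the
# new server only, without resetting the password everywhere.
Set-CsKerberosAccountPassword -FromComputer "fe01.contoso.com" -ToComputer "fe02.contoso.com"

# The servers that must hold the password are exactly those returned here:
Get-CsService -WebServer | Format-List PoolFqdn
```

Step 3 is the one that needs the AD setup permission; steps 1 and 4 need rights on the computer object itself. Rerun step 4 whenever you rotate the password, and step 5 after any change, since a server whose IIS configuration holds a stale password fails Kerberos and the client falls back to NTLM (or, as in the troubleshooting section, keeps prompting).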

Troubleshooting

One problem you might see due to a faulty Kerberos configuration is that access to Web Services or the Lync Server Control Panel keeps prompting for username and password, even when the correct credentials are supplied.

The following PS cmdlets are very helpful in diagnosing what could be wrong in an environment:

  • Test-CsKerberosAccountAssignment tests that a Kerberos account assignment is configured for the site, that the Kerberos account attributes are OK and that the IIS configuration is OK on all servers in the site running WebServices
  • Test-CsTopology tests whether a Kerberos account assignment is configured on all sites and checks the attributes of all Kerberos account(s) used in the topology

You can also use the Windows Server 2008 command setspn -L <Kerberos account> to list the SPNs registered on the Kerberos account. The SPNs are stored in the servicePrincipalName attribute on the computer account object in AD. A common cause of failure is an SPN that is missing from the account, or registered on a second account as well (a duplicate SPN), which setspn -Q <SPN> will reveal.
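A check that ties the two facts above together, as an added example that is not part of the original post: it compares the SPNs actually registered on the Kerberos account (from setspn -L) with the HTTP/<PoolFqdn> SPNs the topology says should exist (from Get-CsService -WebServer), and for each missing SPN asks setspn -Q whether some other account already holds it. The account name is an assumption; the "HTTP/<pool FQDN>" SPN form is the one Enable-CsTopology registers for web services pools, per the post.

```powershell
# Added example. Assumes the Lync Server Management Shell (for Get-CsService),
# setspn.exe from Windows Server 2008 or later, and an illustrative account name.
$account = "contoso\KerbAuth"   # assumed Kerberos account

# SPNs actually on the account. setspn -L prints a header line followed by one
# indented SPN per line; keep only the indented lines.
$registered = setspn -L $account |
    ForEach-Object { if ($_ -match '^\s+(\S+)\s*$') { $Matches[1] } }

# SPNs the topology expects: one HTTP/<PoolFqdn> per web services pool.
$expected = Get-CsService -WebServer |
    ForEach-Object { "HTTP/$($_.PoolFqdn)" }

# Case-insensitive comparison: SPNs are matched without regard to case.
$missing = $expected   | Where-Object { $registered -notcontains $_ }
$extra   = $registered | Where-Object { $expected   -notcontains $_ }

if (-not $missing -and -not $extra) {
    Write-Output "SPNs on $account match the topology ($($expected.Count) pool(s))."
}

foreach ($spn in $missing) {
    Write-Warning "Missing on ${account}: $spn"
    # A duplicate elsewhere makes the KDC unable to issue a usable ticket even
    # after Enable-CsTopology adds the SPN here; setspn -Q lists every holder.
    $holders = setspn -Q $spn |
        Where-Object { $_ -match '^CN=' }
    if ($holders) {
        Write-Warning "  $spn is already registered on: $($holders -join '; ')"
    } else {
        Write-Warning "  Not registered anywhere; run Enable-CsTopology and re-check."
    }
}

foreach ($spn in $extra) {
    # Extra SPNs are not an error by themselves (e.g. a pool removed from the
    # topology) but are worth knowing about before reusing the account.
    Write-Output "On $account but not in topology: $spn"
}
```

If the SPNs are correct and the prompting persists, the remaining suspects are the password held by IIS on individual servers (Test-CsKerberosAccountAssignment per site, or Set-CsKerberosAccountPassword to push it again) and the client side, which only attempts Kerberos for a URL it treats as intranet and for which it can reach a KDC.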

Acknowledgements

Thanks to Jason, Adit, Weimin and Peter for background information


[1] To see the servers in the topology running the WebServices service use the PS cmdlet Get-CsService -WebServer

Comments
  • Why do we actually do this ? i mean is it optional ?

    Jens: Yes, it's optional, since we'll fallback to using NTLM. However it is recommended to use Kerberos.

  • Do you know if developers can create some plugins to provide other types of authentication, like OAuth, for example? Thank you!

    Jens>I don't believe that is possible.

  • The cmdlets seem to set up SPNs for the DNS load balanced pool names, but not the hardware load balanced web names.  This doesn't seem right.  For instance if you have pool.contoso.com with two IP addresses in DNS for a two-node FE pool and another A record web.contoso.com, which resolves to the VIP on the HLB for web traffic, even though Lync knows about the name it does not add an SPN for it.  Is this an oversight in the documentation or in the coding of the cmdlets?

    Jens> The cmdlet should add SPNs of PoolFqdns based on the topology document, i.e. get-csservice -webserver | fl poolfqdn

  • Why the need to be a domain admin to create this computer account? Is there a method of granting elevated permissions for the purpose of account creation?

    Jens> You need the correct permissions to create the account, and I don't know if there is a way to do it using elevated permissions.

  • Jens> Courtesy of Peter, here is a link explaining more about the advantages of using Kerberos over NTLM: msdn.microsoft.com/.../aa480475.aspx

  • Hi Jens,

    I have a single pool, with 1 FE in it (Enterprise). When I enabled Kerberos I noticed that I no longer had access to the Lync Control Panel. I added my Control Panel URL to my "Local Intranet" zone in IE and this seemed to have worked for the FE. But when I go to any other server that I want to access my Control Panel from and do the above, I get blocked with a 401 error? Undo the Kerberos authentication and I go back to having access from everywhere? Have I missed a step?

    Jens> Please try to issue the cmd set-cskerberosaccountpassword -user <user> to make sure all FEs in the environment have the correct password. You can also try test-cstopology to see if it complains about Kerberos issues. If it still fails I think the best option is to contact Microsoft Product Support.

  • Thanks for the good info Jens
