3 November 2012

Lync login issue

The Problem
I was having trouble connecting to the Control Panel (The URL worked fine) as well as getting the "Credentials are Required" box on many users.
Id get 4 consecutive "Credentials are Required" boxes as below.






Manually typing the creds didnt work and cancelling or closing the boxes resulted in the client logging in anyway. BUT as you would imaging there is no access to any of the services as reported on in the warnings.
The most obvious was that the GAL wasn't being downloaded or updated anymore

The Culprit
Finally found that an over zelous Administrator had deleted my Lync Kerberos Account.

The fix (4 Steps)

1. Create a Kerberos account
Pre-req: member of Domain Admins and computer running Lync Management Shell (LMS)

New-CsKerberosAccount –UserAccount “LyncLab\KerberosUserAccount” –ContainerDN “CN=Users,DC=LyncLab,DC=local”

Note
The –UserAccount parameter is used even though we are creating a computer account with this command.

2. Assign the Kerberos account to a site
Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)
To use the Kerberos account, you must assign it to a site.  While you can create multiple Kerberos accounts for your environment, you can only assign one account per Lync site.

New-CsKerberosAccountAssignment –UserAccount “LyncLab\KerberosUserAccount” –Identity “site:MyLyncSiteName”

Enable-CsTopology

3. Set Kerberos account password and Synchronize to IIS
Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)
Set-CsKerberosAccountPassword –UserAccount “LyncLab\KerberosUserAccount”

If any servers are added to the topology in the site (like Front-ends and Directors) you will need to synchronize the Kerberos account password to IIS of the new server.

Set-CsKerberosAccountPassword –FromComputer SourceComputerFQDN –ToComputer DestinationComputerFQDN

4) Testing to make sure Kerberos is working properly
To test for full functional readiness of Kerberos within a site, the following command can be run to create a report:

Test-CsKerberosAccountAssignment –Identity “site:MyLyncSiteName” –Report “C:\Temp\Kerberos test.htm” –Verbose

No comments:

Post a Comment