I upgraded my servers to Lync 2013 a few months back and all has been working fine….. but in the past few days, i upgraded a couple of home machines with fresh installs – everything was working ok apart from Lync 2013 client, which came up with access denied errors. (but if signed in on an existing install, everything was still fine)
After some investigation, i found the following event in the System Event Log (event ID 4)
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server im04$. The target name used was HTTP/im04.company.com.au. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.COM.AU) is different from the client domain (company.COM.AU), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
fair enough…. next thing setspn -q http/im04.company.com.au, which returned the account LyncKerbAuth… a computer account created by the lync install process.
“thats correct” i thought…. but after some short searching, found the test PS commandlet of “Test-CSKerberosAccountAssignment -Identity <sitename> -Report “C:TempLog.htm” -Verbose” which failed with lots of red!
Test-CSKerberosAccountAssignment : The Kerberos configuration on im04.company.com.au is invalid. The expected assigned account is companylynckerbauth. Ensure that the account has not expired, and the
configured password on the machine matches the Active Directory password of the account.
After some short searching, the process to reset the account is
- Set-CsKerberosAccountAssignment -UserAccount “CompanyLycKerbAuth” -Identity “site:<sitename>” (this step sets Lync to use that account)
- Enable-CsTopology (this step activates the above change)
- Set-CsKerberosAccountPassword -UserAccount CompanyLyncKerbAuth (this step sorts out the passwords)
Then i ran Test-CSKerberosAccountAssignment -Identity <sitename> -Report “C:TempLog.htm” -Verbose again, and got muchy less red – and all clients can now logon.
Not sure how it broke – maybe something in the 2010 to 2013 migration process that i missed – but it is/was a little odd that it didnt show up for existing clients and seemed to lay dormant for a few months – or it coulld have been something to do with Lync 2013 CU1.
Anyhoo – hope that helps someone else that might into the same issue.