03-25-2019 06:43 AM
03-25-2019 06:43 AM
we are currently migrating from Lync 2010 server to Skype for Business 2015 server.
A user migrated to the skype pool is able to log on a windows 7 machine using Lync 2010 Client.
On a Windows 10 Machine with Lync 2013 client, the logon does not work and credentials are asked.
the autodiscover service seems to be able to discover the correct url (the pool real name was replaced by pool01.domain.com).
the error we get is (translated from french error message)
an error happened during the communication with endpoint on « https://pool01.domain.com/WebTicket/WebTicketService.svc ».
the server sent a HTTP State « 401 (0x191) » with text « Unauthorized ».
the requested resource requires an user authentication
03-26-2019 05:16 AMSolution
well, it turns out that it was a kerberos problem.
I noticed this message in the client :
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the front-end-name$ server. The target name used was HTTP / skype01.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This may occur when the target primary server name (SPN) is registered to a different account than the one used by the target service. Ensure that the target SPN is registered only on the account used by the server. This error can also occur if the target service account password differs from what is configured on the Kerberos Key Distribution Center for this target service. Ensure that the service on the server and Kerberos Key Distribution Center are both configured to use the same password. If the server name is not complete, and the target domain (DOMAIN.COM) differs from the client domain (DOMAIN.COM), check if there are server accounts with the same name in both domains, or use the full name to identify the server.
searching for this error, I found that there was a powershell command to test kerberos account assignment (Test-CsKerberosAccountAssignment).
It returned this error :
The Kerberos configuration on front-end.domain.com is invalid. The expected
assigned account is domain.com\lynckerbacct. Ensure that the account has not expired, and the configured password on
the machine matches the Active Directory password of the account.
so using those addresses
I launched the command Set-CsKerberosAccountPassword -UserAccount domain.com\lynckerbacct and after that, no more error with Test-CsKerberosAccountAssignment and the Lync 2013 client was able to log on without problem.