Kerberos and Microsoft Lync Server 2010 Web Services
Microsoft Lync Server 2010 continues to support Kerberos and NTLM authentication when accessing web services hosted on Lync Server 2010; in fact, Kerberos is the recommended deployment option. There are a number of advantages to using Kerberos, including faster authentication, mutual authentication and more features available compared to NTLM.
To use Kerberos authentication against a service it is necessary to have an AD object that holds the Service Principal Name (SPN) of the service and acts as the authentication principal for the application pool running the service. In OCS 2007/OCS 2007 R2 these AD objects were the user accounts used to run the services, typically RTCService and RTCComponentService. In Lync Server 2010 all services and application pools run as Network Service, so there are no objects to hold the SPNs and authenticate against.
Using normal user accounts in OCS 2007/OCS 2007 R2 had the added complexity that they typically fell under password expiration policies, leading to expired passwords and potential service downtime. Additionally, being user accounts, they held certain privileges in the AD forest.
Design
To solve the problems of a missing AD object to hold the SPN(s), a missing authentication principal and the issues around using normal user accounts, Lync Server 2010 introduces the use of computer account objects for this purpose. They can hold the SPNs, can be used as authentication principals and are not subject to password expiration policies.
Configuration and how it works
To make it easy to configure the use of Kerberos authentication, a number of PS cmdlets have been implemented:
- New-CsKerberosAccount - creates a new computer account which can be used by IIS to authenticate against and which holds the relevant SPNs. This is done by using LDAP to access a domain controller in the domain you specify for the account.
- New/Set-CsKerberosAccountAssignment - assigns the Kerberos account to the site in CMS.
- Enable-CsTopology - based on the Kerberos account assignments, updates the SPNs on the account as specified in the topology. This is done by using LDAP to access a domain controller in the domain you have specified for the account. The administrator running Enable-CsTopology needs to be 1) an RTCUniversalServerAdmin and 2) granted setup permission for the AD container(s) in which the SPNs are located in order to add/remove them; this is done through setup delegation using Grant-CsSetupPermission.
- Set-CsKerberosAccountPassword - has two modes of operation depending on the parameters used:
  1) It configures IIS on every server running the WebServices[1] service in every site associated with the account and resets the password for the computer account in AD.
  2) It configures IIS on a specific server running the WebServices service, using another server running the WebServices service as the source for the password.
  The updating of IIS is done via DCOM to talk to ServerManager remotely. The reset of the password is done via LDAP.
- Remove-CsKerberosAccountAssignment - removes the Kerberos account assignment from a site in CMS.
Deployment Considerations
You can use the same Kerberos account for one or more sites. Depending on your site structure, network infrastructure and administration model it might be advisable to use one Kerberos account per site. For instance, if you use only one Kerberos account and have a global deployment with central administration, updating the Kerberos account password will mean that the machine on which you run the PS cmdlet needs to contact all servers running the WebServices service in all sites using DCOM. Depending on your network infrastructure this might take a long time.
Operations
- Whenever you add a site you need to decide whether you want to enable Kerberos and how you want to create or re-use the Kerberos account.
- Whenever you add a Kerberos account assignment to a site you need to enable the topology using the PS cmdlet Enable-CsTopology.
- Whenever you add a server running the WebServices service into a site which has a Kerberos account assigned, you need to configure IIS and set the password on the new server. This is done using the PS cmdlet Set-CsKerberosAccountPassword.
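The configuration cmdlets and the operations steps above as one PowerShell sequence. This is an added example, not code from the original post or from Microsoft; the account name, container DN, site identity and server FQDNs are constructed, and the parameter names (-UserAccount, -ContainerDN, -Identity, -FromComputer, -ToComputer) are assumed from the Lync Server cmdlet documentation rather than stated on this page.

```powershell
# Constructed sample values; replace with your own.
$KerbAccount = "contoso\LyncKerbAuth"            # domain\computer-account name
$ContainerDN = "CN=Computers,DC=contoso,DC=com"   # container in which the computer object is created
$Site        = "site:Redmond"                     # CMS site identity

# 1) Create the computer account that will hold the SPNs and act as the IIS
#    application pool authentication principal (LDAP to a DC in the account's domain).
New-CsKerberosAccount -UserAccount $KerbAccount -ContainerDN $ContainerDN

# 2) Assign the account to the site in CMS (New-* for the first assignment,
#    Set-* to change an existing one).
New-CsKerberosAccountAssignment -UserAccount $KerbAccount -Identity $Site

# 3) Publish the topology: writes the SPNs for the web services onto the account.
#    The caller must be an RTCUniversalServerAdmin and have setup permission on the
#    container (Grant-CsSetupPermission), otherwise the SPN update fails.
Enable-CsTopology

# 4) Mode 1: configure IIS on every WebServices server in every site that uses the
#    account (DCOM to ServerManager) and reset the account password in AD (LDAP).
Set-CsKerberosAccountPassword -UserAccount $KerbAccount

# Later, when a new WebServices server joins the site (Operations, third bullet):
# Mode 2 copies the password from an already-configured server to the new one
# instead of resetting it, so the existing servers keep working.
$ExistingServer = "fe01.contoso.com"   # constructed
$NewServer      = "fe02.contoso.com"   # constructed
Set-CsKerberosAccountPassword -FromComputer $ExistingServer -ToComputer $NewServer

# To stop using Kerberos on the site, remove the assignment and republish
# (authentication falls back to NTLM):
# Remove-CsKerberosAccountAssignment -Identity $Site; Enable-CsTopology
```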
Troubleshooting
One problem you might see due to a faulty Kerberos configuration is that access to Web Services or Lync Server Control Panel keeps prompting for username and password, even if the correct credentials are given.
The following PS cmdlets are very helpful in diagnosing what could be wrong in an environment:
- Test-CsKerberosAccountAssignment tests that Kerberos account assignment is configured, the Kerberos account attributes are OK and that the IIS configuration is OK for all servers in the site running WebServices
- Test-CsTopology tests if Kerberos account assignment is configured on all sites and the attributes for all Kerberos account(s) used in the topology
You can also use the Windows 2008 command setspn -L <Kerberos account> to list the SPNs registered on the Kerberos account. The SPNs are stored in the servicePrincipalName attribute on the computer account object in AD.
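A check that ties the troubleshooting cmdlets together: run the tests, then compare the SPNs actually registered on the computer account (setspn -L) against the web services FQDNs from the topology. This is an added example, not from the original post; the account name, site and log path are constructed, the HTTP/<fqdn> SPN format and the InternalFqdn/ExternalFqdn property names of the Get-CsService -WebServer objects are assumptions, and the -Identity and -Report parameters are taken from the cmdlet documentation rather than this page.

```powershell
# Constructed sample values; replace with your own.
$KerbAccount = "contoso\LyncKerbAuth"
$Site        = "site:Redmond"
$LogDir      = "C:\Logs"

# Topology-wide check of assignments and account attributes, then the site-level
# check that also validates the IIS configuration on every WebServices server.
Test-CsTopology -Report "$LogDir\TestTopology.html" -Verbose
Test-CsKerberosAccountAssignment -Identity $Site -Report "$LogDir\TestKerberos.html" -Verbose

# SPNs actually present in the servicePrincipalName attribute of the computer account.
$sam = ($KerbAccount -split '\\')[1]
$registered = setspn -L $sam |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'HTTP/*' }

# SPNs the topology needs: one HTTP/<fqdn> per internal and external web services FQDN
# (property names assumed; inspect Get-CsService -WebServer if they differ).
$expected = Get-CsService -WebServer |
    ForEach-Object { $_.InternalFqdn; $_.ExternalFqdn } |
    Where-Object { $_ } |
    Sort-Object -Unique |
    ForEach-Object { "HTTP/$_" }

# Any expected SPN that is not registered explains repeated credential prompts:
# the client cannot obtain a service ticket and falls back to NTLM or fails.
$missing = $expected | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning "SPNs missing on ${KerbAccount}: $($missing -join ', ')"
    # Re-running Enable-CsTopology with the required setup permissions re-adds them.
} else {
    Write-Host "All expected HTTP SPNs are registered on $KerbAccount."
}
```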
Acknowledgements
Thanks to Jason, Adit, Weimin and Peter for background information
[1] To see the servers in the topology running the WebServices service use the PS cmdlet Get-CsService -WebServer
Comments
Anonymous
January 01, 2003
Jens> Courtesy of Peter, here is a link explaining more about the advantages of using Kerberos over NTLM: msdn.microsoft.com/.../aa480475.aspx
Anonymous
January 01, 2003
Why the need to be a domain admin to create this computer account? Is there a method of granting elevated permissions for the purpose of account creation?
Jens> You need the correct permissions to create the account, and I don't know if there is a way to do it using elevated permissions.
Anonymous
December 23, 2010
Why do we actually do this? I mean, is it optional?
Jens> Yes, it's optional, since we'll fall back to using NTLM. However, it is recommended to use Kerberos.
Anonymous
April 17, 2011
Do you know if developers can create some plugins to provide other types of authentication, like OAuth, for example? Thank you!
Jens> I don't believe that is possible.
Anonymous
December 18, 2012
Thanks for the good info Jens