Creating a Kerberos account for Lync 2010

In Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2, IIS ran under a standard user account. This had the potential to cause issues: if that password expired you could lose your Web Services, an issue that was often difficult to diagnose. To help avoid the issue of expiring passwords, Microsoft Lync Server 2010 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS. Because these accounts use the Kerberos authentication protocol, the accounts are referred to as Kerberos accounts, and the new authentication process is known as Kerberos web authentication. This enables you to manage all your IIS servers by using a single account.

 

Below is the PowerShell script for creating the Kerberos computer account.

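# Create the computer account that will act as the Kerberos account
New-CsKerberosAccount -UserAccount "DOMAIN\KerbAuth" -ContainerDN "cn=Users,DC=DOMAIN,DC=lan"
# Assign the account to the site
New-CsKerberosAccountAssignment -UserAccount "DOMAIN\KerbAuth" -Identity "site:SITENAME"
# Apply the topology change
Enable-CsTopology
# Set the password for the Kerberos account
Set-CsKerberosAccountPassword -UserAccount "DOMAIN\KerbAuth"
Enable-CsTopology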

To test the Kerberos account, use the following PowerShell command.

Test-CsKerberosAccountAssignment -Identity "site:SITENAME" -Report "c:\logs\KerberosReport.htm" -Verbose
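
A post-deployment check that goes one step beyond the test command above, as an added example that is not part of the original post. It assumes the Lync Server Management Shell, the ActiveDirectory (RSAT) module, the post's placeholders SITENAME and KerbAuth, and that the web services SPNs are registered on the Kerberos account.

```powershell
# Added example: verify the Kerberos account assignment and audit its SPNs.
# Assumptions: Lync Server Management Shell + ActiveDirectory module are loaded;
# SITENAME, KerbAuth and the report path are the placeholders used in the post.
Import-Module ActiveDirectory

$Site        = 'site:SITENAME'
$AccountName = 'KerbAuth'
$Report      = 'c:\logs\KerberosReport.htm'

# 1. The site must have an assignment, and it must point at the expected account.
$assignment = Get-CsKerberosAccountAssignment -Identity $Site -ErrorAction Stop
if ($assignment.UserAccount -notlike "*\$AccountName") {
    throw "Site $Site is assigned to $($assignment.UserAccount), expected $AccountName"
}

# 2. Read the computer object and the SPNs currently registered on it.
$computer = Get-ADComputer -Identity $AccountName -Properties servicePrincipalName, PasswordLastSet
$spns = @($computer.servicePrincipalName | Where-Object { $_ })
if ($spns.Count -eq 0) {
    throw "No SPNs found on $AccountName; re-run Enable-CsTopology and check again"
}

# 3. An SPN registered on more than one object breaks Kerberos ticket requests
#    for that service, so each SPN must resolve to exactly one object.
#    (This searches the current domain only.)
$duplicates = foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        $names = ($owners | ForEach-Object { $_.Name }) -join ', '
        New-Object PSObject -Property @{ SPN = $spn; Owners = $names }
    }
}

# 4. Run the test from the post and keep the HTML report for the change record.
Test-CsKerberosAccountAssignment -Identity $Site -Report $Report -Verbose

# 5. Summary: SPNs on the account, password age, and any duplicates found.
$spns | Sort-Object
"Password last set: $($computer.PasswordLastSet)"
if ($duplicates) {
    $duplicates | Format-Table -AutoSize
    throw 'Duplicate SPNs found; remove the stale registrations before relying on Kerberos web authentication'
}
```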
