Creating a Kerberos account for Lync 2010
Posted by JGelijsteen on May 25th, 2012
In Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2, IIS ran under a standard user account. This had the potential to cause issues: if that password expired you could lose your Web Services, an issue that was often difficult to diagnose. To help avoid the issue of expiring passwords, Microsoft Lync Server 2010 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS. Because these accounts use the Kerberos authentication protocol, the accounts are referred to as Kerberos accounts, and the new authentication process is known as Kerberos web authentication. This enables you to manage all your IIS servers by using a single account.
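Below is the PowerShell script for creating the Kerberos computer account. Run it from the Lync Server Management Shell, replacing DOMAIN, KerbAuth and SITENAME with your own values.

# Create the computer account object in Active Directory
New-CsKerberosAccount -UserAccount "DOMAIN\KerbAuth" -ContainerDN "cn=Users,DC=DOMAIN,DC=lan"
# Assign the account to the site
New-CsKerberosAccountAssignment -UserAccount "DOMAIN\KerbAuth" -Identity "site:SITENAME"
Enable-CsTopology
# Set the account password
Set-CsKerberosAccountPassword -UserAccount "DOMAIN\KerbAuth"
Enable-CsTopology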
To test the Kerberos account, use the following PowerShell script.

Test-CsKerberosAccountAssignment -Identity "site:SITENAME" -Report "c:\logs\KerberosReport.htm" -Verbose
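
A follow-up check for the account created above, as an added example that is not part of the original post: it confirms the site assignment, inspects the computer object in Active Directory, and then runs the same test. It assumes the Lync Server Management Shell with the ActiveDirectory module available; DOMAIN, KerbAuth and SITENAME are the post's placeholders, and $MaxAgeDays is a hypothetical threshold.

```powershell
# Added example: post-deployment check of the Lync Kerberos account.
# Assumptions: Lync Server Management Shell, ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Account    = 'DOMAIN\KerbAuth'              # placeholder from the post
$Site       = 'site:SITENAME'                # placeholder from the post
$Report     = 'C:\logs\KerberosReport.htm'
$MaxAgeDays = 365                            # hypothetical review threshold

# 1. Confirm the site is assigned to the account we expect.
$assignment = Get-CsKerberosAccountAssignment -Identity $Site -ErrorAction SilentlyContinue
if (-not $assignment) {
    throw "No Kerberos account assignment found for $Site"
}
if ("$($assignment.UserAccount)" -ne $Account) {
    Write-Warning "$Site is assigned to $($assignment.UserAccount), expected $Account"
}

# 2. Inspect the computer object behind the assignment.
$name     = $Account.Split('\')[1]
$computer = Get-ADComputer -Identity $name -Properties PasswordLastSet, servicePrincipalName

if (-not $computer.Enabled) {
    Write-Warning "Computer account $name is disabled"
}

# No real machine exists to rotate this password, so track its age explicitly.
if ($computer.PasswordLastSet) {
    $age = (New-TimeSpan -Start $computer.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $MaxAgeDays) {
        Write-Warning "Password for $name is $age days old; rotate it with Set-CsKerberosAccountPassword"
    }
} else {
    Write-Warning "Password for $name has never been set"
}

# List the SPNs registered on the account so unexpected entries can be reviewed.
$computer.servicePrincipalName | Sort-Object | ForEach-Object { "SPN: $_" }

# 3. Run the end-to-end test from the post and keep the HTML report.
Test-CsKerberosAccountAssignment -Identity $Site -Report $Report -Verbose
```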
