Skype4b: Users prompted for password. Security-Kerberos Event ID 4

Had a rather strange experience the other day that I think needs to be written about.

The scenario is as follows:
Clients registered for Skype for Business a long time ago suddenly starts to be prompted for username and password repeatedly. The problem occurs on Skype for Business users logging on to newly deployed Windows workstations/laptops.

The user had no problem logging in before the computer image was refreshed, but afterwards the password prompts started to show up. The request would be for the user to provide username and password in order to contact the certificate service. All certificates checked out to be fine on the client, but it would not receive a certificate from the FrontEnd server/pool.

The environment is a mixed in-place upgrade from Lync 2013 and some new servers on Skype for Business 2015 server.

After a while of troubleshooting without getting anywhere, I came across som strange messages in the event log saying something about Kerberos.

The Event ID 4 occurred in the System log, and the source was Security-Kerberos:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ddsskypefe16$. The target name used was HTTP/”FrontEndPoolFQDN”.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I started investigating some more around Kerberos authentication in Skype for Business, and found that sometimes when you do an in-place upgrade, the Kerberos authentication breaks and the referenced account is no longer valid(for some reason). So, after hours of troubleshooting without any luck, I proceeded with removing the old Kerberos account and generated a new one using the following PS commands:

New-CsKerberosAccount -UserAccount “Domain\skypeauth” -ContainerDN “CN=Users,DC=domain,DC=com”

New-CsKerberosAccountAssignment -UserAccount “Domain\skypeauth” -Identity “Site:Main SIte”

Enable-CsTopology

Set-CsKerberosAccountPassword -UserAccount “Domain\skypeauth”

I then ran a test of the Kerberos account assignment:

Test-CsKerberosAccountAssignment -Identity “Site:Main Site” -Report “c:\atea\kerberos_report.htm” -Verbose

After doing this, It would seem like all users are able to log in

Advertisements

Headset review: Plantronics v8200 UC

Another headset review coming up. This time it’s the new Plantronics Voyager 8200 UC, a boom less headset for the business market aimed at the productive worker needing a headset to block out unwanted noise in an open office environment.

The Plantronics Voyager 8200 UC is such a headset. It’s delivered in a soft pouch together with a USB Bluetooth dongle(always use it when connecting to your PC/Mac), a USB charging cable and a mini jack cable for those times when Bluetooth cannot be used(in flight mode for example). The headset is available in two colors, black(the one showed in this post) and white. It has a quite nice finish with leather and aluminum, and no microphone boom.

The boom less construction is surprisingly effective, and both audio quality during conversations and the reduction of background noise is quite good. The callee is not able to hear any noise in the background when making a call, even in a quite noisy environment. The ANC has two settings when turned on, that is Medium and High. With my limited hearing I’m not able to separate the two 🙂

There are also functions for open mic, mute etc. all controlled from the buttons on the headset. When playing music, you can control play/pause, skip forward and backward etc. Incoming calls are prioritized, and answering calls are done with the buttons on the headset or by the auto answer function if the headset is lying on your desk. This is one of my favourite features with Plantronics headsets designed for UC and certified for Skype for Business. The proximity sensors allows for automatic features as ANC on/off and automatic pause of movies/music and answer/mute calls when the headset is put on or taken off. The automatic disabling of ANC when the headset is not used also acts as a power saving feature.
There are however something to bear in mind when it comes to proximity sensors and machine connectivity. As mentioned earlier in this post, the USB dongle has to be used when connecting to a PC or Mac. That being said, I’ve experienced differences between Mac OSx and Windows operating systems when it comes to operating the headset. Specially the Mac OSx seems somewhat limited in regards to controlling playback of music from the headset. I’m sure this is a problem related to the operating system API and not the headset as it works fine in a Windows Client.

When it comes to playing music or watching movies using this headset, it delivers very good sound(at least in my opinion). When using the BT dongle that comes with the headset, I’ve not experienced any problems with audio playback. Some people has experienced audio delay when streaming audio over Bluetooth, but this is not my impression. I’ve tested audio streaming both with USB dongle on my MacBook and with my iPhone and experienced no audio delay.

The Plantronics Voyager v8200 UC is in my opinion a very good all round headset which delivers excellent performance both when used as a productivity headset and as an entertainment headset streaming music and watching movies. It’s a very good alternative to the Plantronics Voyager Focus UC, which in my opinion has been the best UC headset on the market up until now 🙂