Skype4b: Users prompted for password. Security-Kerberos Event ID 4

Had a rather strange experience the other day that I think needs to be written about.

The scenario is as follows:
Clients registered for Skype for Business a long time ago suddenly starts to be prompted for username and password repeatedly. The problem occurs on Skype for Business users logging on to newly deployed Windows workstations/laptops.

The user had no problem logging in before the computer image was refreshed, but afterwards the password prompts started to show up. The request would be for the user to provide username and password in order to contact the certificate service. All certificates checked out to be fine on the client, but it would not receive a certificate from the FrontEnd server/pool.

The environment is a mixed in-place upgrade from Lync 2013 and some new servers on Skype for Business 2015 server.

After a while of troubleshooting without getting anywhere, I came across som strange messages in the event log saying something about Kerberos.

The Event ID 4 occurred in the System log, and the source was Security-Kerberos:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ddsskypefe16$. The target name used was HTTP/”FrontEndPoolFQDN”.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I started investigating some more around Kerberos authentication in Skype for Business, and found that sometimes when you do an in-place upgrade, the Kerberos authentication breaks and the referenced account is no longer valid(for some reason). So, after hours of troubleshooting without any luck, I proceeded with removing the old Kerberos account and generated a new one using the following PS commands:

New-CsKerberosAccount -UserAccount “Domain\skypeauth” -ContainerDN “CN=Users,DC=domain,DC=com”

New-CsKerberosAccountAssignment -UserAccount “Domain\skypeauth” -Identity “Site:Main SIte”

Enable-CsTopology

Set-CsKerberosAccountPassword -UserAccount “Domain\skypeauth”

I then ran a test of the Kerberos account assignment:

Test-CsKerberosAccountAssignment -Identity “Site:Main Site” -Report “c:\atea\kerberos_report.htm” -Verbose

After doing this, It would seem like all users are able to log in

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s