Skype4b: Users prompted for password. Security-Kerberos Event ID 4

Had a rather strange experience the other day that I think needs to be written about.

The scenario is as follows:
Clients registered for Skype for Business a long time ago suddenly starts to be prompted for username and password repeatedly. The problem occurs on Skype for Business users logging on to newly deployed Windows workstations/laptops.

The user had no problem logging in before the computer image was refreshed, but afterwards the password prompts started to show up. The request would be for the user to provide username and password in order to contact the certificate service. All certificates checked out to be fine on the client, but it would not receive a certificate from the FrontEnd server/pool.

The environment is a mixed in-place upgrade from Lync 2013 and some new servers on Skype for Business 2015 server.

After a while of troubleshooting without getting anywhere, I came across som strange messages in the event log saying something about Kerberos.

The Event ID 4 occurred in the System log, and the source was Security-Kerberos:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ddsskypefe16$. The target name used was HTTP/”FrontEndPoolFQDN”.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I started investigating some more around Kerberos authentication in Skype for Business, and found that sometimes when you do an in-place upgrade, the Kerberos authentication breaks and the referenced account is no longer valid(for some reason). So, after hours of troubleshooting without any luck, I proceeded with removing the old Kerberos account and generated a new one using the following PS commands:

New-CsKerberosAccount -UserAccount “Domain\skypeauth” -ContainerDN “CN=Users,DC=domain,DC=com”

New-CsKerberosAccountAssignment -UserAccount “Domain\skypeauth” -Identity “Site:Main SIte”

Enable-CsTopology

Set-CsKerberosAccountPassword -UserAccount “Domain\skypeauth”

I then ran a test of the Kerberos account assignment:

Test-CsKerberosAccountAssignment -Identity “Site:Main Site” -Report “c:\atea\kerberos_report.htm” -Verbose

After doing this, It would seem like all users are able to log in

Advertisements

Headset review: Plantronics v8200 UC

Another headset review coming up. This time it’s the new Plantronics Voyager 8200 UC, a boom less headset for the business market aimed at the productive worker needing a headset to block out unwanted noise in an open office environment.

The Plantronics Voyager 8200 UC is such a headset. It’s delivered in a soft pouch together with a USB Bluetooth dongle(always use it when connecting to your PC/Mac), a USB charging cable and a mini jack cable for those times when Bluetooth cannot be used(in flight mode for example). The headset is available in two colors, black(the one showed in this post) and white. It has a quite nice finish with leather and aluminum, and no microphone boom.

The boom less construction is surprisingly effective, and both audio quality during conversations and the reduction of background noise is quite good. The callee is not able to hear any noise in the background when making a call, even in a quite noisy environment. The ANC has two settings when turned on, that is Medium and High. With my limited hearing I’m not able to separate the two 🙂

There are also functions for open mic, mute etc. all controlled from the buttons on the headset. When playing music, you can control play/pause, skip forward and backward etc. Incoming calls are prioritized, and answering calls are done with the buttons on the headset or by the auto answer function if the headset is lying on your desk. This is one of my favourite features with Plantronics headsets designed for UC and certified for Skype for Business. The proximity sensors allows for automatic features as ANC on/off and automatic pause of movies/music and answer/mute calls when the headset is put on or taken off. The automatic disabling of ANC when the headset is not used also acts as a power saving feature.
There are however something to bear in mind when it comes to proximity sensors and machine connectivity. As mentioned earlier in this post, the USB dongle has to be used when connecting to a PC or Mac. That being said, I’ve experienced differences between Mac OSx and Windows operating systems when it comes to operating the headset. Specially the Mac OSx seems somewhat limited in regards to controlling playback of music from the headset. I’m sure this is a problem related to the operating system API and not the headset as it works fine in a Windows Client.

When it comes to playing music or watching movies using this headset, it delivers very good sound(at least in my opinion). When using the BT dongle that comes with the headset, I’ve not experienced any problems with audio playback. Some people has experienced audio delay when streaming audio over Bluetooth, but this is not my impression. I’ve tested audio streaming both with USB dongle on my MacBook and with my iPhone and experienced no audio delay.

The Plantronics Voyager v8200 UC is in my opinion a very good all round headset which delivers excellent performance both when used as a productivity headset and as an entertainment headset streaming music and watching movies. It’s a very good alternative to the Plantronics Voyager Focus UC, which in my opinion has been the best UC headset on the market up until now 🙂

Skype for Business Event ID 1034.

After migrating to Skype for Business and removing Lync 2010/2013 pools, you may encounter an event ID 1034 stating that the LS File Transfer Agent encountered an error while accessing a file share.

The file share referenced will be the share on the removed Lync 2010/2013 pool. If you run the command Get-CsCentralManagementStoreReplicationStatus -CentralManagementStoreStatus, you will se an entry of DeletedReplicas that states the server FQDN of your deleted Lync pool/server. If the server is deleted from the topology not to be used again, you can proceed with deleting the server from the XDS database.

 

The easiest way to accomplish this, is to make sure that all Lync server components are removed from the Lync server in question. Simply go ahead and remove the Lync components from the server using Add/Remove programs. Make sure to reboot the server after the removal of the Lync components. The error message in the event log should disappear after this operation.

If this is not successfull, you will have to remove the replica ID’s from the SQL database(XDS).

This procedure from the UC Lobby blog by David Paulino should do the trick.

Issuing certificates with longer validity

Nice post, should be carried out in every environment where internal certificates are in use. Having the Lync/Skype for Business service beeing interrupted every second year because of short term internal certificates is nothing else but annoying.

Rune's blog about things I see and UC

In my previous job as a hired consultant I generally wanted the Lync/Skype for Business servers to have certificates lasting beyond the two year default validity period. Why? Because I, along with the customer, would consider a Lync or Skype for Business solution to have a horizon stretching beyond two years – and therefore issuing a certificate that would expire only after two years would be meaningless.

View original post 87 more words

How to set IPv4 as preferred IP on Windows Server using PowerShell

Nice tip from Ståle Hansen on how to set IPv4 as preferred IP on Windows Server using PowerShell.

msunified.net

IPv6 Internet

Sometimes working with Lync and Skype for Business I see that the services are trying to contact other servers or localhost which returns an IPv6 address. If the service is set to run only on IPv4 the service will fail and not find the listening interface since it is not listening on IPv6. In these cases I do not disable IPv6 but prefer IPv4. This needs to be done in registry and a reboot is required after the change. Do not disable IPv6 on the network card because that will not work.

Here is a simple way to do it using PowerShell

Check the values below for other options

  1. Type to re-enable all IPv6 components (Windows default setting).
  2. Type 0xff to disable all IPv6 components except the IPv6 loopback interface. This value also configures Windows to prefer using IPv4 over IPv6 by changing entries in the prefix policy table. For more…

View original post 75 more words

Missed Call Notification – Not Working…..

A known problem and the solution 🙂

UC Consultant Blog...

Since November 2015 there has been issues with Missed Call Notification from Lync/S4B to Outlook.
There has been written many blogpost about this, but I will here try to summarize how to fix it – Until Microsoft release a permanent fix for the issue.

The following Windows Update’s are relevant for this issue.

I have been trying to solve this at several customers, but made a breaktrough today.

I have been searching for KB3101496 – Nothing to find!
Searched in Registry clearly shows that the patch is installed, but it’s not visible in Control Panel

Additional research pointet me in the direction of KB3114351.

Looking for KB3114351 in Control Panel showed that this patch was installed.
Did a Uninstall of this patch, with a following reboot.
After a reboot, the KB3101496 was again visible in Control Panel.
Did a uninstall of this patch as well, following with a…

View original post 61 more words

Lync server KB3080353 breaks your mobile and web app clients

Nice post by Rune Stoknes on a recently discovered faulty patch from Microsoft on the Lync server.
This post proves why you should never rely on Windows Update to install your Lync patches. Always use the LyncServerUpdateInstaller that comes with the CU released for Lync/Skype4B.

Rune's blog about things I see and UC

Keeping your servers up to date is essential, and not only the application server parts but the OS and others as well. The other day I went with a Windows Update that also included a Lync Server security update. After a short while I would get feedback from users no longer being able to use the mobile client, and later I also got reports on the Web App not working.

View original post 222 more words

Is your next productivity headset the Plantronics Voyager Focus UC?

This headset is an excellent choice if you require something a bit more advanced than most people 🙂 The features implemented in this headset makes it a great choice for both soft phone clients and mobile phones as well as for listening to music when you’re working.

One of my favourite functions is the Auto Answering feature which lets you answer an incoming call just by putting on your headset if its in the charging cradle or lying on your desk. It will answer any incoming call wether it’s to your soft phone client or mobile phone.

Great posts by Ståle Hansen and Matt Landis.

msunified.net

I say, yes!

Why?

  • It is optimized for Skype for Business
  • It is wireless using bluetooth, connection to up to eight devices, two at the same time
  • It has noise cancelling, removing the white noise but keeps voices when people are talking to you
  • It has really good music quality, can be compared to the best music headsets on the market
  • By installing the Plantronics Hub software it will set your Skype for Business status to “In a Call” when you answer the call on your cellphone
  • It can easily be charged using MicroUSB or the charging stand

Check out my thoughts on the headset on YouTube

Also check out the video review by MVP Matt Landis

Link to the product page: http://www.plantronics.com/us/product/voyager-focus-uc?skuId=sku7140027#fndtn-overview

View original post