The other day I had to enable my Lync environment for Kerberos authentication. I was going to use KCD (Kerberos constrained delegation) with a load balancer involved, and therefore I had to configure an account to be used instead of doing the usual delegation to the computer accounts.
I found information about this on TechNet; it is much the same as running the RollAlternateServiceAccount script on an Exchange server.
http://technet.microsoft.com/en-us/library/gg398734.aspx
I started by creating the account to be used. This is a computer account rather than a service account.
New-CsKerberosAccount -UserAccount "GSEC\LyncKerbAuth" -ContainerDN "OU=Lync,OU=Service Accounts,OU=Users,DC=gsec,DC=se"
Next I need to assign the account to my Lync site. First I check the name of the site by running
Get-CsSite
Then I run the following command
New-CsKerberosAccountAssignment -UserAccount "GSEC\LyncKerbAuth" -Identity "site:Gsec"
After this is done you need to run
Enable-CsTopology
Now it’s time to set a password for the account
Set-CsKerberosAccountPassword -UserAccount "GSEC\LyncKerbAuth"
To verify that this works, run
Test-CsKerberosAccountAssignment -Identity "site:Gsec" -Report "c:\logs\FileName.htm" -Verbose
It will create an HTML file with the details.
Now I need to set the SPNs for the account
Setspn -S http/lyncweb LyncKerbAuth
Setspn -S http/lyncweb.gsec.se LyncKerbAuth
Now all the settings are done and you can publish Lync with KCD and a load balancer without having problems with the SPN.
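
To confirm the result of the steps above, the following added example (not part of the original post and not Microsoft's code) checks the site assignment and that each SPN is registered exactly once and on the Kerberos account. It assumes it is run in the Lync Server Management Shell with the ActiveDirectory module available; the names are the ones used in this post, and the duplicate search covers only the current domain.

```powershell
# Added verification example. Assumes the Lync Server Management Shell
# (for Get-CsKerberosAccountAssignment) and the ActiveDirectory module.
Import-Module ActiveDirectory

$site     = 'site:Gsec'                               # site name from Get-CsSite
$account  = 'LyncKerbAuth'                            # Kerberos computer account
$expected = 'http/lyncweb', 'http/lyncweb.gsec.se'    # SPNs set with Setspn -S

# 1. The site must be assigned to the Kerberos account created earlier.
$assignment = Get-CsKerberosAccountAssignment -Identity $site
if ($assignment.UserAccount -notlike "*$account*") {
    Write-Warning "$site is assigned to '$($assignment.UserAccount)', expected $account"
}

# 2. Each SPN must be on that account and on no other object.
#    A duplicate SPN makes Kerberos ticket requests for the name fail.
$computer = Get-ADComputer -Identity $account -Properties servicePrincipalName

$results = foreach ($spn in $expected) {
    # -contains is case-insensitive, which matches how SPNs are compared
    $onAccount = $computer.servicePrincipalName -contains $spn

    # Every object in the current domain that carries this SPN
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    New-Object PSObject -Property @{
        SPN               = $spn
        OnKerberosAccount = $onAccount
        HolderCount       = $holders.Count
        Holders           = ($holders | ForEach-Object { $_.Name }) -join ', '
        Ok                = ($onAccount -and $holders.Count -eq 1)
    }
}

$results | Format-Table SPN, OnKerberosAccount, HolderCount, Holders, Ok -AutoSize

# Non-zero exit code if any SPN is missing or duplicated
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more SPNs are missing or registered on more than one object.'
    exit 1
}
```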
