This article guides you through the correct steps for configuring Kerberos Authentication in Skype for Business.
To make a Skype for Business deployment more scalable it is advised to enable Kerberos Authentication for the Skype for Business Web Services (with NTLM, the fallback, every authentication costs a pass-through call to a domain controller; Kerberos does not). Configuring Kerberos Authentication in Skype for Business is described on TechNet here:
Setting up Kerberos authentication in Lync Server 2013
After creating the Kerberos Computer Account there is a step marked optional in the following article:
Assign a Kerberos authentication account to a site in Lync Server 2013
OPTIONAL: You may have configured an override FQDN (fully qualified domain name) for your WebServices, as per Change the Web Services URL in Lync Server 2013. If that’s the case, you’ll need to add an SPN for this FQDN as well. For example, if the FQDN was webservices.contoso.local, you would run: setspn -S http/webservices.contoso.local kerbauth
In fact this step is not optional, and Microsoft should remove the word “Optional” because it is confusing. If you are DNS Load Balancing the Skype for Business Front-End or Director Servers (about 99% of all deployments I have seen), the Web Services still need a hardware load balancer, so their Internal Web Services FQDN is always overridden to point at the load balancer, and you HAVE to configure this step or your Kerberos Authentication will not work for the Skype for Business Web Services.
What the deployment tools automatically register as SPNs on the Kerberos Account are the Pool Names (pool FQDNs) of the Front-End & Director Pools, but not the Web Services URLs that you have overridden. You can see what was registered with:
setspn -L DOMAIN\kerbauth
(by default this lists only what the deployment tools configured, i.e. the pool FQDNs)
So you have to run the following for every Front-End & Director Pool that is DNS Load Balanced and therefore has an Internal Web Services URL that differs from the Pool Name:
setspn -S http/webservices.contoso.local DOMAIN\kerbauth
Where webservices.contoso.local is, in turn:
- the Internal Web Services URL of your Front-End Pool
- the Internal Web Services URL of your Director Pool
NOTE: the SPN must be written as “HTTP/WEBSERVICES”. The service class is HTTP even though the site is only reachable over HTTPS, because the browser asks the KDC for a ticket to HTTP/<host> regardless of the URL scheme; “HTTPS/WEBSERVICES” will never be requested by a client, and “HTTP://WEBSERVICES” is a URL, not an SPN. An SPN is a Kerberos service name, not a web address.
The Internal Web Services URL of every one of your Front-End & Director Pools must be listed in the Service Principal Name configuration of the Kerberos Account (DOMAIN\kerbauth in this example).
setspn -L DOMAIN\kerbauth must therefore list all of your Internal Web Services URLs (1 Front-End & 1 Director Pool in this example).
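As an added example (not code from the original article), the following PowerShell automates the step above for every pool at once: it enumerates the Web Services of all Front-End and Director pools with Get-CsService -WebServer, picks those whose InternalFqdn has been overridden (it differs from PoolFqdn), checks the forest for a duplicate SPN with setspn -Q, and registers the missing HTTP/<fqdn> SPNs on the Kerberos account with setspn -S. The account name DOMAIN\kerbauth is taken from the article; the use of Get-CsService and the exact setspn output strings matched are assumptions.

```powershell
# Added example, not from the original article: register the HTTP SPN for every
# overridden Internal Web Services FQDN on the Kerberos account and verify the result.
# Assumptions: run in the Skype for Business Management Shell as a user allowed to
# write SPNs, setspn.exe present, Kerberos account DOMAIN\kerbauth as in the article.
$KerbAccount = 'DOMAIN\kerbauth'

# One object per Front-End/Director pool. Where Set-CsWebServer -InternalFqdn was used,
# InternalFqdn differs from PoolFqdn and the deployment tools registered no SPN for it.
$overridden = Get-CsService -WebServer |
    Where-Object { $_.InternalFqdn -and $_.InternalFqdn -ne $_.PoolFqdn }

# SPNs already on the account: setspn -L prints a header line, then one indented SPN per line.
$existing = @(setspn -L $KerbAccount |
    Where-Object { $_ -match '^\s+\S' } |
    ForEach-Object { $_.Trim() })

foreach ($ws in $overridden) {
    # Service class is HTTP even though the site is HTTPS; HTTPS/ or HTTP:// is never requested.
    $spn = "http/$($ws.InternalFqdn)"

    if ($existing -contains $spn) {            # -contains is case-insensitive, like AD
        Write-Host "OK        $spn already registered for pool $($ws.PoolFqdn)"
        continue
    }

    # A duplicate SPN on another account breaks Kerberos for this name: the KDC
    # cannot tell which account's key to encrypt the ticket with. -Q searches the forest.
    $query = (setspn -Q $spn) -join "`n"
    if ($query -notmatch 'No such SPN found') {
        Write-Warning "DUPLICATE $spn exists on another account, not adding:`n$query"
        continue
    }

    # -S re-checks for duplicates before writing (unlike -A, which writes blindly).
    setspn -S $spn $KerbAccount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "FAILED    setspn -S $spn $KerbAccount (exit code $LASTEXITCODE)"
    } else {
        Write-Host "ADDED     $spn -> $KerbAccount (pool $($ws.PoolFqdn))"
    }
}

# Final state: every overridden Internal Web Services FQDN must now appear in this list.
setspn -L $KerbAccount
```

The duplicate check matters: an SPN that exists on two accounts (for example left over on a decommissioned pool's computer object) is worse than a missing one, because the KDC cannot issue a ticket for that name and clients silently fall back to NTLM.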
To verify this on the clients you can use KLIST, which shows the Kerberos tickets the client has in its cache. Open, for example, the Response Group Settings web page: you will be authenticated, and if Kerberos was used there will be a ticket listed for HTTP/sfbweb.domain.com (or whatever your URL is). If you only see the krbtgt ticket and none for HTTP/<your URL>, the client fell back to NTLM and the SPN is missing or duplicated.
You should see something similar to this in the KLIST output:
#4> Client: TestUser @ DOMAIN.LOCAL
Server: HTTP/sfbweb.domain.com @ DOMAIN.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 4/7/2017 16:52:02 (local)
End Time: 4/8/2017 2:43:56 (local)
Renew Time: 4/14/2017 16:43:56 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
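As an added example (not part of the original article), the following PowerShell automates the client-side check described above: it purges the ticket cache, requests the Response Group Settings page at the Internal Web Services URL with the logged-on user's credentials, then parses the klist output for a ticket whose Server is HTTP/<fqdn>. The FQDN sfbweb.domain.com and the page path /RgsClients/Tab.aspx are assumptions, as is the exact klist output layout being parsed (taken from the sample above).

```powershell
# Added example, not from the original article: on a domain-joined client, request the
# Internal Web Services page and check the ticket cache for the HTTP/<fqdn> ticket.
# Assumptions: FQDN and page path are placeholders; klist output looks like the sample
# in the article ("#N>" starts a ticket, then "Server:" and "KerbTicket Encryption Type:").
function Get-KlistTicket {
    # Parse klist output into one object per cached ticket.
    $tickets = @()
    $current = $null
    foreach ($line in (klist)) {
        if ($line -match '^#\d+>') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{ Server = $null; EncryptionType = $null }
        }
        elseif ($current -and $line -match '^\s*Server:\s*(\S+)') {
            $current.Server = $Matches[1]            # e.g. HTTP/sfbweb.domain.com
        }
        elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $current.EncryptionType = $Matches[1].Trim()
        }
    }
    if ($current) { $tickets += $current }
    return $tickets
}

function Test-WebServicesKerberos {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$Path = '/RgsClients/Tab.aspx'    # Response Group Settings page (assumed path)
    )

    # Start with an empty service-ticket cache so the result reflects this request only.
    klist purge | Out-Null

    # -UseDefaultCredentials answers the server's Negotiate challenge with the logged-on
    # user's credentials; Windows then asks the KDC for a ticket to HTTP/<host>.
    try {
        Invoke-WebRequest -Uri "https://$Fqdn$Path" -UseDefaultCredentials -UseBasicParsing | Out-Null
    } catch {
        Write-Warning "Request to https://$Fqdn$Path failed: $($_.Exception.Message)"
    }

    $ticket = Get-KlistTicket | Where-Object { $_.Server -eq "HTTP/$Fqdn" } | Select-Object -First 1

    # No HTTP/<fqdn> ticket after the request means the client fell back to NTLM:
    # usually a missing SPN, or the same SPN registered on two accounts.
    $etype = if ($ticket) { $ticket.EncryptionType } else { 'n/a (no ticket, NTLM fallback likely)' }
    [pscustomobject]@{
        Fqdn           = $Fqdn
        Spn            = "HTTP/$Fqdn"
        KerberosUsed   = [bool]$ticket
        EncryptionType = $etype
    }
}

Test-WebServicesKerberos -Fqdn 'sfbweb.domain.com'
```

The returned EncryptionType is worth a look as well: RC4-HMAC, as in the sample output above, means Kerberos is working, but AES (AES256-CTS-HMAC-SHA1-96) is the stronger choice and is what you want to see where the Kerberos account supports it.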
My personal opinion is that this is a bug in the Deployment Tools for Skype for Business: instead of using just the Pool Names, the deployment tools should also add the overridden Web Services URLs.