none
Constant Credential Prompts from Lync 2010 Client

    General discussion

  • Hi,

    I've deployed both Lync Group Chat and standard Lync 2010 to my company's network through a GPO. The problem I am having is that certain client computer can install successfully but keep getting multiple password prompts such as

    Lync - Service Sign in
    Credentials are required - Type your user name and password to connect for certificate services.

    Lync - Service Sign in
    Credentials are required - Type your user name and password to connect to the corporate address book.

    Lync - Service Sign in
    Credentials are required - Type your user name and password to connect for retrieving response groups.

    Lync - Service Sign in
    Credentials are required - Type your user name and password to connect for retrieving location information.

     

    I input all the correct credentials, but the prompt comes right back up. But after I cancel them all Lync works perfectly fine. Whats odd to me is that I have it currently installed on my Dell Latitude E6500 and it works perfectly with no prompts. But using my credentials on a fresh computer/laptop, I get this problem myself. I have endlessly looked through various forums and cannot find a solution.

     

    Any help appreciated :)

    Thursday, February 10, 2011 7:28 PM

All replies

  • Thanks Ben
    Monday, February 14, 2011 11:07 PM
  • Hi,

    I actually meet the exact same problem. Did you find any workaround ?

    Thanx for your help,

    Regards,

    Bastien


    Bastien
    Wednesday, February 16, 2011 9:08 AM
  • Hey Bastien,

     

    I have not found anything for this, still waiting for MS to reply. I have searched through too many forums to find no solution that worked

    Wednesday, February 16, 2011 6:16 PM
  • On my side, I finally found the solution for my problem !

    For an unknown reason, there was a problem with my kerberos computer account (which is necessary for kerberos authentication). So I deleted it and recreated it with a different name. After that, everything was working fine ...

     

    Here is an example of the commands line I used :

     

    To get actual kerberos account which is actually used :

    Get-CsKerberosAccountAssignment –Identity “site:Redmond”

     

    To remove it :

    Remove-CsKerberosAccountAssignment –Identity “site:Redmond” 

    Enable-CsTopology

     

    To recreate a new one :

    New-CsKerberosAccount –UserAccount “Contoso\KerbAuth” –ContainerDN “CN=User,DC=contoso,DC=com”

    New-CsKerberosAccountAssignment –UserAccount “contoso\kerbauth” –Identity “site:redmond”

    Enable-CsTopology

    Set-CsKerberosAccountPassword –UserAccount “contoso\KerbAuth”

    Enable-CsTopology

     

    If you have more than one server in your Lync infrastructure, here is the procedure to Synchronize a Kerberos Authentication Account Password to IIS :

    Set-CsKerberosAccountPassword –FromComputer fe01.contoso.com –ToComputer dir01.contoso.com

    Enable-CsTopology

     

    To test it :

    Test-CsKerberosAccountAssignment –Identity “site:Redmond” –Report “c:\logs\KerberosReport.htm” -Verbose

     

    If this is not your problem, here is what I would advice you to look at :

    - Permissions on your share folder

    - Verifiy that your IIS is correctly configured (IIS Role Services that must be deployed are defined in the deploy guide)

    - If you are not sure of your IIS and Lync Web Components, you could try to uninstall them et reinstall them.

     

    Regards,

    Bastien.

     



    Bastien
    Thursday, February 17, 2011 8:39 AM
  • Hey Bastien,

     

    Did you do this to get your Lync server to run in Kerberos authentication for clients? If I'm understanding correctly..

     

    Cheers

    Tuesday, February 22, 2011 6:01 PM
  • Hi,

    Yes, I did this to support kerberos client authentication to Web Services. 

    Microsoft Lync Server 2010 supports NTLM and Kerberos authentication for Web Services. Office Communications Server 2007 and Office Communications Server 2007 R2 used the default RTCComponentService and RTCService as the user accounts to run the Web Services application pools, allowing for a service principal name (SPN) to be assigned to the user accounts and to act as the authentication principal. Lync Server uses NetworkService to run Web Services and NetworkService cannot have SPNs assigned to it.

    To solve the problem of not having Active Directory objects to hold the SPNs, Lync Server can use computer account objects for this purpose. The computer account objects can hold the SPNs and are not subject to password expiration, which was an issue with using user accounts in previous versions. 

    Regards,

    Bastien.

     



    Bastien
    Wednesday, February 23, 2011 9:26 AM
  • Hey Bastien,

     

    I followed the steps you provided earlier, everything went fine, created and assigned properly. Still getting these credential prompts on my Lync client computers. Were there any other steps after creation of the Kerberos computer account?

     

    When issuing the cmd:

    New-CsKerberosAccountAssignment –UserAccount “contoso\kerbauth” –Identity “site:redmond”

    Did you put in your Lync server in the "redmond" field?

     

    Sorry I'm fairly new to this whole Lync business

     

    Cheers

    Wednesday, February 23, 2011 6:04 PM
  • No, it's not the name of the lync server but the name of your "site".

    You can see the name of your site in topology builder. It's the name of your building just under "Lync server 2010".

    I didn't do anything else to make it works but, as I said, it could also be a permission problem on your files (share directory) or a configuration probelm in your IIS.

    Regards,

    Bastien.


    Bastien
    Thursday, February 24, 2011 10:40 AM
  • can someone help me out here... i am having these issues described.
     
     
    however after I go through the Kerberos Account Assignment I get the following error:
     
    InvalidKerberosConfiguration: The Kerberos configuration is invalid.
     
    InvalidKerberosConfiguration: The Kerberos configuration on "servername" is invalid. The expected assigned account is domain\kerbauth. Ensure that the account has not expired, and the configured password on the machine matches the Active Directory password of the account.

    Do I need to go to the properties on the computer 'Delegation" tab and trust this computer for delegation to any service (Kerberos only)?

    thanks

    • Edited by Zabulon Tuesday, May 10, 2011 4:26 PM added Delegation tab
    Tuesday, May 10, 2011 4:16 PM
  • Hi Bastien, thanks a lot... The problem occured after installing public certificates and it took over 2 days of checking certificates, SANs, comparing environment with OCS, ... before I found your article, that solved the problem...
    ------- Michal Stoppl
    Tuesday, May 17, 2011 11:58 AM
  • It may be that your time settings are not correct. Make sure your time zone and time is set correctly.

    Thanks

    Friday, February 24, 2012 5:16 PM