Can't log on to SCSP - Control Panel

  • Question

  • Hi,

    I'm in the process of migrating Lync 2013 to Skype for Business side by side. I installed the new S4B pool and it looks fine. But when I try to log on to the CSCP using the URL of the pool (sfbfepool.contoso.com), I get a Kerberos error. I'm prompted for credentials until I click Cancel, and then I get a 401.1 error. If I type the FQDN of the server (srvsfb.contoso.com), then I'm able to log on successfully.

    I checked the event viewer and I see this error:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srvsfb$. The target name used was HTTP/sfbfepool.contoso.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (contoso.COM) is different from the client domain (contoso.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    Monday, July 17, 2017 1:29 PM

All replies

  • Have you also set up the Kerberos account for the new pool?

    https://technet.microsoft.com/en-us/library/gg425901%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396


    regards Holger Technical Specialist UC

    • Proposed as answer by Alice-Wang Tuesday, July 18, 2017 6:54 AM
    • Unproposed as answer by Antuanfff Tuesday, July 18, 2017 10:10 AM
    Tuesday, July 18, 2017 3:54 AM
  • Hi Antuanfff,

    Agree with Holger.

    You could also use setspn.exe to find out which server is holding that SPN in AD:
    http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

    Moreover, please run the command Test-CsKerberosAccountAssignment in SFB control and check if there are any errors. Please refer to:
    https://technet.microsoft.com/en-us/library/gg425938.aspx


    Regards,

    Alice Wang



    • Marked as answer by Antuanfff Tuesday, July 18, 2017 1:43 PM
    Tuesday, July 18, 2017 6:57 AM
  • Hi

    I have set up the Kerberos account and it is holding the URL for both pools (Lync 2013 and S4B 2015):

    Loading Modules for Skype for Business Server 2015...
    PS C:\Users\sfbadm> Get-CsKerberosAccountAssignment


    Identity    : Site:BCN
    UserAccount : contoso\lynckerberos

    PS C:\Users\sfbadm> setspn -L contoso\lynckerberos
    Registered ServicePrincipalNames for CN=lynckerberos,CN=Users,DC=contoso,DC=com:
            http/SfbFePool.contoso.com
            http/LyncFePool.contoso.com
    PS C:\Users\sfbadm>


    • Edited by Antuanfff Tuesday, July 18, 2017 10:10 AM
    Tuesday, July 18, 2017 10:10 AM
  • If you use IE, have you added your websites to the local intranet on the security page of IE?

    regards Holger Technical Specialist UC

    • Marked as answer by Antuanfff Tuesday, July 18, 2017 1:43 PM
    Tuesday, July 18, 2017 10:16 AM
  • Hi,

    I guess you have the pool FQDN added in internal DNS?

    Your certificate subject name is the pool FQDN?

    Have you tried replacing the pool FQDN with the server FQDN to see if it works?

    Silverlight is also required.


    Off2work

    Tuesday, July 18, 2017 1:36 PM
  • I ran Test-CsKerberosAccountAssignment and I got an error on both FE servers (2013 and 2015). The account was added but it is not working in Lync 2013 or S4B 2015. It seems like the password is not set or it is expired. But I'm able to log in to CSCP on the Lync 2013 FE server using the pool FQDN even though the pool FQDN is not in Trusted Sites.

    I added the S4B pool FQDN to trusted sites and now I am able to log in to CSCP. So I don't understand why I am able to log in to CSCP on the Lync 2013 FE using the pool FQDN.

    Tuesday, July 18, 2017 1:51 PM
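
Added example (not part of the original thread, and not Microsoft's code): one way to run the two checks suggested above, the SPN holder lookup and Test-CsKerberosAccountAssignment, from the Skype for Business Management Shell. The SPN, account and site names are the ones posted in the thread; the report path, variable names and the commented-out password reset are assumptions.

```powershell
# Added example. Run in the Skype for Business Server Management Shell
# on a domain-joined server, with rights to read AD.
$Spn         = 'HTTP/sfbfepool.contoso.com'  # target name from the KRB_AP_ERR_MODIFIED event
$ExpectedSam = 'lynckerberos'                # account shown by Get-CsKerberosAccountAssignment
$Site        = 'site:BCN'
$Report      = "$env:TEMP\KerberosReport.htm"  # assumed report location

# 1. Find every AD object that carries the SPN (searches the current domain only).
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'pwdLastSet'))
$holders = @($searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Account    = [string]$_.Properties['samaccountname'][0]
        DN         = [string]$_.Properties['distinguishedname'][0]
        # pwdLastSet is a FILETIME; 0 (year 1601) means the password was never set.
        PwdLastSet = [datetime]::FromFileTimeUtc([int64]$_.Properties['pwdlastset'][0])
    }
})
$holders | Format-Table -AutoSize

# 2. The SPN must exist on exactly one account, and it must be the Kerberos account.
if ($holders.Count -eq 0) {
    Write-Warning "$Spn is not registered on any account in this domain."
} elseif ($holders.Count -gt 1) {
    Write-Warning "$Spn is registered on $($holders.Count) accounts (duplicate SPN)."
} elseif ($holders[0].Account -ne $ExpectedSam) {
    Write-Warning "$Spn is held by $($holders[0].Account), not $ExpectedSam."
} else {
    Write-Host "$Spn is held only by $ExpectedSam (password last set $($holders[0].PwdLastSet) UTC)."
}

# 3. Check that the servers in the site actually use that account and its password.
Test-CsKerberosAccountAssignment -Identity $Site -Report $Report -Verbose

# 4. Assumption: if step 3 reports a password problem, resetting the account
#    password re-synchronises AD and the servers in the site. Uncomment to run.
# Set-CsKerberosAccountPassword -UserAccount 'contoso\lynckerberos'
```

After a password reset, clients keep any cached service ticket until it expires or is cleared with klist purge.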