Create a Kerberos Authentication Account


Topic Last Modified: 2012-04-06

To complete the procedure To create a Kerberos account, you should be logged on to the server or domain minimally as a member of the Domain Admins group. If your Active Directory Domain Services (AD DS) infrastructure is locked down or secured, the Windows PowerShell cmdlets that automate creation of the Kerberos account might not work correctly and might fail. If you are working in a locked-down Active Directory, use the procedure that follows it, To manually create a Kerberos account.

You can create Kerberos authentication accounts for each site or you can create a single Kerberos authentication account and use it for all sites. You use Windows PowerShell cmdlets to create and manage the accounts, including identifying the accounts assigned to each site. Topology Builder and the Lync Server 2010 Control Panel do not display Kerberos authentication accounts. Use the following procedure to create one or more computer accounts to be used for Kerberos authentication.

To create a Kerberos account

  1. As a member of the Domain Admins group, log on to a computer in the domain running Lync Server 2010, or to a computer where the administrative tools are installed.

  2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.

  3. From the command line, run the following command:

    New-CsKerberosAccount -UserAccount "Domain\ComputerAccount" -ContainerDN "CN=Computers,DC=DomainName,DC=DomainExtension"

    For example:

    New-CsKerberosAccount -UserAccount "Contoso\KerbAuth" -ContainerDN "CN=Computers,DC=contoso,DC=com"

  4. Confirm that the Computer object was created: open Active Directory Users and Computers, expand the Users container, and confirm that the Computer object for the Kerberos account is in the container.

    Note

    It might be confusing at first that you create a computer object when the cmdlet's parameter name clearly suggests a user account. In the hierarchy of Active Directory, the user object is inherited from the computer object, making the two account types very similar. One big difference is that the user account has a password that expires by default, whereas the computer account has a completely different password mechanism. This one behavior is the best reason to use a computer account rather than a user account.
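    The following script is an added example, not part of the Lync Server documentation. It runs the cmdlet from step 3 and then performs the check from step 4 with the ActiveDirectory module (RSAT) instead of the Active Directory Users and Computers GUI, verifying that the computer object exists and sits in the container you named. The account name, domain name, and container DN are constructed placeholders; it assumes the Lync Server Management Shell and the ActiveDirectory module are both available in the session.

```powershell
# Added example (not from the Lync Server documentation): creates the Kerberos
# account with New-CsKerberosAccount and confirms the resulting computer object
# with Get-ADComputer. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Constructed placeholder values; substitute your own domain and account.
$UserAccount = "Contoso\KerbAuth"
$ContainerDN = "CN=Computers,DC=contoso,DC=com"
$SamName     = ($UserAccount -split '\\')[-1]   # "KerbAuth"

# Step 3: create the account (any failure stops the script here).
New-CsKerberosAccount -UserAccount $UserAccount -ContainerDN $ContainerDN -ErrorAction Stop

# Step 4: look the computer object up by name and read the attributes we care about.
$computer = Get-ADComputer -Identity $SamName `
    -Properties userAccountControl, servicePrincipalName -ErrorAction Stop

# The object must live directly in the container passed to -ContainerDN.
if ($computer.DistinguishedName -notlike "CN=$SamName,$ContainerDN") {
    throw "Computer object $($computer.DistinguishedName) is not in $ContainerDN"
}

$computer | Select-Object Name, DistinguishedName, Enabled, userAccountControl, servicePrincipalName
```

    Run this from an elevated Lync Server Management Shell as a Domain Admin; if the cmdlet fails in a locked-down AD DS environment, fall back to the manual procedure that follows.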

To manually create a Kerberos account

  1. In a secured or locked down Active Directory Domain Services (AD DS) infrastructure, you do the following.

    Warning

    The following procedure requires that you have the remote server administration tools installed or you are working locally or remotely with the AD DS Tools feature installed.

  2. As a member of the Domain Admins group, log on to a computer in the domain running Lync Server 2010, or to a computer where the administrative tools are installed.

  3. Click Start, click Administrative Tools, and then run Active Directory Users and Computers.

  4. In Active Directory Users and Computers, create the computer account in the appropriate organizational unit (OU) or the Computers container.

  5. To access the Security tab of the computer account, in Active Directory Users and Computers, click View, and then click Advanced Features. Advanced Features should now have a check mark to indicate that it is selected.

  6. In the organizational unit or Computers container, right-click the computer account that you created, and select Properties. Select the Security tab. On the Security tab, click Advanced.

  7. On the Advanced Security Settings tab for the selected computer account, click Add. In the Select User, Computer, Service Account, or Group dialog, type RTCUniversalServerAdmins in Enter the object name to select. Click Check Names. If the name resolves, click OK.

  8. Select the Object tab on the Permission Entry dialog of the computer account. Click the dropdown Apply to and select This object only.

  9. In the Permissions selection pane, select the following permissions:

    Permission                   Allow or Deny   Inheritance     Apply to
    Change Password              Allow           Not Inherited   This object only
    Reset Password               Allow           Not Inherited   This object only
    Read Permissions             Allow           Not Inherited   This object only
    Write servicePrincipalName   Allow           Not Inherited   This object only

  10. Click OK three times to close out of the dialogs. Close and exit Active Directory Users and Computers.

  11. Click Start, click Administrative Tools, run ADSI Edit.

  12. Right-click ADSI Edit, select Connect To, and select Select a well known Naming Context. Select Default naming context from the list. Click OK.

  13. In the organizational unit or container where the computer object is located, right-click the computer object and select Properties.

  14. On the Attribute Editor tab, locate the attribute userAccountControl, then click Edit.

  15. The Integer Attribute Editor displays the integer value of userAccountControl. Change the value to 69664. This integer value sets the flags PASSWD_NOTREQD, WORKSTATION_TRUST_ACCOUNT, and DONT_EXPIRE_PASSWD.

  16. Click OK to commit the change to the attribute. Close ADSI Edit.
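The following script is an added example, not part of the Lync Server documentation. It shows where the value 69664 in step 15 comes from (the sum of the three userAccountControl bit flags the step names), applies that value with Set-ADObject in place of the ADSI Edit steps 11 through 16, and then lists the non-inherited permissions granted to RTCUniversalServerAdmins on the object so you can compare them against the table in step 9. The account DN is a constructed placeholder; the script assumes the ActiveDirectory module (RSAT) and its AD: drive are available.

```powershell
# Added example (not from the Lync Server documentation): computes and applies the
# userAccountControl value from step 15 and lists the ACEs configured in step 9.
# Assumes the ActiveDirectory module (RSAT) is installed; the DN is a placeholder.
Import-Module ActiveDirectory

$AccountDN = "CN=KerbAuth,CN=Computers,DC=contoso,DC=com"   # constructed placeholder
$Group     = "RTCUniversalServerAdmins"

# userAccountControl bit flags named in step 15 (standard AD flag values).
$UacFlags = [ordered]@{
    PASSWD_NOTREQD            = 0x0020    # 32
    WORKSTATION_TRUST_ACCOUNT = 0x1000    # 4096
    DONT_EXPIRE_PASSWD        = 0x10000   # 65536
}
# 32 + 4096 + 65536 = 69664, the value the procedure tells you to type.
$Expected = ($UacFlags.Values | Measure-Object -Sum).Sum

# Translate a userAccountControl integer into the flag names it contains.
function Get-UacFlagNames {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

$obj = Get-ADObject -Identity $AccountDN -Properties userAccountControl
"Current userAccountControl: $($obj.userAccountControl) -> " +
    ((Get-UacFlagNames $obj.userAccountControl) -join ', ')

if ($obj.userAccountControl -ne $Expected) {
    # Equivalent of steps 14-16 without opening ADSI Edit.
    Set-ADObject -Identity $AccountDN -Replace @{ userAccountControl = $Expected }
    $obj = Get-ADObject -Identity $AccountDN -Properties userAccountControl
}

if ($obj.userAccountControl -eq $Expected) {
    "userAccountControl is $Expected as required."
} else {
    throw "userAccountControl is $($obj.userAccountControl), expected $Expected"
}

# Step 9 check: non-inherited ACEs for the group on this object only. Change Password
# and Reset Password appear as ExtendedRight entries and Write servicePrincipalName as a
# WriteProperty entry, each with the ObjectType GUID of that right or attribute.
$acl = Get-Acl -Path "AD:\$AccountDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Group" -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Because PASSWD_NOTREQD and DONT_EXPIRE_PASSWD relax the usual password controls, it is worth keeping a record of which computer objects carry this exact value so that the Kerberos account can be distinguished from any other object that acquires the same flags.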