Prompts for credentials for downloading address book and expanding distribution list RRS feed

  • Question

  • I am in the process of preparing for my OCS 2007 deployment. In my test rollout I can send messages and text files, start video and voice calls, create and participate in live meetings all without a problem. However, when Communicator tries to download the GalContacts.db file or expand a distribution list group added from AD, I am prompted for credentials but the credentials do not work.


    In testing I have found that changing Abs virtual directory to allow anonymous connections stops the prompts (as expected), so I know the problem is not with the connection to the Abs share on the file server.


    I have changed from Integrated to Basic authentication over SSL and downloaded a file using IE7 by navigating to https://server.domain.com/abs/int/handler/file.dabs. I was prompted once for credentials and successfully authenticated, as expected.


    Similarly, if I set GroupExpansion authentication to anonymous in IIS, DL expansion works fine.


    So it seems that I have a problem with integrated authentication for these folders, despite everything else apparently working.


    I read the OCS team blog post here: http://communicationsserverteam.com/archive/2007/12/17/52.aspx. I get the KRB5KRB_AP_ERR_MODIFIED they talk about, but I'm not clear on how to fix that.


    On a domain controller I ran setspn -L ocsserver and got ocsserver and ocsserver.domain.com back.

    I ran setspn -L ocspool (the OCS pool name) and got back nothing.

    I ran ldifde -f output.txt -d "dc=domain,dc=local" and got a huge output file, but I'm not really sure what I'm looking for in that.


    Does anyone have any suggestions of what I can try?


    Thanks in advance!



    Monday, August 18, 2008 5:53 PM

All replies


    Hello? OCS team?
    Monday, December 1, 2008 9:12 PM
  • Monday, December 1, 2008 9:58 PM

    Looks like a very thorough blog posting, I'll check that out and experiment during my next planned outage. Thanks!
    Monday, December 1, 2008 10:04 PM
  • Hi,

    I am not from the OCS team but let's see if I can help in any way.

    I think the problem the article is describing is when you have the same SIP Service Principle Name configured on multiple service accounts which would lead to unpredictable results such as the KRB_AP_ERR_MODIFIED. The way to find out if you have multiple service accounts running with the same SPN would be to run "ldifde -f output.txt -d "dc=domain,dc=local" and then search the output.txt file for something like "OCSPOOL.DOMAIN.LOCAL". You should find this string on only one service account, that being the RTCService account. If you find it on multiple accounts you need to remove it from the ones that are not the actual service account for your OCS pool. You can use SETSPN -d to remove it.

    Alternatively you can install the OCS 2007 resource kit and run "cscript checkspn.vbs /check /sSurprisecspool.mydomain.net" to verify if the SPN are registered properly. This quote comes from the resource kit readme document located in the root of your reskit folder.

    checkspn.vbs /check /s:<Server FQDN>
    Checks whether the SPN for a specific Office Communications Server Standard Edition or Enterprise Edition server is registered under one account. The server is identified by its FQDN (fully qualified domain name). If there is more than one registration, the script prints the user accounts that have this SPN registered. This mode is useful for detecting that the servers SPN has been registered under multiple accounts. If this is the case, the duplicate SPNs must be deleted until there is exactly one account under which the SPN is registered. Having the same SPN registered under multiple accounts causes Kerberos protocol authentication to fail on the client.

    I also found this blog posting which may contain some additional troubleshooting steps for you...

    Address Book Chaos

    Hope this helps,
    Tonino Bruno

    Monday, December 1, 2008 10:06 PM
  • Another piece to check is the Default WebSite set to Anonymous.  You will get prompted for Auth there an fail to download.  The ABS VDIR should be Integrated Windows but the default site should be set to Anonymous.



    Monday, December 1, 2008 10:48 PM