When a user is a member of many AD DS groups, the size of the Kerberos authentication token for the user increases. You may have to do this when the user is a member of many Active Directory Domain Services (AD DS) user groups. For example, in the following image, TRLABV3 is the internal host name, and ADFSSvc is the service account:

Configure the AD FS 2.0 server to accept request headers that are larger than 40 kilobytes (KB). Make sure that the AD FS 2.0 service is running under the domain-based service account that was mentioned in the previous step. SPN registration failed during initial configuration of the farm. For more info, see the following TechNet wiki:

AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account

The reasons that you may have to set the SPN manually on the AD FS 2.0 service account are as follows: When you deploy an AD FS 2.0 Federation Server farm, you must specify a domain-based service account that needs a registered SPN to enable Kerberos authentication to function correctly. Before you modify it, back up the registry for restoration in case problems occur.

Because there are many possible causes, it's best to work through all the following solutions, and then verify the configuration. Serious problems might occur if you modify the registry incorrectly. Important: Follow the steps in this section carefully.

The issue doesn't apply to users on Microsoft Lync 2010, users who aren't on Skype for Business Online, or users who connect from outside their corporate network. Note: This issue only applies to Enterprise SSO users who sign in to Skype for Business Online by using Lync 2013 from inside their corporate network. Cannot sign in because the server is temporarily unavailable.