Saturday 14 July 2018

Resolved: Lync Server Front-End Service unable to start (Event ID: 7024)


I have a Lync Server 2010 environment with a Lync FEPool that contains 2 Front End servers (FE01 and FE02), one multi-role server with the archiving/monitoring roles (ArcMonit01) and one Edge server (EDGEServ01).
Recently I had to renew the internal SSL certificates on the FE servers.

After renewal of the internal SSL certificate, the Lync Server Front-End service on the first FE server (FE01) started successfully but was unable to start on the second server, FE02.
While trying to start it manually, I got this error in Event Viewer/System logs (Event ID: 7024):
The Lync Server Front-End service terminated with service-specific error %%-1008124830.

After comparing the settings of both FE servers and the properties of the new SSL certificate, I found that the name of FE02 had not been added as a SAN in the SSL certificate.
So I created a new CSR, added the name of FE02 as a SAN (FE02.mydomain.com) and got a new SSL certificate for this CSR from the internal CA. I imported it on the server from which the CSR was generated and assigned it on that server, then exported the certificate from that server, imported it on FE02 and assigned it accordingly. After that, the "Lync Server Front-End Service" started successfully on FE02.
So my issue was that the second server's name (FE02.mydomain.com) had not been added as a SAN in the internal SSL certificate.

Thursday 5 July 2018

Solved: unable to configure new Outlook profile, it keeps asking for password

I was unable to configure Outlook. While trying to configure it I was getting a continuous credentials prompt, it would not go ahead, and I was getting the following error in the Event Viewer of the client machine.

Log name: System
Event ID: 4
Error:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cas03$. The target name used was HTTP/autodiscover.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.com) is different from the client domain (domain.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Besides the Outlook issue, Lync 2010/Skype for Business users were also getting a credentials prompt and were likewise unable to authenticate, even after typing the correct credentials many times, but they stayed connected if they just ignored the credentials prompt in Skype for Business.

My environment: I have a hybrid environment with Exchange Server 2013 on premises and Office 365, and likewise Lync 2010 on premises and Skype for Business Online in the Microsoft cloud.

After a lot of googling I learned to check the userPrincipalName against the servicePrincipalName using the ADfind tool, which you can download from http://www.joeware.net/freetools/tools/adfind/index.htm. I ran the following command:

adfind -f "servicePrincipalName=HOST/webmail.mydomain.com" -gcb

The output was blank (nothing found), so I ran:

adfind -f "servicePrincipalName=HOST/autodiscover.mydomain.com" -gcb

and found the following two values among a lot of other values:

>userPrincipalName: nawaz@mydomain.com
>servicePrincipalName: host/autodiscover.mydomain.com

Now Nawaz@mydomain.com was my domain admin account, and after disabling/deleting this account my issue was resolved: I was able to configure Outlook, and the credentials prompt in Skype for Business was gone as well. It seems the issue was this user, Nawaz@mydomain.com.
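
The adfind lookup above, turned into a repeatable check (an added example, not part of the original post): it parses output in the "dn:" / ">attribute: value" layout and lists accounts, other than the one expected to run the service, that hold an SPN a ticket request for HTTP/autodiscover.mydomain.com could resolve to. The sample records, the DNs and the HOST alias subset are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the "dn:" / ">attribute: value" layout; not real data.
SAMPLE = """\
dn:CN=nawaz,CN=Users,DC=mydomain,DC=com
>userPrincipalName: nawaz@mydomain.com
>servicePrincipalName: host/autodiscover.mydomain.com

dn:CN=CAS03,CN=Computers,DC=mydomain,DC=com
>servicePrincipalName: HOST/cas03.mydomain.com
>servicePrincipalName: HTTP/cas03.mydomain.com
"""

# Service classes a HOST/ SPN also answers for. AD's default sPNMappings list
# is longer; this subset is an assumption made for the example.
HOST_ALIASES = {"host", "http", "cifs"}

def parse_records(text):
    """Return {dn: [spn, ...]} from 'dn:' / '>attr: value' output."""
    records, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
        elif line.startswith(">") and current and ":" in line:
            attr, value = line[1:].split(":", 1)
            if attr.strip().lower() == "serviceprincipalname":
                records[current].append(value.strip())
    return dict(records)

def spn_matches(registered, requested):
    """True if a ticket request for `requested` can resolve to `registered`."""
    r_cls, _, r_host = registered.lower().partition("/")
    q_cls, _, q_host = requested.lower().partition("/")
    if r_host != q_host:
        return False
    return r_cls == q_cls or (r_cls == "host" and q_cls in HOST_ALIASES)

def unexpected_owners(records, requested_spn, expected_dn):
    """DNs other than `expected_dn` that hold an SPN matching the request."""
    return sorted(
        dn for dn, spns in records.items()
        if dn.lower() != expected_dn.lower()
        and any(spn_matches(s, requested_spn) for s in spns)
    )

if __name__ == "__main__":
    cas03 = "CN=CAS03,CN=Computers,DC=mydomain,DC=com"
    recs = parse_records(SAMPLE)
    print(unexpected_owners(recs, "HTTP/autodiscover.mydomain.com", cas03))
```

The comparison is case-insensitive and treats a HOST/ registration as covering HTTP/, which is why a search for HOST/autodiscover turned up the account behind an error about HTTP/autodiscover.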