Missing Kerberos Account Assignments after SfB Server 2015 In-place Upgrade

Recently we were asked why, in a multi-site deployment, the Kerberos Account Assignments disappeared globally after a single site performed an In-Place Upgrade to Skype for Business Server 2015.

The planning details for the In-Place Upgrade to Skype for Business Server 2015 mention additional considerations if Kerberos authentication was previously deployed:

Kerberos authentication considerations
If you use Kerberos authentication for Web Services, you must reassign Kerberos accounts and reset the password after the In-Place Upgrade is complete. To learn how to do this, see Setting up Kerberos authentication.

Plan to upgrade to Skype for Business Server 2015

Then, when we use the Skype for Business Server 2015 In-Place Upgrade Setup, we can see that one of the steps is Deleting Kerberos Assignments:


During this step, all Kerberos Account Assignments from all sites in the Lync/SfB environment are removed, not just those for the site where the upgraded pool belongs.

Here is an example from the lab before running the In-Place Upgrade Setup:


And after running the In-Place Upgrade:


Keep in mind that every time we use the Skype for Business Server 2015 In-Place Upgrade Setup to upgrade a Front End / Mediation / Director / Persistent Chat Server, the Kerberos Account Assignments will be removed.
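
Because the removal affects every site, it helps to record the assignments before each upgrade and put back whatever is missing afterwards. The script below is an added example, not part of the original post or of the product's setup. It uses the Skype for Business Server Management Shell cmdlets for Kerberos accounts; the -Mode parameter and the snapshot path are assumptions made for this example.

```powershell
# Added example: snapshot Kerberos account assignments before an In-Place Upgrade
# and restore the missing ones afterwards. Run it in the Skype for Business
# Server Management Shell. -Mode and the snapshot path are assumptions.
param(
    [ValidateSet('Export', 'Restore')]
    [string]$Mode = 'Export',
    [string]$SnapshotPath = 'C:\Temp\KerberosAssignments.csv'   # assumed location
)

if ($Mode -eq 'Export') {
    # Capture every site's assignment, because the upgrade removes them globally.
    $current = @(Get-CsKerberosAccountAssignment)
    if ($current.Count -eq 0) {
        Write-Warning 'No Kerberos account assignments found; nothing to export.'
        return
    }
    $current | Select-Object Identity, UserAccount |
        Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Output "Saved $($current.Count) assignment(s) to $SnapshotPath"
    return
}

# Restore mode: compare the snapshot with what is still in the topology.
$saved    = @(Import-Csv -Path $SnapshotPath)
$existing = @(Get-CsKerberosAccountAssignment | ForEach-Object { [string]$_.Identity })
$missing  = @($saved | Where-Object { $existing -notcontains $_.Identity })

if ($missing.Count -eq 0) {
    Write-Output 'All saved assignments are still present.'
    return
}

foreach ($entry in $missing) {
    Write-Output "Reassigning $($entry.UserAccount) to $($entry.Identity)"
    New-CsKerberosAccountAssignment -UserAccount $entry.UserAccount -Identity $entry.Identity
}

# Publish the change, then reset each account's password once,
# even if the same account is assigned to several sites.
Enable-CsTopology
$missing | Select-Object -ExpandProperty UserAccount -Unique | ForEach-Object {
    Set-CsKerberosAccountPassword -UserAccount $_
}

# Verify every restored assignment.
foreach ($entry in $missing) {
    Test-CsKerberosAccountAssignment -Identity $entry.Identity -Verbose
}
```

Run it with -Mode Export before starting the In-Place Upgrade Setup on any server, and with -Mode Restore once the upgrade has finished.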

For reference, the Kerberos Account Assignments are stored in the CMS (XDS Database). We can use the following query to obtain the XML document that contains them:

-- Return the CMS items whose document name contains "Kerberos"
SELECT it.ItemId, it.BatchId, it.BatchPartialVersion, it.Data
FROM [xds].[dbo].[Item] it, [xds].[dbo].[Document] doc
WHERE it.DocId = doc.DocId
AND doc.Name LIKE '%Kerberos%'


And inside the XML document: