State of knowledge

October 2025

ProCall 8 Enterprise from 8.1
ProCall Infinity (DataCenter) from 2210.3

Functionality

Kerberos authentication is implemented so that ProCall Desktop for Windows uses Kerberos by default to log on to the UCServer.
No further action is required by users or administrators.

Service Principal Name (SPN) Registration

The UCServer registers its Service Principal Name (SPN) for the service class "eucsrv" at startup.

Required authorisations

The account under which the UCServer runs must have the authorisation Validated Write servicePrincipalName or Confirmed Write to Service Principal.
For computer accounts (and services running under LocalSystem), this is the Windows default.

On shutdown, the UCServer removes its SPN registration again.

An SPN (e.g. "eucsrv/cti-server") can only ever be registered for a single account (a computer account, a user account or a service account).

Authentication methods

By default, the UCServer offers Kerberos and NTLM for domain authentication to ProCall Desktop for Windows.

Negotiate is disabled by default and should currently not be used, especially in conjunction with "VPN-less" connections.

Restrict methods

The methods offered can be limited as follows:

  • For ProCall Enterprise:

    general.xml

    <UserManagerDisabledAuthMethods>
    	<Method>Negotiate</Method>
    </UserManagerDisabledAuthMethods>
  • For ProCall Infinity (DataCenter):

    Configuration database

    Key: "general.usermanager.UserManagerDisabledAuthMethods"
    Value: ["Negotiate"]

If the <UserManagerDisabledAuthMethods> element or the "general.usermanager.UserManagerDisabledAuthMethods" key is not present, the default (Negotiate disabled) applies.

If the element or key is present but contains no <Method> or value, all methods (including Negotiate) are enabled.

Other methods can be deactivated as follows:

  • For ProCall Enterprise:

    general.xml

    <UserManagerDisabledAuthMethods>
    	<Method>Negotiate</Method>
    	<Method>Kerberos</Method>
    </UserManagerDisabledAuthMethods>
  • For ProCall Infinity (DataCenter): 

    Configuration database

    Key: "general.usermanager.UserManagerDisabledAuthMethods"
    Value: ["Negotiate", "Kerberos"]

In certain domain constellations it may not be possible to use Kerberos.
In that case we recommend deactivating the Kerberos authentication method.

If several authentication methods are offered, ProCall Desktop for Windows uses them with the following priority:

  1. Negotiate
  2. Kerberos
  3. NTLM

Disabled methods are skipped. If the login fails with the first method used, the login is considered to have failed and no further method is attempted. The token request under Kerberos is an exception: if no token can be issued by the authentication server, a fallback to NTLM is attempted (provided NTLM is not disabled).

If all authentication methods are disabled, the client still uses NTLM to guard against misconfiguration.
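
The rules in this section combined into one check, as an added example (not estos code): it reads a general.xml document and returns which methods end up disabled, which methods the client may attempt, and what an administrator should note. The function names and the `<General>` wrapper element in the samples are assumptions; only the `<UserManagerDisabledAuthMethods>` element and its `<Method>` children come from this article.

```python
import xml.etree.ElementTree as ET

ELEMENT = "UserManagerDisabledAuthMethods"
PRIORITY = ["Negotiate", "Kerberos", "NTLM"]  # client priority from the article


def disabled_methods(general_xml):
    """Return the set of methods a general.xml document disables."""
    root = ET.fromstring(general_xml)
    node = root if root.tag == ELEMENT else root.find(f".//{ELEMENT}")
    if node is None:
        return {"Negotiate"}  # element absent: default, Negotiate disabled
    # Element present: only the listed methods are disabled; an empty
    # element therefore re-enables everything, including Negotiate.
    return {m.text.strip() for m in node.findall("Method")
            if m.text and m.text.strip()}


def client_attempts(disabled):
    """Methods the client may try, in order, for a given disabled set."""
    offered = [m for m in PRIORITY if m not in disabled]
    if not offered:
        return ["NTLM"]  # everything disabled: the client still uses NTLM
    first = offered[0]
    # A failed login is final. Only exception: no Kerberos token could be
    # issued, in which case NTLM is tried unless it is disabled.
    if first == "Kerberos" and "NTLM" in offered:
        return ["Kerberos", "NTLM"]
    return [first]


def review(general_xml):
    """Return (disabled, attempts, findings) for one configuration."""
    disabled = disabled_methods(general_xml)
    attempts = client_attempts(disabled)
    findings = []
    if "Negotiate" not in disabled:
        findings.append("Negotiate is offered; the article advises against it")
    if "NTLM" in attempts:
        findings.append("NTLM remains reachable for clients")
    return disabled, attempts, findings


# Constructed samples; the <General> wrapper element is an assumption.
EMPTY = "<General><UserManagerDisabledAuthMethods/></General>"
NO_KRB = ("<General><UserManagerDisabledAuthMethods><Method>Negotiate</Method>"
          "<Method>Kerberos</Method></UserManagerDisabledAuthMethods></General>")

if __name__ == "__main__":
    for name, doc in [("absent", "<General/>"), ("empty", EMPTY), ("no-krb", NO_KRB)]:
        print(name, review(doc))
```

The empty-element case is the one to watch for: removing the last `<Method>` entry while leaving the element in place turns Negotiate on instead of restoring the default.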

Check

SPN entries

SPN entries can be checked via the command prompt as follows:

  • All SPNs registered for an account/server: "setspn -L <sAMAccountName>" ("setspn -L <NTDOMAIN\sAMAccountName>") / "setspn -L <computer account>"
  • All servers for which an SPN with the service class "eucsrv" is registered: "setspn -q eucsrv/*"

You can check whether UCServer has registered the SPN at startup as follows:

Search for "AddSpnToCurrentAccount" in the UCServer log (EventLog_x.txt).
Example output:

07.10.2025 10:29:40:984;4;9648;EKerberos::AddSpnToCurrentAccount;Kerberos SPN for service class eucsrv has been added.
→ SPN has been registered.

07.10.2025 11:39:07:625;2;5316;EKerberos::AddSpnToCurrentAccount;Failed to add Kerberos SPN for service class eucsrv
→ SPN has not been registered.



Kerberos

The use of Kerberos can be checked as follows:

Search for "Using SSPI method" in the client log. Example output:

Log output

03.2023 08:34:03:775;32;mainthread-6992;ENetCtiClientBase::LoginSSPI;Using SSPI method Kerberos with parameter "eucsrv/cti-server.estos.de"

UCServer could not register its SPN for the service class "eucsrv" at startup - Possible causes 

SPN already registered for another account (user or computer account)

If the SPN is registered for a different account (user or computer account) than expected, it can be deleted manually:

setspn -D eucsrv/cti-server cti-server

→ SPN for computer account cti-server is deleted.

setspn -D eucsrv/cti-server Administrator

→ SPN for user Administrator is deleted.

Missing account authorisation

The account under which the UCServer is running does not have the authorisation Validated Write servicePrincipalName or Confirmed Write to Service Principal.