Topic Last Modified: 2010-10-01

Determines whether or not a user can log on to Microsoft Lync Server 2010 by using a certificate downloaded from the certificate provisioning service.


Test-CsClientAuth [-TargetFqdn <String>] -UserCredential <PSCredential> -UserSipAddress <String> [-Force <SwitchParameter>] [-OutVerboseVariable <String>] [-RegistrarPort <Nullable>] [-TargetUri <String>]


Parameter Required Type Description



PS credential object

User credential object for the user account to be used in the test. The value passed to UserCredential should be an object reference obtained by using the Get-Credential cmdlet. For example, this code returns a credentials object for the user litwareinc\kenmyer and stores that object in a variable named $x:

$x = Get-Credential "litwareinc\kenmyer"

You need to supply the user password when running this command.



SIP Address

SIP address of the user to be used in the test. For example: -UserSipAddress




SIP port used by the Registrar service. This parameter is not required if the Registrar uses the default port 5061.




URL of the certificate provisioning service. If this parameter is not included then the Test-CsClientAuth will use the certificate provisioning service configured for the Registrar pool.




Fully qualified domain name (FQDN) of the Registrar pool where client authentication is to be tested. For example: -TargetFqdn "".



Switch Parameter

Suppresses the display of any non-fatal error message that might occur when running the command.



Switch Parameter

Reports detailed activity to the screen as the cmdlet runs.

Detailed Description

Client certificates provide an alternate way for users to be authenticated by Lync Server 2010. In order to determine whether or not a user can log on to the system by using a client certificate, you can run the Test-CsClientAuth cmdlet. When you run this Test-CsClientAuth you must specify the Registrar pool and SIP address of the user account being tested; you must also be able to supply the user’s logon name and password. After calling Test-CsClientAuth, the cmdlet will contact the certificate provisioning service and download a copy of any client certificates for the specified user. If a client certificate can be found and downloaded, Test-CsClientAuth will then attempt to log on using that certificate. If logon succeeds, Test-CsClientAuth will log off and report that the test succeeded.

If a certificate cannot be found or downloaded, or if the cmdlet is unable to logon using that certificate, then Test-CsClientAuth will report that the test failed.

Who can run this cmdlet: To return a list of all the role-based access control (RBAC) roles this cmdlet has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:

Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Test-CsClientAuth"}

Input Types


Return Types

Test-CsClientAuth returns an instance of the Microsoft.Rtc.SyntheticTransactions.TaskOutput object.


-------------------------- Example 1 --------------------------

Copy Code
$cred1 = Get-Credential "litwareinc\kenmyer"

Test-CsClientAuth -TargetFqdn -UserSipAddress "" -UserCredential $cred1

The commands shown in Example 1 test the ability of the user litwareinc\kenmyer to log on to the Registrar pool by using a client certificate. To carry out this task, the first command in the example uses Get-Credential to create credential object for the user in question. The resulting credential object (which requires you to enter the password for the user) is stored in a variable named $cred1.

The second command then calls Test-CsClientAuth, specifying the FQDN of the Registrar pool (TargetFqdn), the user’s SIP address (UserSipAddress) and the credential object created in the initial command (UserCredential).

See Also