[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

Removes one or more Kerberos account assignments.


add-attachmentfilterentry -Name <String> -Type <ContentType | FileName> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description




Unique identifier of the site where the Kerberos account assignment is to be removed. (This is the Identity of the site, not of the user account.) For example: -Identity "site:Redmond".



Switch Parameter

When present, suppresses all error messages except for fatal errors.



Switch Parameter

This parameter is for testing purposes only.



Switch Parameter

Describes what would happen if you executed the command without actually executing the command.



Switch Parameter

Prompts you for confirmation before executing the command.

Detailed Description

In Office Communications Server 2007 and Office Communications Server 2007 R2, Internet Information Service ran under a standard user account. This has the potential to cause problems: if that password expired (which it would, depending on your enterprise password policies) you might lose your Communications Server Web services, and would definitely have to diagnose the problem and then change the password. To help avoid the problem of expiring passwords, Microsoft Communications Server 2010 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS. Because these accounts use the Kerberos authentication protocol, the accounts are often referred to as Kerberos accounts and the new authentication process is known as Kerberos Web authentication.

To run your Web servers under this single authentication principal, you must first create a computer account (which, again, is not tied to an actual computer) using the New-CsKerberosAccount cmdlet; this account is then assigned to one or more sites. After the assignment has been made, the association is enabled by running the Enable-CsTopology cmdlet; among other things, this creates the required Service Principal Name (SPN) in Active Directory. SPNs provide a way for client applications to locate a particular service.

Each Microsoft Communications Server site can be associated with, at most, a single Kerberos account. (However, each account can be associated with multiple sites.) At any time you can use the Remove-CsKerberosAccountAssignment cmdlet to remove the association between a site and an account. This cmdlet does not delete the account in question; it simply severs the association between the account and the site, effectively disabling Kerberos Web authentication in that site.

Return Types

Remove-CsKerberosAccountAssignment does not return any objects or values. Instead, the cmdlet deletes existing instances of the Microsoft.Rtc.Management.WriteableConfig.Settings.KerberosAccount.KerberosAccountAssignment object.


-------------------------- Example 1 ------------------------

Copy Code
Remove-CsKerberosAccountAssignment -Identity "site:Redmond"

The preceding command removes the Kerberos account assignment from the Redmond site.

-------------------------- Example 2 ------------------------

Copy Code
Get-CsKerberosAccountAssignment | Remove-CsKerberosAccountAssignment

In Example 2, all the Kerberos account assignments currently in use are deleted. To do this, the command first calls Get-CsKerberosAccountAssignment (without any parameters) in order to return a collection of all the Kerberos account assignments. This collection is then piped to Remove-CsKerberosAccountAssignment, which deletes each assignment in the collection.