[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

Returns information about the Kerberos account assignments configured for use in the organization.


add-attachmentfilterentry -Name <String> -Type <ContentType | FileName> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description




Unique identifier of the site where the Kerberos account was assigned. (This is the Identity of the site, not of the user account.) For example: -Identity "site:Redmond". Note that you cannot use wildcards when specifying the site identity. To employ wildcards, use the –Filter parameter instead.

If neither the –Identity nor the –Filter parameter is included then Get-CsKerberosAccountAssignment will return all the Kerberos account assignments configured for use in the organization.




Enables you to use wildcard characters when specifying the Kerberos account assignment (or assignments) to be returned. For example, this syntax returns all the account assignments that include the string value "Europe": -Filter "*Europe*".

You cannot use both the –Identity and the –Filter parameters in the same command.



Switch Parameter

This parameter is for testing purposes only.

Detailed Description

In Office Communications Server 2007 and Office Communications Server 2007 R2, Internet Information Service ran under a standard user account. This has the potential to cause problems: if that password expired (which it would, depending on your enterprise password policies) you might lose your Communications Server Web services, and would definitely have to diagnose the problem and then change the password. To help avoid the problem of expiring passwords, Microsoft Communications Server 2010 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS.

To run your Web servers under this single authentication principal you must first create a computer account (which, again, is not tied to an actual computer) using the New-CsKerberosAccount cmdlet; this account is then assigned to one or more sites. After the assignment has been made, the association is enabled by running the Enable-CsTopology cmdlet; among other things, this creates the required Service Principal Name (SPN) in Active Directory. SPNs provide a way for client applications to locate a particular service. Because these accounts use the Kerberos authentication protocol, the accounts are often referred to as Kerberos accounts and the new authentication process is known as Kerberos Web authentication.

The Get-CsKerberosAccountAssignment cmdlet provides a way for you to return information about the Kerberos account assignments currently in use in your organization.

Return Types

Get-CsKerberosAccountAssignment returns instances of the Microsoft.Rtc.Management.WriteableConfig.Settings.KerberosAccount.KerberosAccountAssignment object.


-------------------------- Example 1 ------------------------

Copy Code

The command shown in Example 1 returns information about all the Kerberos account assignments currently in use in the organization.

-------------------------- Example 2 ------------------------

Copy Code
Get-CsKerborosAccountAssignment -Identity "site:Redmond"

Example 2 returns information about a single Kerberos account assignment: the account assignment for the Redmond site.

-------------------------- Example 3 ------------------------

Copy Code
Get-CsKerborosAccountAssignment -Filter "*Redmond*"

In Example 3, information is returned for all the Kerberos accounts that have been assigned to sites that have the string value "Redmond" somewhere in their site Identity. To do this, the –Filter parameter is included along with the filter value "*Redmond".

-------------------------- Example 4 ------------------------

Copy Code
Get-CsKerborosAccountAssignment | Where-Object {$_.UserAccount -match "litware"}

The preceding command returns information about all the Kerberos account assignments where the identity of the assigned user account includes the string value "litware". To carry out this task, the command first calls Get-CsKerberosAccountAssignment without any parameters; that returns a collection of all the Kerberos accounts assignments currently in use. This collection is then piped to the Where-Object cmdlet, which picks out only those assignments where the identity of the user account includes (-match) the string value "litware".