[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

Creates a new Kerberos account used for Internet Information Services (IIS) authentication.


New-CsKerberosAccount -UserAccount <String> [-Confirm [<SwitchParameter>]] [-ContainerDN <String>] [-Force <SwitchParameter>] [-Report <String>] [-WhatIf [<SwitchParameter>]]


Parameter Required Type Description

UserAccount
Required: Yes
Type: String
Description: User principal name of the new account. For example: -UserAccount "kerberostest@litwareinc.com". Note that your command will fail if the specified user account already exists.

ContainerDN
Required: No
Type: Active Directory distinguished name
Description: Distinguished name of the Active Directory container where the new user account is to be created. For example: -ContainerDN "ou=Finance,dc=litwareinc,dc=com".

Report
Required: No
Type: String
Description: Enables you to specify a file path for the log file created when the cmdlet runs. For example: -Report "C:\Logs\KerberosAccount.htm".

Force
Required: No
Type: Switch Parameter
Description: When present, suppresses all error messages except for fatal errors.

WhatIf
Required: No
Type: Switch Parameter
Description: Describes what would happen if you executed the command without actually executing the command.

Confirm
Required: No
Type: Switch Parameter
Description: Prompts you for confirmation before executing the command.

Detailed Description

In Office Communications Server 2007 and Office Communications Server 2007 R2, Internet Information Services (IIS) ran under a standard user account. This has the potential to cause problems: if that account's password expired (which it would, depending on your enterprise password policies) you might lose your Communications Server Web services, and would definitely have to diagnose the problem and then change the password. To help avoid the problem of expiring passwords, Microsoft Communications Server 2010 enables you to create a computer account (for a computer that doesn't actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS.

To run your Web servers under this single authentication principal you must first create a computer account (which, again, is not tied to an actual computer) using the New-CsKerberosAccount cmdlet; this account is then assigned to one or more sites. After the assignment has been made, the association is enabled by running the Enable-CsTopology cmdlet; among other things, this creates the required Service Principal Name (SPN) in Active Directory. SPNs provide a way for client applications to locate a particular service. Because these accounts use the Kerberos authentication protocol, the accounts are often referred to as Kerberos accounts and the new authentication process is known as Kerberos Web authentication.

Return Types

New-CsKerberosAccountAssignment creates new instances of the Microsoft.Rtc.Management.WriteableConfig.Settings.KerberosAccount.KerberosAccount object.


-------------------------- Example 1 ------------------------

New-CsKerberosAccount -UserAccount "kerberostest@litwareinc.com" -ContainerDN "cn=Users,dc=litwareinc,dc=com"

New-CsKerberosAccountAssignment -UserAccount "kerberostest@litwareinc.com" -Identity "site:Redmond"

The two commands shown in Example 1 create a new Kerberos account (kerberostest@litwareinc.com) and then assign that account to the Redmond site. To do this, the first command in the example creates an account with the UPN kerberostest@litwareinc.com; this account will be created in the Users container in the Litwareinc.com domain. After the account has been created, the second command uses New-CsKerberosAccountAssignment to assign that Kerberos account to the Redmond site.

After you make the new account assignment you must then run Enable-CsTopology in order to enable the changes.
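The following script walks through the whole procedure from the Detailed Description and Example 1 (create the account, assign it to a site, run Enable-CsTopology) and then checks the result. It is an added example, not part of the original page. The UPN, container DN, site name and log directory are constructed placeholders; -ErrorAction Stop and the try/catch are ordinary PowerShell rather than anything specific to this cmdlet; and Get-CsKerberosAccountAssignment and Test-CsKerberosAccountAssignment are companion cmdlets from the same module that this page does not document.

```powershell
# Added example (not from the original page): create the Kerberos account,
# assign it to a site, publish the change, then verify the assignment.
# All values below are constructed placeholders; substitute your own.
$userAccount = 'kerberostest@litwareinc.com'       # UPN of the new account (constructed)
$containerDN = 'ou=Finance,dc=litwareinc,dc=com'   # container for the new object (constructed)
$site        = 'site:Redmond'                       # site that will use the account (constructed)
$logDir      = 'C:\Logs'                            # where -Report logs are written (constructed)

if (-not (Test-Path -Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory | Out-Null
}

# Dry run: -WhatIf reports what the cmdlet would do without creating anything.
New-CsKerberosAccount -UserAccount $userAccount -ContainerDN $containerDN -WhatIf

# Create the account. -Report writes an HTML log of the run; -ErrorAction Stop
# turns a failure (for example, the account already exists) into a terminating
# error so the script does not continue to the assignment step.
try {
    New-CsKerberosAccount -UserAccount $userAccount -ContainerDN $containerDN `
        -Report (Join-Path $logDir 'KerberosAccount.htm') -ErrorAction Stop
}
catch {
    Write-Error "New-CsKerberosAccount failed: $_"
    return
}

# Assign the account to the site, then publish the topology so the required
# Service Principal Name is registered in Active Directory.
New-CsKerberosAccountAssignment -UserAccount $userAccount -Identity $site
Enable-CsTopology -Report (Join-Path $logDir 'EnableTopology.htm')

# Verify: show the assignment for the site and run the built-in assignment test.
# (Companion cmdlets from the same module; not documented on this page.)
Get-CsKerberosAccountAssignment -Identity $site
Test-CsKerberosAccountAssignment -Identity $site -Report (Join-Path $logDir 'KerberosTest.htm')
```

Run the script from a shell that has the Communications Server management module loaded, with an account that is allowed to create objects in the target container. Keeping the three -Report logs together gives you a record of the account creation, the topology publish and the verification for later troubleshooting.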