Associates a Kerberos account (used for IIS authentication) with a site.
Syntax
Set-CsKerberosAccountAssignment [-Identity <XdsIdentity>] [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-UserAccount <String>] [-WhatIf [<SwitchParameter>]] |
Set-CsKerberosAccountAssignment [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-Instance <PSObject>] [-UserAccount <String>] [-WhatIf [<SwitchParameter>]] |
Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
|
Identity |
Required |
String |
Unique identifier of the site where the Kerberos account was assigned. (This is the Identity of the site, not of the user account.) For example: -Identity "site:Redmond". |
|
UserAccount |
Required |
String |
User principal name of the new account. For example: -UserAccount "kerberostest@litwareinc.com". Note that your command will fail if the specified user account already exists. |
|
Instance |
Optional |
KerberosAccountAssignment object |
Allows you to pass a reference to an object to the cmdlet rather than set individual parameter values. |
|
Force |
Optional |
Switch Parameter |
When present, suppresses all error messages except for fatal errors. |
|
WhatIf |
Optional |
Switch Parameter |
Describes what would happen if you executed the command without actually executing the command. |
|
Confirm |
Optional |
Switch Parameter |
Prompts you for confirmation before executing the command. |
Detailed Description
In Office Communications Server 2007 and Office Communications Server 2007 R2, Internet Information Service ran under a standard user account. This has the potential to cause problems: if that password expired (which it would, depending on your enterprise password policies) you might lose your Communications Server Web services, and would definitely have to diagnose the problem and then change the password. To help avoid the problem of expiring passwords, Microsoft Communications Server 2010 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS.
To run your Web servers under this single authentication principal you must first create a computer account (which, again, is not tied to an actual computer) using the New-CsKerberosAccount cmdlet; this account is then assigned to one or more sites. After the assignment has been made, the association is enabled by running the Enable-CsTopology cmdlet; among other things, this creates the required Service Principal Name (SPN) in Active Directory. SPNs provide a way for client applications to locate a particular service. Because these accounts use the Kerberos authentication protocol, the accounts are often referred to as Kerberos accounts and the new authentication process is known as Kerberos Web authentication.
The Set-CsKerberosAccountAssignment cmdlet enables you to change the Kerberos account assigned to a given site. This cmdlet is used for sites that are already associated with an account. To assign an account to a site that currently is not associated with a Kerberos account use the New-CsKerberosAccountAssignment cmdlet instead.
Return Types
Set-CsKerberosAccountAssignment does not return any objects or values. Instead, the cmdlet modifies existing instances of the Microsoft.Rtc.Management.WriteableConfig.Settings.KerberosAccount.KerberosAccountAssignment object.
Examples
-------------------------- Example 1 ------------------------
 Copy Code |
|
|---|---|
Set-CsKerberosAccountAssignment -UserAccount "kerberostest@litwareinc.com" -Identity "site:Redmond" Enable-CsTopology |
|
The commands shown in Example 1 associate an existing Kerberos account (kerberostest@litwareinc.com) with the Redmond site, then use Enable-CsTopology to enable this new association. To do this, the first command in the example uses Set-CsKerberosAccountAssignment to associate the account kerberostest@litwareinc.com with the Redmond site; the second command then calls Enable-CsTopology in order to create the required Service Principal Name in Active Directory and, at the same time, enable the modified account assignment.