Topic Last Modified: 2017-03-15

Verifies the configuration of the Kerberos account assigned to a site. This cmdlet was introduced in Lync Server 2010.

Test-CsKerberosAccountAssignment -Identity <XdsIdentity> [-Report <String>]

The command shown in Example 1 verifies that the Kerberos account assigned to the Redmond site is configured correctly and is working as expected.

Test-CsKerberosAccountAssignment -Identity site:Redmond

In Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2, IIS ran under a standard user account. This had the potential to cause issues: if that password expired you could lose your Web Services, an issue that was often difficult to diagnose. To help avoid the issue of expiring passwords, Skype for Business Server 2015 enables you to create a computer account (for a computer that doesn’t actually exist) that can serve as the authentication principal for all the computers in a site that are running IIS. Because these accounts use the Kerberos authentication protocol, the accounts are referred to as Kerberos accounts, and the new authentication process is known as Kerberos web authentication. This enables you to manage all your IIS servers by using a single account.

The Test-CsKerberosAccountAssignment cmdlet provides a way for you to verify that a Kerberos account has been associated with a given site, that this account has been configured correctly, and that the account is working as expected.


Parameter Required Type Description




Name of the site where the Kerberos account was assigned. For example: -Identity "site:Redmond".




Enables you to specify a file path for the log file created when the cmdlet runs. For example: -Report "C:\Logs\TestKerberos.html".

None. The Test-CsKerberosAccountAssignment cmdlet does not accept pipelined input.

The Test-CsKerberosAccountAssignment cmdlet does not return any objects or values.