Assign a Kerberos Authentication Account to a Site
Topic Last Modified: 2010-11-08
To successfully complete this procedure you should be logged on as a user who is a member of the RTCUniversalServerAdmins group.
After creating the Kerberos account, you must assign it to a site. This is a Lync Server 2010 site, not an Active Directory site. You can create multiple Kerberos authentication accounts per deployment, but you can assign only one account to a site. Use the following procedure to assign a previously created Kerberos authentication account to a site. For details about creating the Kerberos account, see Create a Kerberos Authentication Account.
To assign a Kerberos authentication account to a site
1. As a member of the RTCUniversalServerAdmins group, log on to a computer in the domain running Lync Server 2010 or on to a computer where the administrative tools are installed.
2. Start the Lync Server Management Shell: Click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell.
3. From the command line, run the following two commands:

    New-CsKerberosAccountAssignment -UserAccount "Domain\UserAccount" -Identity "site:SiteName"
    Enable-CsTopology

For example:

    New-CsKerberosAccountAssignment -UserAccount "contoso\kerbauth" -Identity "site:redmond"
    Enable-CsTopology
You must specify the UserAccount parameter by using the Domain\User format. The User@Domain.extension format is not supported for referring to the computer objects created for Kerberos authentication purposes.
After making any changes to Kerberos authentication, such as adding an account or removing an account, you must run Enable-CsTopology from the Lync Server Management Shell command prompt.
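
The following script is an added example, not part of the original topic or Microsoft's own code. It wraps the procedure above with two pre-checks drawn from this page: the account must be in Domain\User format, and a site can hold only one assignment. The parameter defaults reuse the page's sample values, the helper name Test-KerberosAccountFormat is hypothetical, and the script assumes it runs in the Lync Server Management Shell.

```powershell
# Added example: guarded assignment of a Kerberos authentication account to a Lync site.
# Assumes the Lync Server Management Shell (Lync cmdlets already loaded).
param(
    [string]$UserAccount = 'contoso\kerbauth',   # sample value from the page
    [string]$Site        = 'redmond'             # Lync Server site, not an Active Directory site
)

# Hypothetical helper: accept Domain\User only.
# User@Domain.extension is not supported for these computer objects.
function Test-KerberosAccountFormat([string]$Account) {
    return ($Account -notmatch '@') -and ($Account -match '^[^\\/\s]+\\[^\\/\s]+$')
}

if (-not (Test-KerberosAccountFormat $UserAccount)) {
    throw "UserAccount '$UserAccount' must use the Domain\User format."
}

$identity = "site:$Site"

# Only one account can be assigned to a site, so stop if one is already there
# instead of letting the assignment fail halfway through a change window.
$existing = Get-CsKerberosAccountAssignment -Filter $identity -ErrorAction SilentlyContinue
if ($existing) {
    throw "Site '$Site' already has Kerberos account '$($existing.UserAccount)' assigned."
}

# The two commands from the procedure; -ErrorAction Stop prevents
# Enable-CsTopology from running after a failed assignment.
New-CsKerberosAccountAssignment -UserAccount $UserAccount -Identity $identity -ErrorAction Stop
Enable-CsTopology -ErrorAction Stop

# Read the assignment back so the change can be recorded.
Get-CsKerberosAccountAssignment -Identity $identity | Format-List Identity, UserAccount
```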