diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
index 9043959fda0678f0312b2c5785f2574cc639b5be..deaab1ed36a41d4b60b1e034fdda5c06723592bc 100644
--- a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
+++ b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -279,7 +279,7 @@ public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRea
 public User createAccountByAdmin(StaplerRequest req, StaplerResponse rsp, String addUserView, String successView) throws IOException, ServletException {
 checkPermission(Jenkins.ADMINISTER);
 User u = createAccount(req, rsp, false, addUserView);
- if(u != null) {
+ if (u != null && successView != null) {
 rsp.sendRedirect(successView);
 }
 return u;
diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
index 74ef40624e3bc978188f74e5c9b5f8337b7dd1da..17f9e0e6e71dd3eefe6d3f776a43f4bfe08635e6 100644
--- a/core/src/main/java/jenkins/install/SetupWizard.java
+++ b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -42,6 +42,7 @@ import hudson.model.User;
 import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.security.HudsonPrivateSecurityRealm;
 import hudson.security.SecurityRealm;
+import hudson.security.csrf.CrumbIssuer;
 import hudson.security.csrf.DefaultCrumbIssuer;
 import hudson.util.HttpResponses;
 import hudson.util.PluginServletFilter;
@@ -220,7 +221,7 @@ public class SetupWizard extends PageDecorator {
 * Called during the initial setup to create an admin user
 */
 @RequirePOST
- public void doCreateAdminUser(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
+ public HttpResponse doCreateAdminUser(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
 Jenkins j = Jenkins.getInstance();
 j.checkPermission(Jenkins.ADMINISTER);
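Review bot: `createAccountByAdmin` in HudsonPrivateSecurityRealm.java now treats a null `successView` as "do not redirect", but nothing visible in the hunk documents that contract for callers. With a null `successView` and a created user the method returns without writing anything to `rsp`, so the caller becomes responsible for producing the response. The method's Javadoc starts outside the hunk; it should gain a line such as `@param successView URL to redirect to once the account exists, or null to leave the response to the caller`. If the file already uses nullness annotations, marking the parameter `@CheckForNull` would make the same point to static analysis.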
@@ -233,7 +234,7 @@ public class SetupWizard extends PageDecorator {
 admin.delete(); // assume the new user may well be 'admin'
 }
- User u = securityRealm.createAccountByAdmin(req, rsp, "/jenkins/install/SetupWizard/setupWizardFirstUser.jelly", req.getContextPath() + "/");
+ User u = securityRealm.createAccountByAdmin(req, rsp, "/jenkins/install/SetupWizard/setupWizardFirstUser.jelly", null);
 if (u != null) {
 if(admin != null) {
 admin = null;
@@ -252,6 +253,11 @@ public class SetupWizard extends PageDecorator {
 Authentication a = new UsernamePasswordAuthenticationToken(u.getId(),req.getParameter("password1"));
 a = securityRealm.getSecurityComponents().manager.authenticate(a);
 SecurityContextHolder.getContext().setAuthentication(a);
+ CrumbIssuer crumbIssuer = Jenkins.getInstance().getCrumbIssuer();
+ JSONObject data = new JSONObject().accumulate("crumbRequestField", crumbIssuer.getCrumbRequestField()).accumulate("crumb", crumbIssuer.getCrumb(req));
+ return HttpResponses.okJSON(data);
+ } else {
+ return HttpResponses.okJSON();
 }
 } finally {
 if(admin != null) {
@@ -458,6 +464,7 @@ public class SetupWizard extends PageDecorator {
 /**
 * Remove the setupWizard filter, ensure all updates are written to disk, etc
 */
+ @RequirePOST
 public HttpResponse doCompleteInstall() throws IOException, ServletException {
 completeSetup();
 return HttpResponses.okJSON();
diff --git a/war/src/main/js/api/pluginManager.js b/war/src/main/js/api/pluginManager.js
index 04d754f0e7d0a0bee0360fa0c4c96b7a06e2754a..923c2c1ddb96d0e46ecc899763ce73e0fb0a0659 100644
--- a/war/src/main/js/api/pluginManager.js
+++ b/war/src/main/js/api/pluginManager.js
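Review bot: The added lines in `doCreateAdminUser` dereference `Jenkins.getInstance().getCrumbIssuer()` without a null check, and that getter can return null when no crumb issuer is configured. The request would then fail with a NullPointerException after the admin account has already been created and authenticated. The client in securityConfig.js already tolerates a missing `crumbRequestField`, so the server can return an empty object: `JSONObject data = new JSONObject();` followed by `if (crumbIssuer != null) { data.accumulate("crumbRequestField", crumbIssuer.getCrumbRequestField()).accumulate("crumb", crumbIssuer.getCrumb(req)); }`. The `else` branch returns `HttpResponses.okJSON()` when `u` is null; if `createAccount` has by then rendered the form view with validation errors (not visible here), a failed creation is reported as OK, which should be checked. The method body starts and ends outside this hunk.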
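Review bot: `doCompleteInstall` gains `@RequirePOST` but shows no permission check of its own, unlike `doCreateAdminUser`, which calls `j.checkPermission(Jenkins.ADMINISTER)` before doing anything else. `@RequirePOST` only restricts the HTTP method and does not authorise the caller. If `completeSetup()` (defined outside this hunk) does not check `Jenkins.ADMINISTER` itself, add `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` as the first statement. Otherwise a one-line comment such as `// permission is checked in completeSetup()` would record where the check lives. The method's closing brace is outside the hunk.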
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
 * Call this to complete the installation without installing anything
 */
 exports.completeInstall = function(handler) {
- jenkins.get('/setupWizard/completeInstall', function() {
+ jenkins.post('/setupWizard/completeInstall', {}, function() {
 handler.call({ isError: false });
 }, {
 timeout: pluginManagerErrorTimeoutMillis,
@@ -219,7 +219,7 @@ exports.installPluginsDone = function(handler) {
 * Restart Jenkins
 */
 exports.restartJenkins = function(handler) {
- jenkins.get('/updateCenter/safeRestart', function() {
+ jenkins.post('/updateCenter/safeRestart', {}, function() {
 handler.call({ isError: false });
 }, {
 timeout: pluginManagerErrorTimeoutMillis,
diff --git a/war/src/main/js/api/securityConfig.js b/war/src/main/js/api/securityConfig.js
index 7e4997df22d395232baa87990cd2ad46b6d0d287..0741043d49cd9f223903d0e5259fb9a3d3d68601 100644
--- a/war/src/main/js/api/securityConfig.js
+++ b/war/src/main/js/api/securityConfig.js
@@ -11,8 +11,13 @@ exports.saveFirstUser = function($form, success, error) {
 jenkins.staplerPost(
 '/setupWizard/createAdminUser',
 $form,
- success, {
- dataType: 'html',
+ function(response) {
+ var crumbRequestField = response.data.crumbRequestField;
+ if (crumbRequestField) {
+ require('window-handle').getWindow().crumb.init(crumbRequestField, response.data.crumb);
+ }
+ success(response);
+ }, {
 error: error
 });
 };
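Review bot: `restartJenkins` in pluginManager.js now POSTs to `/updateCenter/safeRestart`, but the server-side handler for that URL is not touched in this diff. The switch only stops a GET-triggered restart if that handler already rejects GET, for example via `@RequirePOST`, so this should be confirmed or added in the same commit. For `completeInstall` in the preceding hunk, the matching `@RequirePOST` on `doCompleteInstall` is part of this diff. A short comment on both calls, such as `// POST: state-changing endpoint, sent with the crumb`, would record why GET is not used. Both function bodies end outside their hunks.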
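Review bot: The new success callback in `saveFirstUser` reads `response.data.crumbRequestField` without checking that `response.data` exists. The `else` branch of `doCreateAdminUser` returns `HttpResponses.okJSON()` with no payload, so `data` may be absent (this depends on how `okJSON()` serialises, which is not visible here). The callback would then throw before `success(response)` runs. Guard it with `var data = response && response.data;` and `if (data && data.crumbRequestField) { require('window-handle').getWindow().crumb.init(data.crumbRequestField, data.crumb); }`. With `dataType: 'html'` removed, it is also worth confirming that a validation failure which re-renders the HTML form still reaches the `error` handler rather than being lost in JSON parsing.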