CRM 2011 Kerberos authentication and kernel mode
-
Wednesday, 18 April 2012 08:47
Hello All,
For a project we are trying to set up Kerberos for a CRM 2011/SharePoint 2010 environment. We need to do this because SharePoint is integrated with CRM and we want to have fluent authentication between these systems.
I'm not yet talking about SharePoint, first I want to properly configure CRM 2011. I tried to enable "Negotiate: Kerberos" as the authentication provider for the CRM site, but then I got the error:
The following Negotiable 2 based providers cannot be used when kernel mode authentication is enabled. Turn off kernel mode authentication in order to use these providers: "Negotiate:kerberos"
I presume I have to disable kernel mode for the site, but does this mean I need to set the SPNs manually for the web application used by CRM? I thought kernel mode was invented to ease the process of setting SPNs manually. Why can't it be used with Kerberos negotiation?
KR
Sven
All replies
-
Wednesday, 18 April 2012 10:10
Hi Sven,
For enabling Kerberos in CRM, you need to set the SPN and you need to modify the config file as shown below (this is from the CRM configuration manual); this should be enough and CRM should work without disabling kernel mode.
C:\Windows\System32\inetsrv\config
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
And according to the above post, I guess kernel mode just "eases up management": you register the SPN for the computer account instead of for each individual service account. But you still need to register it. I'm not sure CRM will work (according to the configuration manual, the above adjustments are needed).
"Register every SPN for each application hosted webserver under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in"
http://www.adopenstatic.com/cs/blogs/ken/archive/2008/02/12/16189.aspx
Regards,
- Edited by Ursa Pangos Wednesday, 18 April 2012 10:32
-
Wednesday, 18 April 2012 12:28
Thanks Ursa,
I have some issues though...
- I've set UseAppPoolCredentials to true
- I've set the two SPNs for my app pool account
Registered ServicePrincipalNames for CN=XRM AppPool,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local:
http://CRM-SERVER.LRM.LOCAL
http://CRM-SERVER
However, when I try to go to the CRM 2011 URL, I get a prompt asking for my credentials. If I disable useAppPoolCredentials it does seem to work; I presume it goes via NTLM then.
Do I need to set something regarding to trust delegation in AD?
//EDIT
Also, when I try to set the SPN for a different account (the async service account), I get this message:
C:\Users\Administrator>setspn -s http://CRM-SERVER "LRM\sa_xrm_asyncservice"
Checking domain DC=lrm,DC=local
CN=XRM AppPool,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local
http://CRM-SERVER.LRM.LOCAL
http://CRM-SERVER
Duplicate SPN found, aborting operation!
- Edited by Sven Vanoirbeek Wednesday, 18 April 2012 12:32
-
Wednesday, 18 April 2012 12:39
Hi Sven,
If you have registered the SPN correctly with the assigned service account, like
setspn -A http/CRM-SERVER.LRM.LOCAL "LRM.LOCAL\service_account"
setspn -A http/CRM-SERVER "LRM.LOCAL\service_account"
and you gave the above service account permission to delegate the Kerberos service (in AD), then it should work.
If it is asking you for credentials and they work when you enter them, then it is probably just Internet security settings.
Have you put your link (http://CRM-SERVER) in Local Intranet sites in Internet Explorer? Also the security for Local Intranet should be adjusted > Custom Level > Automatic logon only in Intranet zone.
Regards
-
Wednesday, 18 April 2012 12:55
Hi,
Currently doing some tests; now it seems to work with or without the SPN set for that account. Probably because it's falling back to NTLM?
1) How do I set permission to delegate on the service account? //EDIT: I see the Delegation tab shows up once the SPN is set!
2) How do I know whether authentication is over NTLM or Kerberos?
Thanks a lot!!!!
- Edited by Sven Vanoirbeek Wednesday, 18 April 2012 12:59
-
Wednesday, 18 April 2012 13:24 (Poster)
Hi Sven,
Check that you don't have duplicate SPNs; this will cause authentication issues. See if the following article helps you with your queries:
http://quantusdynamics.blogspot.co.uk/2011/12/extreme-performance-with-dynamics-crm.html
Regards
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
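An added example, not from the thread, from Microsoft, or from the blog linked above, serving both the "Duplicate SPN found" abort earlier in the thread and the setspn commands in the reply before it: a small audit over setspn -L style output. It parses the listing, flags SPN strings that do not have the serviceclass/host form (the registered "http://CRM-SERVER" is one: a browser asks the KDC for HTTP/CRM-SERVER, and an SPN string that does not match that name is never found, so Negotiate silently falls back to NTLM), flags SPNs held by more than one account (the condition setspn -S aborts on), and reports required SPNs that no account holds. The XRM AppPool entry is the listing pasted in the thread with the console-wrapped DN rejoined; the other two accounts, their DNs and their SPNs are constructed here to exercise the duplicate check.

```python
import re
from collections import defaultdict

# A Kerberos SPN has the shape serviceclass/host[:port][/servicename].
# "http://CRM-SERVER" (as registered in the thread) is not of that shape: a browser asks
# the KDC for HTTP/CRM-SERVER, finds no such SPN, and Negotiate falls back to NTLM.
SPN_RE = re.compile(
    r"^(?P<class>[A-Za-z][A-Za-z0-9_-]*)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<svc>[^/]+))?$"
)

LISTING_PREFIX = "Registered ServicePrincipalNames for "


def parse_setspn_listing(text):
    """Parse 'setspn -L'-style output into {account_dn: [spn, ...]}.

    A line starting with LISTING_PREFIX opens an account; the indented lines
    under it are that account's SPNs. 'Checking domain' lines are ignored.
    """
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Checking domain"):
            continue
        if line.startswith(LISTING_PREFIX):
            current = line[len(LISTING_PREFIX):].rstrip(":")
            accounts.setdefault(current, [])
        elif current is not None:
            accounts[current].append(line)
    return accounts


def audit_spns(accounts, required=()):
    """Return a list of (kind, message) findings.

    kind is one of:
      malformed  - string is not serviceclass/host[...], so no client will ever request it
      duplicate  - same SPN on more than one account (KDC cannot pick one; setspn -S aborts)
      missing    - an SPN in `required` that no account holds
    SPN comparison is case-insensitive, as it is in AD.
    """
    findings = []
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            if not SPN_RE.match(spn):
                findings.append(("malformed", f"{spn!r} on {dn}: expected e.g. HTTP/CRM-SERVER"))
                continue
            owners[spn.lower()].add(dn)
    for spn, dns in sorted(owners.items()):
        if len(dns) > 1:
            findings.append(("duplicate", f"{spn} is registered on {len(dns)} accounts: {', '.join(sorted(dns))}"))
    for spn in required:
        if spn.lower() not in owners:
            findings.append(("missing", f"{spn} is not registered on any account"))
    return findings


# Sample listing: the XRM AppPool entry is the output pasted in the thread (wrapped DN
# rejoined); the other two accounts are constructed here to exercise the duplicate check.
SAMPLE_LISTING = """\
Checking domain DC=lrm,DC=local
Registered ServicePrincipalNames for CN=XRM AppPool,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local:
        http://CRM-SERVER.LRM.LOCAL
        http://CRM-SERVER
Registered ServicePrincipalNames for CN=sa_xrm_asyncservice,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local:
        HTTP/CRM-SERVER
Registered ServicePrincipalNames for CN=CRM-SERVER,OU=Servers,DC=lrm,DC=local:
        HOST/CRM-SERVER.LRM.LOCAL
        HOST/CRM-SERVER
        HTTP/CRM-SERVER
"""

# The SPNs a browser will request for the two ways the site is addressed in the thread.
REQUIRED = ["HTTP/CRM-SERVER", "HTTP/CRM-SERVER.LRM.LOCAL"]

if __name__ == "__main__":
    for kind, msg in audit_spns(parse_setspn_listing(SAMPLE_LISTING), REQUIRED):
        print(f"[{kind}] {msg}")
```

Run against a real domain by pasting the output of `setspn -L <account>` for every account that might hold an HTTP SPN (app pool identity, computer account, any other service account) into one listing; an SPN that shows up under more than one account, or a required SPN that shows up under none, explains a Negotiate exchange that quietly degrades to NTLM.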
-
Wednesday, 18 April 2012 14:03
I think there is still something wrong...
Looking with Fiddler, I see a 401 (HTTP/1.1 401 Unauthorized) twice.
First:
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Second:
Authorization: Negotiate YIGBBgYrBgEFBQKgdzB1oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQQQ/TlRMTVNTUAABAAAAl7II4gwADAAzAAAACwALACgAAAAGAbEdAAAAD1NSVi1DUk0tREVWQ0VHRUtBQ1JNREVW
(Looks like Kerberos)
Then I get a 200 (HTTP/1.1 200 OK):
Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
In the Auth tab I see:
Authorization Header (Negotiate) appears to contain a Kerberos ticket:...
Strange thing is that I see the same behavior on a system where I have done NO kerberos config at all :/
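An added example, not part of the thread, that answers the earlier question "How do I know whether authentication is over NTLM or Kerberos?" from the Negotiate tokens themselves, using the two tokens pasted in the post above as input. Under Negotiate the base64 blob is a SPNEGO token: the outer context tag says whether it is a negTokenInit (client) or negTokenResp (server), the mechTypes list is what the client offers, and the bytes of the optimistic mechToken say which mechanism was actually used: an "NTLMSSP" signature means NTLM, a GSS token carrying the Kerberos OID means a ticket. Decoded this way, the client token above lists NTLMSSP first and its mechToken starts with "NTLMSSP", i.e. an NTLM Type 1 (NEGOTIATE) message, and the server reply is a negTokenResp with negState accept-completed; that is consistent with the 401, 401, 200 sequence seen in Fiddler, whereas a Kerberos exchange is a single 401 followed by 200. Decoding the token is the reliable check; the label in Fiddler's Auth tab is not. The KRB5 stub token is constructed here only for contrast and carries no real AP-REQ body.

```python
import base64

# OIDs that appear in SPNEGO mechType lists (dotted form -> name)
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _oid(raw):
    """Decode DER OID contents to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _name(dotted):
    return MECH_NAMES.get(dotted, dotted)


def _inner_mech(mech_token, fallback):
    """Identify the mechanism of an inner token from its bytes; return (mech, ntlm_type)."""
    if mech_token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP", NTLM_TYPES.get(int.from_bytes(mech_token[8:12], "little"))
    if mech_token[:1] == b"\x60":                  # GSS InitialContextToken, e.g. a KRB5 AP-REQ
        _, s, _ = _tlv(mech_token, 0)
        _, os_, oe = _tlv(mech_token, s)
        return _name(_oid(mech_token[os_:oe])), None
    return fallback, None


def classify_negotiate(header_value):
    """Decode the base64 token of an 'Authorization: Negotiate ...' or
    'WWW-Authenticate: Negotiate ...' header and report which mechanism it carries."""
    token = base64.b64decode(header_value.split()[-1])
    result = {"kind": None, "mech": None, "ntlm_type": None, "mechTypes": [], "negState": None}
    tag, vs, ve = _tlv(token, 0)
    if tag == 0x60:                                # [APPLICATION 0] { OID, inner token }
        _, os_, oe = _tlv(token, vs)
        oid = _oid(token[os_:oe])
        if oid != "1.3.6.1.5.5.2":                 # not SPNEGO: a raw GSS token (Kerberos AP-REQ)
            result.update(kind="raw-gss", mech=_name(oid))
            return result
        tag, vs, ve = _tlv(token, oe)              # [0] negTokenInit inside the SPNEGO wrapper
    if tag not in (0xA0, 0xA1):
        raise ValueError("not a SPNEGO token")
    result["kind"] = "negTokenInit" if tag == 0xA0 else "negTokenResp"
    _, s, e = _tlv(token, vs)                      # the SEQUENCE of context-tagged fields
    mech_token = b""
    while s < e:
        ftag, fs, fe = _tlv(token, s)
        _, cs, ce = _tlv(token, fs)                # element inside the [n] context tag
        if result["kind"] == "negTokenInit":
            if ftag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
                while cs < ce:
                    _, os_, oe = _tlv(token, cs)
                    result["mechTypes"].append(_name(_oid(token[os_:oe])))
                    cs = oe
            elif ftag == 0xA2:                     # [2] mechToken (optimistic token of the first mechType)
                mech_token = token[cs:ce]
        else:
            if ftag == 0xA0:                       # [0] negState ENUMERATED
                result["negState"] = NEG_STATES.get(token[cs], token[cs])
            elif ftag == 0xA1:                     # [1] supportedMech OID
                result["mechTypes"].append(_name(_oid(token[cs:ce])))
            elif ftag == 0xA2:                     # [2] responseToken
                mech_token = token[cs:ce]
        s = fe
    fallback = result["mechTypes"][0] if result["mechTypes"] else None
    if mech_token:
        result["mech"], result["ntlm_type"] = _inner_mech(mech_token, fallback)
    return result


def uses_kerberos(header_value):
    """True only when the Negotiate token actually carries a Kerberos inner token."""
    return classify_negotiate(header_value)["mech"] in ("KRB5", "MS KRB5")


# The two tokens pasted in the post above (client request, then the server's final reply).
CLIENT_HEADER = "Negotiate YIGBBgYrBgEFBQKgdzB1oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQQQ/TlRMTVNTUAABAAAAl7II4gwADAAzAAAACwALACgAAAAGAbEdAAAAD1NSVi1DUk0tREVWQ0VHRUtBQ1JNREVW"
SERVER_HEADER = "Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA="
# Constructed for contrast: a minimal raw KRB5 InitialContextToken (OID only, no real AP-REQ body).
KRB5_STUB = "Negotiate " + base64.b64encode(b"\x60\x0d\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01\x00").decode()

if __name__ == "__main__":
    for label, hdr in (("client", CLIENT_HEADER), ("server", SERVER_HEADER), ("stub", KRB5_STUB)):
        print(label, classify_negotiate(hdr), "kerberos" if uses_kerberos(hdr) else "not kerberos")
```

Paste any Authorization or WWW-Authenticate Negotiate header value from Fiddler into classify_negotiate(); a Kerberos logon shows a negTokenInit whose mechTypes begin with MS KRB5 or KRB5 and whose mechToken decodes to a GSS token with that OID, and the server's 200 then carries a negTokenResp with supportedMech set to the same OID.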
-
Wednesday, 18 April 2012 14:37 (Poster)
Sven that looks good, you have a kerberos ticket there.
Do you still get the prompt for authentication, or does it log you in automatically?
Btw, when you use network service accounts, these have SPNs configured by default, so even on applications where you may not have configured SPNs etc., if you are using network service accounts this will automatically work. AD delegation is needed when you use domain accounts and multiple hops to reach the data; if you use one single box to host all the components, you will not need delegation.
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
- Marked as answer by Sven Vanoirbeek Friday, 20 April 2012 06:37
-
Wednesday, 18 April 2012 14:47
Yes, it's just strange that I get a 401 twice without any login prompt, and then a 200.
Now SharePoint will follow and then I'll see if the double hop problem is solved.
Thanks
-
Thursday, 19 April 2012 07:30
Hi Sven,
I don't know how far you have come with the solution, but to reply to your question about where to set the permission for delegation:
You have to find the object in AD (service account or computer account), and you'll see an additional tab in that object's properties > Delegation; then you select "Trust this computer for delegation to specified services only" > "Use Kerberos only".
This needs to be done for the service account under which you have registered the SPN; if it's not a network service account, then you don't need this step.
Regards
-
Tuesday, 24 April 2012 23:14
My WinXP clients would not authenticate to the CRM server at all after I set SPNs for the CRM app service account; I kept getting 401 errors.
In my case the resolution was to also add SPNs for the CRM sandbox account.