CRM 2011 - more ActiveDirectory and SPN questions ...

  • Question

  • Trying to install CRM 2011 in an environment.  Now have the AD administrator asking all sorts of questions.   Can you help me?

    1.) The five groups:

    are all detailed in http://support.microsoft.com/kb/946677    When one manually adds a systemuser via the web-based UI in CRM 2011 -- put in the domainname and it queries Active Directory -- it just adds that user to UserGroup security group, right?

    2.) What SPNs are required on the crmservice account?

    I found:

    SETSPN -a MSCRMSandboxService/<ComputerName> <service account>

    in http://technet.microsoft.com/en-us/library/gg554723.aspx but the person in charge of AD wants to know all setspn commands to run for all accounts ...

    3.) So apparently SharePoint in some cases (using self attribute ?)  will actually update an attribute in AD account, like 'MySite' or 'favorite site' or something.... Does CRM 2011 ever update any attributes in user's AD acct ... ?

    Friday, September 23, 2011 5:25 PM

All replies

  • First off, let the program create the security groups.  That's why the installation program only asks for an OU.

    The default authentication of the app pool is Network Service, which is a local account and so represents the machine account.

    After the install you will see the machine account in several of the security groups.

    Since the service principal names are attributes of the machine object in the LDAP database, they are read and returned in the Kerberos token.

    It's obvious that the GUIDs you see in the CRM database tables are a result of a user's AD attributes.  That is why deleting a CRM user in AD is not a good idea, but AD is used for authentication.

    A person could write a series of articles on this but the forum is not the place for all that information.

    I've not seen it with CRM 2011, but I've had cases where virtual servers with IPv6 enabled had issues because of the new Windows 2008 TCP/IP stack and larger packets.  I've noticed that IPv6 creates a different type of DNS A record in the forward lookup zone. After that there were lots of 18456 errors to the SQL databases.  Be sure NICs, HBAs, switches and routers can handle all of this if you're going to deploy Dynamics applications with IPv6 in the network.  IPv6 is our friend, but we have to accommodate our friends.



    Curtis J Spanburgh
    Saturday, September 24, 2011 3:34 AM
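    The reply above notes that SPNs live as the servicePrincipalName attribute on the account or machine object and are what Kerberos uses to issue a ticket for the CRM service; a defender-side check on that attribute is shown below. This is an added example, not code from the thread or from Microsoft; the account names 'crmservice' and 'CRMSRV01$' are assumed placeholders, and it assumes a domain-joined machine whose caller can read the directory.

```powershell
# Added example: list the SPNs registered on an AD account (user or computer)
# and flag any SPN that is also registered on another object. Duplicate SPNs
# cause Kerberos authentication to the service to fail, because the KDC cannot
# decide which account's key to encrypt the service ticket with.

function Escape-LdapValue([string]$Value) {
    # RFC 4515 escaping for characters that are special inside an LDAP filter
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-SpnReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Search the current domain only; a forest-wide check would search GC:// instead
    $root   = [adsi]'LDAP://RootDSE'
    $domain = [adsi]"LDAP://$($root.defaultNamingContext)"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(sAMAccountName=$(Escape-LdapValue $SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in $($root.defaultNamingContext)" }

    $ownerDn = [string]$result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        # Any other object carrying the same SPN is a duplicate registration
        $dup = New-Object System.DirectoryServices.DirectorySearcher($domain)
        $dup.Filter = "(&(servicePrincipalName=$(Escape-LdapValue $spn))(!(distinguishedName=$(Escape-LdapValue $ownerDn))))"
        [void]$dup.PropertiesToLoad.Add('distinguishedName')
        $others = @($dup.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })

        [pscustomobject]@{
            Account   = $SamAccountName
            SPN       = [string]$spn
            Duplicate = ($others.Count -gt 0)
            AlsoOn    = ($others -join '; ')
        }
    }
}

# Placeholder names: the CRM service account from the setspn line in the question,
# then the CRM server's computer account (machine SPNs sit on the computer object).
Get-SpnReport -SamAccountName 'crmservice' | Format-Table -AutoSize
Get-SpnReport -SamAccountName 'CRMSRV01$'  | Format-Table -AutoSize
```

    An account with no servicePrincipalName values produces no rows, which for the service account means the setspn step from the question has not been run yet.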
  • Hi Williams,

    1. To install CRM you need to be a member of

      -PrivUser Group


    2. The links below will be helpful to you:

    3. No, we can't update attributes in the AD acct...



    Thanks & Regards, MS CRM Consultant, V.Surya.
    Saturday, September 24, 2011 1:18 PM
  • Surya,

    You can't be a member of a group if it has not even been created yet via the installation process.


    Curtis J Spanburgh
    Saturday, September 24, 2011 4:55 PM