CRM 2011 Kerberos impossible?

  • Question

  • After installing CRM 2011 I have two application pools that each run under a different account.

    The Crm App Pool that runs under DOMAIN\svc_CrmAppPoolAccount
    and the Crm Deployment Service App Pool that runs under DOMAIN\svc_CrmDeploymentServiceAppPoolAccount

    The server name is 'CRM' so the web application is reachable through:
    http://crm.domain.com

    and the deployment service through:
    http://crm.domain.com/XRMDeployment

    So far so good, but how to register the SPNs?

    I cannot register both accounts with
    HTTP/crm.domain.com
    HTTP/crm

    Or well... actually I CAN! And if I do so... even though I get an error message in the event log that I have duplicate SPNs, it all works. If I try to register the SPN for the deployment application pool service account like this (which sounded logical):
    HTTP/crm.domain.com/XRMDeployment
    HTTP/crm/XRMDeployment

    I can no longer log in at all!

    Now... here comes my simple question:

    If I install conforming to the best practices.... how do I register the SPNs in the correct way?

    Regards,

    Wesley Bakker


    Listen carefully, I will say this only once.
    Monday, March 28, 2011 2:14 PM

Answers

  • Hi Wesley,

    First of all, verify which SPNs you have already registered; you can do that with:

    setspn -l DOMAIN\svc_CrmAppPoolAccount

    and

    setspn -l DOMAIN\svc_CrmDeploymentServiceAppPoolAccount

    Then delete the SPNs that are duplicated.

    For CRM you need to register:

    setspn -a http/crmserver_netbiosname "domain\application_pool_account" (in your case DOMAIN\svc_CrmAppPoolAccount)

    setspn -a http/crmserver_FQDNAME "domain\application_pool_account"

    These two SPNs are almost the same (one uses the NetBIOS name and the other the FQDN).

    According to the manual you should also register some SPNs for the CRM services (Sandbox, Asynchronous, Deployment, Application, ...).

    I think this should be enough.

    SETSPN -a MSCRMDeploymentServiceAppPool/<ComputerName> <service account> (in your case DOMAIN\svc_CrmDeploymentServiceAppPoolAccount)

    • Edited by Ursa Pangos Tuesday, March 29, 2011 1:02 PM mistake
    • Proposed as answer by Ursa Pangos Thursday, March 31, 2011 1:16 PM
    • Marked as answer by webbes Friday, April 1, 2011 3:21 PM
    Tuesday, March 29, 2011 12:34 PM
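The check the answer describes (list the SPNs on both app pool accounts, then find the ones registered on more than one account) as a PowerShell script. This is an added example, not code from any poster in the thread; it assumes setspn.exe is on the path and uses the account names from the question, which you would adjust for your own domain.

```powershell
# Added example: list the SPNs registered on the two CRM app pool accounts and
# flag any SPN that appears on both, which is the duplicate-SPN condition the
# answer says to clean up first. Account names are taken from the question.
$accounts = @(
    'DOMAIN\svc_CrmAppPoolAccount',
    'DOMAIN\svc_CrmDeploymentServiceAppPoolAccount'
)

# Parse "setspn -L" output: the first line names the account, the following
# indented lines are the SPNs (e.g. "        HTTP/crm.domain.com").
function Get-RegisteredSpn {
    param([string]$Account)
    $lines = & setspn.exe -L $Account 2>&1
    $lines |
        Where-Object { "$_" -match '^\s+\S+/\S+' } |
        ForEach-Object { "$_".Trim() }
}

$spnByAccount = @{}
foreach ($acct in $accounts) {
    $spnByAccount[$acct] = @(Get-RegisteredSpn -Account $acct)
    Write-Host "SPNs on ${acct}:"
    $spnByAccount[$acct] | ForEach-Object { Write-Host "  $_" }
}

# An SPN registered on more than one account makes ticket requests for that
# SPN ambiguous: Kerberos then fails for that service and clients fall back to
# NTLM (or, as in the question, log-on fails outright). SPNs are compared
# case-insensitively, which is how Active Directory treats them.
$dupes = $spnByAccount.Values |
    ForEach-Object { $_ } |
    Group-Object { $_.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

if ($dupes) {
    Write-Warning 'Duplicate SPNs found; remove the wrong one with: setspn -D <SPN> <account>'
    $dupes | ForEach-Object { Write-Warning "  $($_.Name)" }
} else {
    Write-Host 'No SPN is registered on more than one of these accounts.'
}

# Forest-wide duplicate search, independent of the two accounts above.
& setspn.exe -X
```

Run it from an elevated prompt on a domain-joined machine; only setspn -D actually changes anything, and the script never calls it.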

All replies

  • Thanks a bunch!
    Listen carefully, I will say this only once.
    Friday, April 1, 2011 3:22 PM
  • I finally found the underlying reason I couldn't get it all to work. If you use IIS 7 and Kernel Mode Authentication (which is enabled by default), you should NOT register SPNs for your application pool accounts at all. So either disable Kernel Mode Authentication and register SPNs for your service accounts, OR leave Kernel Mode Authentication enabled and don't bother with the SPNs.

    There's a nice write-up over here:

    http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

     

    Regards,

    Wesley


    Listen carefully, I will say this only once.
    Tuesday, April 5, 2011 10:28 AM
  • Try this, it works for me :)

    See this

    http://social.msdn.microsoft.com/Forums/en/crm/thread/995cf557-ae16-4379-8f9d-d6cd64295ba4

    C:\Windows\System32\inetsrv\config

    <security>
        <authentication>
            <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                <providers>
                    <clear />
                    <add value="Negotiate" />
                    <add value="NTLM" />
                </providers>
                <extendedProtection tokenChecking="None" />
            </windowsAuthentication>
            <anonymousAuthentication enabled="true" />
            <digestAuthentication enabled="false" />
            <basicAuthentication enabled="false" />
        </authentication>
    </security>

    • Proposed as answer by Ursa Pangos Thursday, April 14, 2011 11:27 AM
    Thursday, April 14, 2011 11:27 AM