SPN & Kerberos Error

  • Question

  • I have two servers, SBS 2008 running ADFS and Server 2008 Std running SQL/CRM. When setting up CRM I used one user (CRMSandbox) for the Sandbox services and another one (CRMAdmin) for the other services. I am now getting the following event in the Event Viewer:

    Event 3, Security-Kerberos
    A Kerberos Error Message was received: on logon session
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Server Realm: [domain].local
    Server Name: HTTP/[SbsComputerName].[domain].local
    Target Name: HTTP/[SbsComputerName].[domain].local@[domain].local

    Here is how I set up the users:

    * In SBS Console create two users CRMAdmin & CRMSandbox. User role = Network Admin
       -> In AD these users can be found in [domain].local -> MyBusiness -> Users -> SBSUsers
    * setspn -A HTTP/[SbsComputerName] [Domain]\CRMAdmin
       setspn -A HTTP/[SbsComputerName].[Domain].local [Domain]\CRMAdmin
       setspn -A HTTP/[SbsComputerName] [Domain]\CRMSandbox
       setspn -A HTTP/[SbsComputerName].[Domain].local [Domain]\CRMSandbox
    * Go to AD -> [domain].local -> MyBusiness -> Users -> SBSUsers. For both users
       Under tab "Delegation" select "Trust this user for delegation to any service"
    * Go to AD -> [Domain].local -> MyBusiness -> Computers -> SBSServers -> [CrmServer]
       Under "Delegation" select "Trust this user for delegation to any service"

    Any help is appreciated.

    Monday, May 14, 2012 4:59 PM

All replies

  • Hi hfaun,

    Did you restart the CRM server and AD FS services after setting the SPNs?

    Regards,
    Damian Sinay

    Monday, May 14, 2012 5:12 PM
  • I did reboot. As seen from the command listed previously, I use the same inputs for both CRMAdmin and CRMSandbox. I wonder if that is the issue. setspn -X gives me:

    HTTP/[SbsComputerName].[Domain].local is registered on these accounts
      CN=CRM Sandbox,OU=SBSUsers,OU=Users=OU=MyBusiness,DC=[domain],DC=local
      CN=CRM Admin,OU=SBSUsers,OU=Users=OU=MyBusiness,DC=[domain],DC=local

    HTTP/[SbsComputerName] is registered on these accounts
      CN=CRM Sandbox,OU=SBSUsers,OU=Users=OU=MyBusiness,DC=[domain],DC=local
      CN=CRM Admin,OU=SBSUsers,OU=Users=OU=MyBusiness,DC=[domain],DC=local

    found 2 groups of duplicate SPNs

    So if I can't use the same arguments for both users (CRMAdmin & CRMSandbox) then what do I need to use for each of them?

    Monday, May 14, 2012 6:07 PM
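
Added example, not part of the thread: a Python parser for the `setspn -X` report format quoted in the post above, listing which accounts share which SPN so that duplicate registrations can be audited. The function names (`parse_setspn_x`, `accounts_in_conflict`) are hypothetical, and the host, domain and sample report are constructed placeholders.

```python
import re

# Constructed sample in the format of the `setspn -X` report quoted above
# (host, domain and account names are placeholders, not values from the thread).
SAMPLE_REPORT = """\
HTTP/sbs01.example.local is registered on these accounts
  CN=CRM Sandbox,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local
  CN=CRM Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local

HTTP/sbs01 is registered on these accounts
  CN=CRM Sandbox,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local
  CN=CRM Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local

found 2 groups of duplicate SPNs
"""

HEADER = re.compile(r"^(\S+) is registered on these accounts:?$")
SUMMARY = re.compile(r"^found (\d+) groups? of duplicate SPNs", re.IGNORECASE)


def parse_setspn_x(report):
    """Return ({spn: [account DN, ...]}, group count stated by the report or None)."""
    groups, current, reported = {}, None, None
    for raw in report.splitlines():
        line = raw.strip()
        header, summary = HEADER.match(line), SUMMARY.match(line)
        if header:
            current = groups.setdefault(header.group(1), [])
        elif summary:
            reported, current = int(summary.group(1)), None
        elif not line:
            current = None  # a blank line ends the current group
        elif current is not None and "=" in line:
            current.append(line)  # an account distinguished name
    return groups, reported


def accounts_in_conflict(groups):
    """Map each account CN to the SPNs it shares with at least one other account."""
    conflicts = {}
    for spn, dns in groups.items():
        if len(set(dns)) < 2:
            continue  # registered on a single account: no conflict
        for dn in dns:
            # First RDN of the DN; the split skips commas escaped as "\,".
            cn = re.split(r"(?<!\\),", dn, maxsplit=1)[0].split("=", 1)[1]
            conflicts.setdefault(cn, []).append(spn)
    return conflicts
```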