CRM 2011 kerberos authentication and kernel mode

  • Question

  • Hello All,

    For a project we are trying to setup kerberos for a CRM 2011/SharePoint 2010 environment. We need to do this because SharePoint is integrated with CRM and we want to have a fluent authentication between these systems.

    I'm not yet talking about SharePoint; first I want to properly configure CRM 2011. I tried to enable "Negotiate: Kerberos" as the authentication provider for the CRM site, but then I got the error:

    The following Negotiable 2 based providers cannot be used when kernel mode authentication is enabled. Turn off kernel
    mode authentication in order to use these providers: "Negotiate:kerberos"

    I presume I have to disable kernel mode for the site, but does this mean I need to set the SPN's manually for the web application used by CRM? I thought kernel mode was invented to ease the process of setting SPN's manually. Why can't it be used with kerberos negotiation?

    KR

    Sven

    Wednesday, April 18, 2012 8:47 AM

All replies

  • Hi Sven,

    for enabling Kerberos in CRM, you need to set the SPN and you need to modify the config file as shown below (this is from the CRM configuration manual); this should be enough and CRM should work without disabling kernel mode.

    C:\Windows\System32\inetsrv\config

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

    http://social.msdn.microsoft.com/Forums/en-US/crmdeployment/thread/1d1f43b1-9b88-4cce-820b-6e9fe28c833a

    And according to the above post, I guess kernel mode just "eases up management": you register the SPN for the computer account instead of for each individual service account. But you still need to register it. I'm not sure CRM will work (according to the configuration manual, the above adjustments are needed).

    "Register every SPN for each application hosted webserver under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in"

    http://www.adopenstatic.com/cs/blogs/ken/archive/2008/02/12/16189.aspx

    Regards,


    • Edited by Ursa Pangos Wednesday, April 18, 2012 10:32 AM
    Wednesday, April 18, 2012 10:10 AM
  • Thanks Ursa,

    I have some issues though...

    - I've set UseAppPoolCredentials to true

    - I've set the two SPN's for my apppool account

    Registered ServicePrincipalNames for CN=XRM AppPool,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local:
            http://CRM-SERVER.LRM.LOCAL
            http://CRM-SERVER

    However, when I try to go to the CRM2011 URL, I get a prompt asking for my credentials. If I disable useAppPoolCredentials it does seem to work, I presume it goes via NTLM then.

    Do I need to set something regarding to trust delegation in AD?

    //EDIT

    Also when I try to set the SPN for a different account (async service account), I get this message:

    C:\Users\Administrator>setspn -s http://CRM-SERVER "LRM\sa_xrm_asyncservice"

    Checking domain DC=lrm,DC=local
    CN=XRM AppPool,OU=CRM 2011,OU=Service Accounts,OU=LRM,DC=lrm,DC=local
            http://CRM-SERVER.LRM.LOCAL
            http://CRM-SERVER

    Duplicate SPN found, aborting operation!

    Wednesday, April 18, 2012 12:28 PM
  • Hi Sven,

    if you have registered SPN correctly with assigned service account like

    setspn -A http/CRM-SERVER.LRM.LOCAL "LRM.LOCAL\service_account"

    setspn -A http/CRM-SERVER "LRM.LOCAL\service_account"

    and you gave the above service account permission to delegate the Kerberos service (in AD), then it should work.

    If it is asking you for credentials and they work when you enter them, then it is probably just Internet security settings.

    Have you put your link (http/CRM-SERVER) in Local Intranet sites in Internet Explorer? Also security for Local Intranet should be adjusted > Custom Level > Automatically logon only in Intranet zones.

    Regards

    Wednesday, April 18, 2012 12:39 PM
  • Hi, 

    Currently doing some tests, now it seems to work with or without the SPN set for that account. Probably because it's falling back to NTLM?

    1) How do I set permission to delegate on the service account? //EDIT: I see the Delegation tab shows up once the SPN is set!

    2) How do I know whether authentication is over NTLM or Kerberos?

    Thanks a lot!!!!


    Wednesday, April 18, 2012 12:55 PM
  • Hi Sven,

    Check that you don't have duplicate SPNs; these will cause authentication issues. See if the following article helps you with your queries:

    http://quantusdynamics.blogspot.co.uk/2011/12/extreme-performance-with-dynamics-crm.html

    Regards

    Nuno


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Wednesday, April 18, 2012 1:24 PM
    Answerer
  • I think there is still something wrong...

    Looking with Fiddler, I see a 401 (HTTP/1.1 401 Unauthorized) twice

    First:

    No Proxy-Authenticate Header is present.

    WWW-Authenticate Header is present: Negotiate

    WWW-Authenticate Header is present: NTLM

    Second:

    Authorization: Negotiate YIGBBgYrBgEFBQKgdzB1oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQQQ/TlRMTVNTUAABAAAAl7II4gwADAAzAAAACwALACgAAAAGAbEdAAAAD1NSVi1DUk0tREVWQ0VHRUtBQ1JNREVW

    (Looks like Kerberos)

    Then I get a 200 HTTP/1.1 200 OK

    Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=

    In the Auth tab I see:

    Authorization Header (Negotiate) appears to contain a Kerberos ticket:...

    Strange thing is that I see the same behavior on a system where I have done NO kerberos config at all :/

    Wednesday, April 18, 2012 2:03 PM
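To answer the earlier question "How do I know whether authentication is over NTLM or Kerberos?" from the capture above, here is an added example (my own code, not from any post in this thread) that decodes the two Negotiate values pasted from Fiddler. SPNEGO lists the mechanisms the client is willing to use, in preference order, and carries the first mechanism's token inline, so the inner mechToken, not the "Negotiate" header name, tells you which protocol was actually used. The parser is a minimal hand-written DER reader using only the standard library; the OID table is the standard mechanism set, and the function names are mine.

```python
"""Decode an HTTP 'Authorization: Negotiate <base64>' value and report which
mechanism (Kerberos or NTLM) is actually inside the SPNEGO wrapper.

Added example for this thread, not code from the original posts. The two
token strings are the ones pasted from Fiddler in the thread; the parser and
its function names are our own (hand-rolled DER reader, standard library only).
"""
import base64

# Well-known GSS-API / SPNEGO mechanism OIDs
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLM_MSG = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Tokens from the thread: the client's second request and the server's 200 reply
CLIENT_TOKEN = ("YIGBBgYrBgEFBQKgdzB1oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQQQ/"
                "TlRMTVNTUAABAAAAl7II4gwADAAzAAAACwALACgAAAAGAbEdAAAAD1NSVi1DUk0tREVWQ0VHRUtBQ1JNREVW")
SERVER_TOKEN = "oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA="


def _tlv(buf, pos=0):
    """Read one DER tag/length/value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value


def _oid(value):
    """Decode DER OID contents to dotted form, mapped to a mechanism name when known."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)


def _inner_token(tok):
    """Classify the mechToken: an NTLMSSP message, or a Kerberos InitialContextToken."""
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP", NTLM_MSG.get(int.from_bytes(tok[8:12], "little"), "?")
    if tok[:1] == b"\x60":                  # GSS-API wrapper around a Kerberos AP-REQ
        tag, oid, _ = _tlv(_tlv(tok)[1])
        if tag == 0x06:
            return _oid(oid), "AP-REQ"
    return "unknown", "?"


def analyze_negotiate(b64):
    """Return a dict describing a client NegTokenInit or a server NegTokenResp."""
    tag, body, _ = _tlv(base64.b64decode(b64))
    if tag == 0x60:                         # client side: InitialContextToken
        _, oid, pos = _tlv(body)
        wrapper = _oid(oid)
        if wrapper != "SPNEGO":             # bare Kerberos token, no SPNEGO at all
            return {"kind": "init", "mechanisms": [wrapper], "mech_token": (wrapper, "AP-REQ")}
        _, seq, _ = _tlv(_tlv(body, pos)[1])           # [0] NegTokenInit -> SEQUENCE
        out = {"kind": "init", "mechanisms": [], "mech_token": None}
        for ctag, cval in _children(seq):
            if ctag == 0xA0:                # mechTypes, in the client's preference order
                out["mechanisms"] = [_oid(v) for _, v in _children(_tlv(cval)[1])]
            elif ctag == 0xA2:              # mechToken belongs to the FIRST listed mechanism
                out["mech_token"] = _inner_token(_tlv(cval)[1])
        return out
    if tag == 0xA1:                         # server side: NegTokenResp
        out = {"kind": "resp", "neg_state": None, "supported_mech": None, "has_mic": False}
        for ctag, cval in _children(_tlv(body)[1]):
            if ctag == 0xA0:
                out["neg_state"] = NEG_STATE.get(_tlv(cval)[1][0], "?")
            elif ctag == 0xA1:
                out["supported_mech"] = _oid(_tlv(cval)[1])
            elif ctag == 0xA3:              # mechListMIC
                out["has_mic"] = True
        return out
    return {"kind": "unknown", "tag": tag}


def verdict(b64):
    """'Kerberos' or 'NTLM' for a client token, based on what the mechToken carries."""
    mech = (analyze_negotiate(b64).get("mech_token") or ("unknown",))[0]
    return {"KRB5": "Kerberos", "MS-KRB5": "Kerberos", "NTLMSSP": "NTLM"}.get(mech, "unknown")


if __name__ == "__main__":
    print(analyze_negotiate(CLIENT_TOKEN), "->", verdict(CLIENT_TOKEN))
    print(analyze_negotiate(SERVER_TOKEN))
```

Run against the thread's two values, the decoder reports the client's mechanism list as NTLMSSP, MS-KRB5, KRB5, NEGOEX with an NTLMSSP NEGOTIATE message as the inline token, and the 200 reply as accept-completed carrying only a mechListMIC. That is the shape of an NTLM exchange inside the Negotiate wrapper (the "401, 401, 200" sequence is the NTLM challenge-response), which also fits the observation that a box with no Kerberos configuration behaves identically. A Kerberos-backed request lists MS-KRB5 or KRB5 first and carries an AP-REQ as the mechToken, and the server's 200 then normally includes an AP-REP as responseToken. When the decoder says NTLM, the two things to check are `setspn -X` on the domain for duplicate SPNs and `klist` on the client for a ticket to the HTTP/ SPN of the CRM host.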
  • Sven that looks good, you have a kerberos ticket there.

    Do you still get the prompt for authentication, or does it log you in automatically?

    Btw, when you use network service accounts, these have SPNs configured by default, so even for applications where you may not have configured SPNs etc., if you are using network service accounts this will automatically work. AD delegation is needed when you use domain accounts and multiple hops to reach the data; if you use one single box to host all the components you will not need delegation.


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Wednesday, April 18, 2012 2:37 PM
    Answerer
    Yes, it's just strange that I get 401 twice without any login prompt and then a 200.

    Now SharePoint will follow and then I'll see if the double hop problem is solved.


    Thanks

    Wednesday, April 18, 2012 2:47 PM
  • Hi Sven,

    I don't know how far you got with the solution, but to reply to your question: where to set permission for delegation.

    You have to find the object in AD (service account or computer account), and you'll see an additional tab in that object's properties > Delegation; then you select Trust this computer for delegation to specified services only > Use Kerberos only.

    This needs to be done for the service account under which you have registered the SPN; if it's not a network service account, then you don't need this step.

    Regards

    Thursday, April 19, 2012 7:30 AM
  • My WinXP clients would not authenticate to the CRM server at all after I set SPNs for the CRM app service account - kept getting 401 errors.

    In my case the resolution was to also add SPNs for the CRM sandbox account.

    Tuesday, April 24, 2012 11:14 PM