A question about SPN's

  • Question

  • As far as I know, when CRM is installed on multiple servers and you are using a domain account to run the CRMAppPool, this domain account would need to have SPNs registered under it with the server name, for example HTTP/server and HTTP/server.domain.dev for the account domain.dev\CRMService. So far so good.

    What I have noticed is:

    a. When you do create those SPNs you need to follow this article: http://support.microsoft.com/kb/2536453 - if you don't, you'll just get a 401. Makes sense.

    b. But if you do not create SPNs and don't apply the above article, CRM WILL work even with the CRMAppPool running under the domain account.

    Now this account will be a part of the SQLAccessGroup in the CRM OU in Active Directory, which has permissions over the CRM database.

    My question is: how are we able to access CRM without those SPNs if there is Kerberos double hopping (Client -> CRM -> SQL)? As far as I know Kerberos authentication should be dropped without proper SPNs, but it does work in this scenario. Does this have anything to do with the fact that the SQL authentication is with the SQLAccessGroup and not the account itself? (Although I don't see the difference...)

    Would be happy to get a proper explanation for this. Thanks.

    Wednesday, April 2, 2014 11:01 AM
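As an added example (not part of the original post), the following PowerShell check verifies the state the poster describes: whether the SPNs HTTP/server and HTTP/server.domain.dev are registered on the CRMService account, and whether any other directory object holds the same SPN. It assumes the ActiveDirectory module (RSAT) is available and that the account and SPN names from the post apply; adjust them for your environment.

```powershell
# Added example, not from the original post. Checks that the expected SPNs
# are registered on the CRM service account and that no other object in the
# directory holds the same SPN. A duplicate SPN makes the name ambiguous for
# the KDC and breaks Kerberos for that service, which is one of the first
# things to rule out when investigating 401s or silent NTLM fallback.
Import-Module ActiveDirectory

# Names taken from the post; assumed, adjust for your environment.
$account  = 'CRMService'                       # domain.dev\CRMService
$expected = @('HTTP/server', 'HTTP/server.domain.dev')

$user       = Get-ADUser -Identity $account -Properties servicePrincipalName
$registered = @($user.servicePrincipalName)

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK        $spn is registered on $account"
    } else {
        Write-Output "MISSING   $spn is not registered on $account"
    }

    # Any other object (user or computer) with the same SPN is a duplicate.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
               Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    foreach ($h in $holders) {
        Write-Output "DUPLICATE $spn is also registered on $($h.DistinguishedName)"
    }
}
```

The same two checks can be done interactively with `setspn -L CRMService` and `setspn -Q HTTP/server`; the script form is useful when validating several CRM front-end servers at once.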