locked
Properly configuring SPN's for CrmAppPool. RRS feed

  • Question

  • I've been reading guides on how to use domain accounts instead of networkservice to run the IIS CrmAppPool group. Few quick questions:

    1. If I have multiple servers running CRM, can I use the same account for all of them and just keep adding the proper SPN's to it?
    2. I understand that the domain account needs to be added to the PrivUserGroup and SqlAccessGroup under active directory for each install of CRM, but does it need to be placed in the other groups? (ReportingGroup, UserGroup, PrivReportingGroup)
    3. Does using a domain account to run CrmAppPool work fine with NTLM security, or does it require kerberos?
    4. Finally, when I check the SPN's of the machine running CRM, I get back: HOST/CRMSERVER and HOST/CRMSERVER.FQDN. Most of the guides talk about adding HTTP/CRMSERVER. Is this because i'm not looking at networkservice of that machine? How do I check spn's of accounts on machines (is that possible?)

    Thanks in advance for any of the answers.

    Thursday, April 29, 2010 3:28 PM

Answers

  • 1. Yes

    2. If this account is crm admin just add it to PrivUserGroup and SqlAccessGroup

    3. CRMAppPool should work in both modes

    4. SETSPN /l SERVERNAME will list all SPNs. If you can´t find DOMAIN/USER there´s no SPN for that.


    Gruß Carsten Groth http://carstengroth.spaces.live.com
    • Marked as answer by nickpeterson Thursday, April 29, 2010 5:09 PM
    Thursday, April 29, 2010 5:02 PM

All replies

  • 1. Yes

    2. If this account is crm admin just add it to PrivUserGroup and SqlAccessGroup

    3. CRMAppPool should work in both modes

    4. SETSPN /l SERVERNAME will list all SPNs. If you can´t find DOMAIN/USER there´s no SPN for that.


    Gruß Carsten Groth http://carstengroth.spaces.live.com
    • Marked as answer by nickpeterson Thursday, April 29, 2010 5:09 PM
    Thursday, April 29, 2010 5:02 PM
  • Thankyou so much, it's great when you come up with a list of questions you're 85% sure of and someone else confirms all of them. Thanks again.
    Thursday, April 29, 2010 5:09 PM