Strange authentication / SPN issue

  • Question

  • Hi

    We have a live Crm environment with two application servers, a single async server and separate servers for the database and reporting services. The CrmAppPool is running under a domain service account, and the appropriate SPNs are set up i.e. http/<machinename> <domain>/<domain service account>. All pretty standard and all running perfectly.

    We are now adding two new application servers. We have installed Crm initially to run under the machine account and we could access the site without issue. We then updated the CrmAppPool to run under the domain service account. This is where things get strange.

    • when changed to run under the domain service account, the site is accessible via the machine name even though there is no SPN set for that machine
    • when we set an SPN for the machine the site is no longer available via machine name (classic double hop issue - three prompts for credentials then a 401)

    We have checked for duplicate SPNs and there don't appear to be any. When we delete the SPN the site is again available via the machine name. What's going on here? Our understanding was that if the app pool is running under a domain service account then an SPN must be set. Any insight greatly received!

    CRM 4.0, Windows Server 2008 64 bit

    Regards,

    Gareth

    Sunday, May 8, 2011 7:59 AM

Answers

  • Khaja, thanks for the reply, which certainly set me on the right track.

    In fact it's not necessary to disable Kernel-mode authentication (which may impact performance). The alternative is to set the useApplicationPoolCredentials attribute on the windowsAuthentication element to True. This can either be done directly in the applicationHost.config file or using IIS manager (expand to the Crm web site, click on Configuration Editor, navigate to the Security section of the applicationHost.config and update useApplicationPoolCredentials to True).

    Also, when running with Kernel-mode authentication enabled, it's not in fact necessary to configure SPNs for the domain service account that the app pool is running under; it's enough to have the (default) SPNs for the IIS machine account.

    For further details see the following:

    I have removed the domain-account SPNs and enabled useApplicationPoolCredentials and everything is now working perfectly.

    Regards,

    Gareth



    • Marked as answer by RiGiD Monday, May 9, 2011 2:37 PM
    • Edited by RiGiD Monday, May 9, 2011 3:10 PM Update
    Monday, May 9, 2011 2:37 PM
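    The configuration change described in the answer above, as an added example that is not part of the thread: it keeps kernel-mode authentication on, turns on app-pool credentials for the CRM site with appcmd, and then checks SPN registration with setspn. Assumptions: the site is named "Microsoft Dynamics CRM" (as in the reply below), the service account name is a placeholder, and in the applicationHost.config schema the attribute the post calls useApplicationPoolCredentials is spelled useAppPoolCredentials.

```powershell
# Added example, not from the thread. Run elevated on the new CRM application server.
$siteName   = 'Microsoft Dynamics CRM'          # CRM web site name (assumed)
$svcAccount = 'CONTOSO\crmsvc'                  # placeholder for the domain service account
$appcmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Record the current windowsAuthentication settings before touching anything.
& $appcmd list config $siteName /section:windowsAuthentication

# Keep useKernelMode=true (no performance hit from disabling kernel mode) and set
# useAppPoolCredentials=true so http.sys decrypts Kerberos service tickets with the
# app pool account's key rather than the machine account's. With kernel mode on and
# this attribute off, a ticket issued for an HTTP/<host> SPN held by the domain
# account cannot be decrypted by the machine account, which is the 401 loop seen
# in the question. /commit:apphost writes the change into applicationHost.config.
& $appcmd set config $siteName /section:windowsAuthentication `
    /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

# Show the result so the change is visible in the change record.
& $appcmd list config $siteName /section:windowsAuthentication

# SPN hygiene: the HTTP/<host> SPNs must be held by exactly one account, the one
# whose key http.sys now uses. Duplicates anywhere in the forest break Kerberos.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
setspn -L $svcAccount                           # SPNs currently on the service account
setspn -Q "HTTP/$fqdn"                          # which account(s) hold this host's HTTP SPN
setspn -Q "HTTP/$env:COMPUTERNAME"              # short-name form browsers use on the LAN
setspn -X                                       # report duplicate SPNs forest-wide

# Restart IIS so http.sys picks up the new authentication settings.
iisreset
```

    If setspn -Q reports the HTTP SPN on more than one account, or on none, fix that before retesting; the site will keep prompting three times and returning 401 until the ticket can be decrypted by the identity IIS actually uses.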

All replies

  • Go to IIS Manager->Sites->Microsoft Dynamics CRM->Authentication->Windows Authentication->Advanced Settings->Uncheck Enable Kernel Authentication

    do iisreset

    access the CRM.


    Regards,


    Khaja Mohiddin
    Monday, May 9, 2011 10:18 AM