locked
CRM & SSRS on same server and SPN question RRS feed

  • Question

  • We have a 4 server CRM web farm. all 4 servers have CRM web, sandbox, deployment services on them. 2 servers also have SSRS and the data extensions.  Users go to subdomain.domain.com for CRM and we have SSRS_subdomain.domain.com for the reports. We set up SPNs for the CRM friendly and the SSRS friendly but we can only set up the servernames for SPN's using the CRM service account. We cannot set up SPN's for the server names under the SSRS account since they are already registered for the CRM app pool account. We are not using claims or IFD.

    Peformance for the app is not an issue. SSRS reports are not used very frequently and the SSRS service has very little impact on CPU or memory.

    Is there an authentication reason we need to move SSRS off the CRM farm? I am particulary interested in the SPN issue and want to find out from an architectural standpoint if it is needed to have SPN's set up for the server names and the SSRS acounts as well as the friendly's for SSRS.

    We are not having issues now but want to determine if this might cause an issue should we deploy any reports that include data from other sources that the data extensions do not cover.
    Saturday, June 1, 2013 9:04 PM

All replies

  • Hi,

    Provided you are using SSRS via Crm with the reporting services connector, you don't

    need to set SPNs for the SSRS servers since the impersonation is handled without kerberos.

    hth


    Scott Durow
    Blog: www.develop1.net    Follow Me
    Rockstar365  Profile
    If this post answers your question, please click "Mark As Answer" on the post and "Mark as Helpful"

    Sunday, June 2, 2013 9:39 PM
    Answerer
  • Hi,

    You shouldn't use the same service account on SSRS and CRM App, is not recommended.

    when you set up a different account for SSRS then you will need to set SPNs:

    • HTTP/SSRS subdomain
    • HTTP/SSRS servernames


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Monday, June 3, 2013 8:03 AM
    Answerer
  • Thank you for your reply. We are not using the same account for SSRS and CRM. This is why we cannot set the SPN for SSRS for the machine name. The machine names already have SPN's registered to the CRM App pool account. We do have the friendly name registered of the SSRS VIP registered using the SSRS service account.

    Thanks again for the reply.

    Monday, June 3, 2013 11:50 AM
  • Thank you. I did not think we did but trying to rule out any potential future architectural issues.
    Monday, June 3, 2013 11:51 AM
  • okay. in that case the subdomain for SSRS should work fine for you.


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Monday, June 3, 2013 1:15 PM
    Answerer