Duplicate SPNs required for IFD deployment

  • Question

  • We're using CRM 2011 with the IFD setup. We have a couple CRM deployments (production and dev) using the same ADFS server.

    We're getting the following error on our domain controller:

    The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/adfs.missionlinen.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for HTTP/adfs.missionlinen.com in Active Directory.

    I ran the command "setspn -X" to show the duplicate SPNs with the following output:

    http/adfs is registered on these accounts:
            CN=crm application service,OU=Service Accounts,OU=Domain Infrastructure,DC=missionlinen,DC=com
            CN=CRMPRD,CN=Computers,DC=missionlinen,DC=com

    http/adfs.missionlinen.com is registered on these accounts:
            CN=crm application service,OU=Service Accounts,OU=Domain Infrastructure,DC=missionlinen,DC=com
            CN=CRMPRD,CN=Computers,DC=missionlinen,DC=com

    ADFS is our ADFS 2.0 server

    "crm application service" is the account identity of the IIS CRMAppPool on the CRM server

    CRMPRD is the server where CRM is running

    Ideally we'd like to use the "crm application service" account since we have a dev and qa crm server using the same ADFS server. However, if I remove either entry, CRM authentication fails. It only seems to work with the duplicate SPNs.

    I've gone through the procedure to edit the applicationhost.config file from http://support.microsoft.com/kb/2536453 to enable kernel mode authentication but use the CRMAppPool domain account for Kerberos authentication. This did not work.

    It can't be right that CRM authentication only works with duplicate SPN entries for the adfs server. Is there anything else we should be checking? 

    Tuesday, February 14, 2012 12:42 AM

Answers

  • Remove the duplicate SPNs from your computer account CRMPRD and set all SPNs on the service account on which CRM apppool is running.

    Apart from the SPNs Matt has mentioned above, also add the SPNs for the ADFS URL as well as the CRM internal URL on the CRM app pool account. Make sure your ADFS service is running on the same account as the CRM app pool; only then add the ADFS SPN on the CRM app pool account, or else add it on the account on which the ADFS service is running.

    IMPORTANT:-

    Instead of manually editing the applicationHost.config file of IIS, please do the following once again:-

    On CRM server open command prompt

    Navigate to %windir%\system32\inetsrv

    Type appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true


    Arpita

    • Marked as answer by DavePa Thursday, February 23, 2012 5:49 PM
    Sunday, February 19, 2012 8:14 PM
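    The procedure in the accepted answer, as an added worked example in PowerShell (this is not code from the thread or from Microsoft): find every SPN registered on more than one object (what setspn -X reports), move each SPN onto the single account the service actually runs as, and then set useAppPoolCredentials with appcmd. It assumes the ActiveDirectory RSAT module, rights to write servicePrincipalName on the affected objects, and the names from the thread; the sAMAccountName crmappsvc for the "crm application service" account is a hypothetical placeholder, since the thread only gives its CN.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory
# module and SPN write rights. Run the appcmd step on the CRM server itself.
Import-Module ActiveDirectory

# 1. Equivalent of "setspn -X": every SPN held by more than one AD object.
#    Group-Object compares case-insensitively, matching how the KDC treats SPNs
#    (setspn -X lists "http/adfs" for the "HTTP/adfs" in the event log).
function Get-DuplicateSpn {
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Holder = $dn }
            }
        } |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Holders = @($_.Group.Holder) }
        }
}

# 2. Register an SPN on exactly one account: the identity the service runs as
#    (a domain account for a domain-account app pool, the computer account when
#    the service runs as Network Service). Every other holder is cleaned up first,
#    so the KDC no longer has two candidate keys for the same name.
function Move-Spn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$TargetSamAccountName   # e.g. 'adfs$' or 'crmappsvc'
    )
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$TargetSamAccountName)" `
                           -Properties servicePrincipalName
    if (-not $target) { throw "Account '$TargetSamAccountName' not found" }

    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Where-Object { $_.DistinguishedName -ne $target.DistinguishedName } |
        ForEach-Object {
            Write-Host "Removing $Spn from $($_.DistinguishedName)"
            Set-ADObject -Identity $_ -Remove @{ servicePrincipalName = $Spn }
        }

    # -notcontains is case-insensitive, so an existing "http/..." entry is kept as-is.
    if ($target.servicePrincipalName -notcontains $Spn) {
        Write-Host "Adding $Spn to $($target.DistinguishedName)"
        Set-ADObject -Identity $target -Add @{ servicePrincipalName = $Spn }
    }
}

# 3. IIS on the CRM server: keep kernel-mode authentication, but have it decrypt
#    tickets with the app pool account's key instead of the machine account's,
#    so tickets issued for SPNs held by the service account validate.
function Set-CrmAppPoolKerberos {
    $appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    $section = 'system.webServer/security/authentication/windowsAuthentication'
    & $appcmd set config "-section:$section" -useKernelMode:true -useAppPoolCredentials:true
    & $appcmd list config "-section:$section"   # show the resulting settings
}

# Usage with the thread's names (placeholders marked). AD FS runs as Network
# Service in the thread, so its SPNs belong on the ADFS computer account.
Get-DuplicateSpn | Format-Table -AutoSize
Move-Spn -Spn 'HTTP/adfs.missionlinen.com'   -TargetSamAccountName 'adfs$'
Move-Spn -Spn 'HTTP/adfs'                    -TargetSamAccountName 'adfs$'
Move-Spn -Spn 'HTTP/crmprd.missionlinen.com' -TargetSamAccountName 'crmappsvc'  # hypothetical name
Move-Spn -Spn 'HTTP/crmprd'                  -TargetSamAccountName 'crmappsvc'  # hypothetical name
Set-CrmAppPoolKerberos
# On a client, "klist purge" and reopen the site so a fresh ticket is requested;
# the KDC duplicate-name event should no longer be logged on the DC.
```

    Move-Spn removes before it adds, which is the order that matters: setspn -A will happily create a second copy, and from that moment the KDC cannot pick a key, which is the failure mode in the question. On newer setspn builds, setspn -S performs the same duplicate check before adding.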

All replies

  • I think you have misconfigured the SPNs (and it is weird that this even works). SPNs should be set for the hostname the service runs on, not the AD server. You should need the following 3 SPNs based on your environment.

    Where "svc account" is your service account and fqdn is your fully qualified domain name.

    setspn -a http/CRMPRD "svc account"

    setspn -a http/CRMPRD.fqdn "svc account"

    setspn -a HOST/CRMPRD "svc account"

    setspn -a HOST/CRMPRD.fqdn "svc account"

    Mind you, the fqdn versions of these need to be the URL that the client is using to access the site. So if your host is CRMPRD but users use http://foo.fqdn.com then you need to have http/host definitions for http://foo.fqdn.com and not CRMPRD.

    Or am I missing what you are asking? 


    If this post was helpful please mark it as helpful, if it solved your problem please mark it as answered.
    Visit my Blog: http://matthewchurilla.blogspot.com/

    Tuesday, February 14, 2012 4:36 PM
  • I removed the duplicate SPNs for http/adfs & http/adfs.missionlinen.com and added the following SPNs:

    setspn -a http/adfs.missionlinen.com adfs$

    setspn -a http/adfs adfs$

    I used the ADFS machine account since the adfs service is running as a network service. I also ran the appcmd.exe above on both the production and dev crm servers.

    Everything seems to be working fine. Thanks.

    Thursday, February 23, 2012 5:53 PM
  • Hey, I think I have something similar, but I have two CRM servers working with the same database. I installed ADFS on each of them and configured both of them to work with IFD.

    So I have duplicate SPN URLs, one for each of them.

    If I change the account running the CRMAppPool and the account running the ADFS service to a domain account, should it work fine?

    Wednesday, June 26, 2013 6:55 AM