Blog Post: CRM 2011 – SPN for service account not working


I had set up CRM 2011 to run using a service account, as good practice recommends (well, actually you are meant to have separate accounts to run the different services, I think).

I had set up the service account, but when I tried to call CRM from a machine other than the CRM server I was getting authentication problems.

This was driving me up the wall. I read this very useful page, which describes several different scenarios and setups, and I was sure I had done everything:

http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

The main instructions are these:

1. Determine the SPNs that are registered under the current application pool account. The current account is Network Service, which is the local computer object, CRMAppServer.contoso.com. SPNs can be found with ADSI Edit or SetSPN. Below are the expected SPNs under this object that would be related to IIS. There may be additional SPNs added to the object depending on the installed services.

  • HOST/CRMAppServer
  • HOST/CRMAppServer.contoso.com
  • HTTP/CRM
  • HTTP/CRM.contoso.com

2. There are SPNs with two different service classes registered, the default HOST SPNs and the HTTP SPNs for the host header. The current HTTP SPNs will need to be removed so they can be added under the new service account. The HOST SPNs do not get removed, as these will not cause duplicates due to the unique service class. The following SPNs can be removed using ADSI Edit or SetSPN.

  • HTTP/CRM
  • HTTP/CRM.contoso.com

3. The following SPNs need to be added to the contoso\CRMService object. These are the SPNs for the server name and the host header. Additional SPNs will need to be created if other host headers are used.

  • HTTP/CRMAppServer
  • HTTP/CRMAppServer.contoso.com
  • HTTP/CRM
  • HTTP/CRM.contoso.com

So why wasn’t it working? I then read this page about setting up SPNs for IIS 7+:

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Now, the IIS I was using was IIS 6, so this wasn’t really relevant, but what I did notice was something called Enable Kernel-Mode Authentication.

You no longer need to worry about the correlation between HTTP SPNs and the Application pool Identity that was required in the earlier version i.e. IIS 6.0. But that’s not blindly true. There has been some confusion whether we don’t have to care at all about SPNs or may have to depending upon the settings. Here is a checklist to give more clarity for different scenarios that you may fall under:

SCENARIO 1a

IIS 7.0 Web Site/Application
Authentication: Integrated Windows authentication
Application Pool Identity: NETWORK SERVICE
Kernel-Mode authentication: Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
Site URL: Accessed with the NetBIOS name, like http://<myIISserver-NetBIOS-name>/Default.aspx

SPNs will be required ONLY for the IIS machine account:

  • HOST/<myIISserver-NetBIOS-name>
  • HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname>, e.g. HOST/myIISserver.mydomain.com

What struck me as odd was that if you had kernel mode on, you would only need to set up an SPN for the machine rather than for the service account. This was not the setting I wanted.

I was playing around with the SPNs and found that when I set the SPN http/<CRMServername> on the CRM server’s computer account it worked, but if I removed this and set the SPN on the service account I would get authentication errors.

To resolve the problem I went into the Microsoft Dynamics website in IIS:

1. Clicked Authentication.
2. Clicked Windows Authentication –> Advanced Settings.
3. Unticked Enable Kernel-Mode Authentication.
4. Did an IIS restart.

After that, CRM could be accessed from outside of the CRM server.

I did have to make sure the Windows authentication providers were NTLM first and then Negotiate as the second choice; this little gem I found on my own blog from a few years ago:

http://crmbusiness.wordpress.com/2011/02/01/crm-2011-repeated-credential-prompts-when-accessing-on-premise-install-of-2011/

This is also very useful for people trying to set up the Dynamics Connector, because we had to use the same service account to run the NAV web services and the CRM web services/app pool etc. So to get this working we had to use a service account.
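Putting the SPN moves from the MSDN steps above and the kernel-mode change together, here is an added PowerShell example (not from the original post, and not Microsoft's own script): it checks which account currently owns each HTTP SPN, moves any that sit on the machine account over to the service account, and turns kernel-mode authentication off on the CRM site. The names (contoso\CRMService, CRMAppServer, host header CRM, site "Microsoft Dynamics CRM") are assumed, and the useAppPoolCredentials alternative in the last comment goes beyond what the post covers.

```powershell
# Added example: audit and fix HTTP SPN ownership for a CRM 2011 app pool running as a
# domain service account, then disable kernel-mode auth on the site as the post describes.
# All names below are assumptions; change them to match your environment.
$ServiceAccount = 'contoso\CRMService'            # app pool identity (assumed)
$AccountCn      = $ServiceAccount.Split('\')[-1]  # 'CRMService', used to recognise its DN
$Server         = 'CRMAppServer'                  # CRM web server computer name (assumed)
$Domain         = 'contoso.com'
$SiteName       = 'Microsoft Dynamics CRM'        # IIS site name (assumed)

# HTTP SPNs the MSDN article expects on the service account: server name and host header.
$HttpSpns = @("HTTP/$Server", "HTTP/$Server.$Domain", 'HTTP/CRM', "HTTP/CRM.$Domain")

# setspn -Q searches the forest for an SPN; on a hit it prints the owning object's DN
# followed by "Existing SPN found!", on a miss "No such SPN found.".
function Get-SpnOwner([string]$Spn) {
    $out = setspn -Q $Spn 2>&1
    if ($out -match 'Existing SPN found') {
        return ($out | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1)
    }
    return $null
}

# 1. Audit: an HTTP SPN that is missing, or owned by anything other than the service
#    account, is exactly the Kerberos failure the post ran into.
foreach ($spn in $HttpSpns) {
    $owner = Get-SpnOwner $spn
    if (-not $owner)                          { "$spn : NOT registered" }
    elseif ($owner -notmatch "CN=$AccountCn") { "$spn : owned by $owner, expected $ServiceAccount" }
    else                                      { "$spn : OK" }
}

# 2. Fix: remove the HTTP SPNs from the computer object (HOST/ SPNs stay, as the article
#    says), then add them to the service account. -S (unlike -A) refuses to create a
#    duplicate, so anything still lingering on another object is reported, not hidden.
foreach ($spn in $HttpSpns) {
    $owner = Get-SpnOwner $spn
    if ($owner -and $owner -match "CN=$Server,") { setspn -D $spn $Server }
    setspn -S $spn $ServiceAccount
}
setspn -X   # forest-wide duplicate scan; expect "found 0 group of duplicate SPNs"

# 3. Kernel-mode auth decrypts service tickets with the machine account's key by default,
#    which is why the SPN on the service account alone did not work. Disable it (the post's fix):
& "$env:windir\system32\inetsrv\appcmd.exe" set config $SiteName `
    -section:system.webServer/security/authentication/windowsAuthentication `
    /useKernelMode:false /commit:apphost
#    Alternative not covered by the post: keep kernel mode on and add /useAppPoolCredentials:true
#    so IIS decrypts tickets with the app pool identity instead of the machine account.
iisreset
```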
Filed under: CRM 2011, Setup
