Before I go through the steps, I will not explain Kerberos technical details, because that is long subject, and you can find online many whitepapers covering kerberos authentication in detail, so I will focus only in the configuration requirements and how
Lets assume the below enterprise role-based configuration:
AD Configuration / SPNs
The first thing to do is to configure SPNs, we need to make sure we don't duplicate SPNs for the alias crm.domain.com, if we do kerberos will not work. The following command will show us if any duplicate SPN exists:
ldifde -f c:\spn_out.txt -d "DC=domain,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*/*)" -p subtree
Analyse the spn_out.txt for any duplicate/existing SPNs with the name crm.domain.com
The following SPNs are required for Kerberos to work on our above environment, and these need to be configured under the service account domain\crm.service you add SPNs using setspn command or with ADSI EDIT
We are creating SPNs for the DNS name, and all servers in the CRM farm apart from:
SQL and reporting, because the SQL account will automatically create it's own SPNs and reporting runs under the Network Service account which happens in most deployments and by default does not require SPNs, if you run under a different service account,
then you need to also add corresponding HTTP/ SPN to that service account.
with the SPN in place, we can jump to the next step IIS.IIS
CRMAppPool is running under domain\crm.service account, the first setting to make sure is enabled is the windows authentication Kernel-mode authentication, to get there, highlight the website > click authentication
> highlight Windows authentication > on the right menu click advanced settings. Note: this is normally enabled by default.
Make sure the domain you use for CRM is an
A record this case
crm.domain.com and not a CNAME record.
The second configuration is to enable the useAppPoolCredentials to true, which by default is set to false. Highlight the website and double click configuration Editor located at the Management section, below is a screenshot
of the location of the windowsAuthentication key we need to configure to enable the use of the AppPool Credentials.
double click and change UseAppPoolCredentials to
At this point if you access crm.domain.com you will be prompted for credentials. We need to add crm.domain.com to the Trusted Sites and make sure this zone is configured to to Auto Logon and Windows Authentication is enabled.
Delegation of Authentication
Another crucial step is to delegate authentication in AD, we need to delegate authentication to the service account
domain\crm.service and the CRM servers:
application and platform
With an account with permissions to delegate authentication you right-click the user account
domain\crm.service in AD and click properties, click on the delegation tab, and enable:
Testing / Troubleshooting
We have now all in place to test Kerberos authentication, opening crm.domain.com and not getting prompted for username/password is a good sign authentication is working, if we do get prompted, review the following configuration:
- Trusted Sites zone configuration and check if the domain is listed on the trusted sites list.
- Double check IIS
-Review duplicate SPNs, you just need one duplicate and it will not let you authentication, so make sure there are no duplicates.
If all is correctly configured, and we still getting prompted, I suggest you monitor the traffic between IE and the server with wireshark, capturing all communication packages and on the filter type Kerberos to view packages only related with Kerberos.
If authentication works, it doesn't mean that we are necessarily using kerberos, so I suggest you confirm this with wireshark or with Fiddler. When you run Fiddler, you can capture authentication headers, below is a screenshot illustrating a kerberos tickets
on the headers, a Kerberos ticket always start with Y or oY
Hope this post was useful for you, and if you have any questions please feel free to leave any comments.
SPN Configuration - http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/configurespn.aspx#o45872
Nuno Rodrigues Costa