Before I go through the steps, I will not explain Kerberos technical details, because that is a long subject and you can find many whitepapers online covering Kerberos authentication in detail, so I will focus only on the configuration requirements and how to troubleshoot.
Let's assume the enterprise role-based configuration below:
AD Configuration / SPNs
The first thing to do is to configure the SPNs. We need to make sure we don't duplicate SPNs for the alias crm.domain.com; if we do, Kerberos will not work. The following command will show us if any duplicate SPN exists:
ldifde -f c:\spn_out.txt -d "DC=domain,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*/*)" -p subtree
Analyse spn_out.txt for any duplicate or existing SPNs with the name crm.domain.com.
The following SPNs are required for Kerberos to work in the environment above, and they need to be configured under the service account domain\crm.service. You add SPNs using the setspn command or with ADSI Edit.
We are creating SPNs for the DNS name and for all servers in the CRM farm apart from SQL and reporting, because the SQL account will automatically create its own SPNs, and reporting runs under the Network Service account, which is the case in most deployments and by default does not require SPNs. If you run reporting under a different service account, then you also need to add the corresponding HTTP/ SPN to that service account.
With the SPNs in place, we can jump to the next step, IIS.
IIS
The CRMAppPool is running under the domain\crm.service account. The first setting to make sure is enabled is Kernel-mode authentication for Windows Authentication. To get there, highlight the website > click Authentication > highlight Windows Authentication > on the right menu click Advanced Settings. Note: this is normally enabled by default.
Make sure the DNS name you use for CRM, in this case crm.domain.com, is an A record and not a CNAME record.
The second configuration is to set useAppPoolCredentials to true, which by default is set to false. Highlight the website and double-click Configuration Editor, located in the Management section. Below is a screenshot of the location of the windowsAuthentication key we need to configure to enable the use of the AppPool credentials.
Double-click it and change useAppPoolCredentials to True.
At this point, if you access crm.domain.com you will be prompted for credentials. We need to add crm.domain.com to the Trusted Sites zone and make sure this zone is configured for automatic logon and that Windows Authentication is enabled.
Delegation of Authentication
Another crucial step is to delegate authentication in AD. We need to delegate authentication for the service account domain\crm.service and the CRM servers: application and platform.
With an account that has permissions to configure delegation, right-click the user account domain\crm.service in AD, click Properties, click the Delegation tab, and enable:
Testing / Troubleshooting
We now have everything in place to test Kerberos authentication. Opening crm.domain.com and not getting prompted for a username/password is a good sign that authentication is working. If we do get prompted, review the following:
- Trusted Sites zone configuration: check that the domain is listed in the trusted sites list.
- Double-check IIS.
- Duplicate SPNs: you just need one duplicate and it will not let you authenticate, so make sure there are no duplicates.
If all is correctly configured and we are still getting prompted, I suggest you monitor the traffic between IE and the server with Wireshark, capturing all packets, and type kerberos in the filter to view only the packets related to Kerberos.
Even if authentication works, it doesn't mean that we are necessarily using Kerberos, so I suggest you confirm this with Wireshark or with Fiddler. When you run Fiddler, you can capture the authentication headers; below is a screenshot illustrating a Kerberos ticket in the headers. A Kerberos ticket always starts with Y or oY.
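As an added example (not code from the original post), here are the two checks above in Python: a parser for the ldifde dump that flags any SPN registered on more than one object, and a classifier for the base64 token in the Negotiate header that tells a Kerberos ticket from NTLM by decoding the token rather than by its leading characters alone. The LDIF sample and the headers are constructed; the account and host names are assumptions.

```python
import base64
from collections import defaultdict
# Constructed ldifde-style dump standing in for c:\spn_out.txt; the account
# and host names are assumptions. HTTP/crm.domain.com is registered twice.
SAMPLE_LDIF = """\
dn: CN=crm.service,OU=Service Accounts,DC=domain,DC=com
servicePrincipalName: HTTP/crm.domain.com
servicePrincipalName: HTTP/crm

dn: CN=CRMAPP01,OU=Servers,DC=domain,DC=com
servicePrincipalName: HOST/crmapp01.domain.com
servicePrincipalName: http/CRM.domain.com
"""

def parse_spns(ldif_text):  # map each SPN (compared case-insensitively) to the DNs carrying it
    owners, dn = defaultdict(list), None
    for line in ldif_text.splitlines():
        if not line.strip():
            dn = None                                   # blank line ends the LDIF entry
        elif line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("serviceprincipalname: ") and dn:
            owners[line.split(": ", 1)[1].strip().lower()].append(dn)
    return owners

def find_duplicate_spns(ldif_text):  # SPNs on more than one object; a single hit breaks Kerberos
    return {s: d for s, d in parse_spns(ldif_text).items() if len(d) > 1}

# DER-encoded Kerberos V5 (1.2.840.113554.1.2.2) and MS KRB5 (1.2.840.48018.1.2.2) OIDs.
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"), bytes.fromhex("2a864882f712010202"))

def classify_negotiate(header_value):  # which mechanism a Negotiate/NTLM header token carries
    tok = base64.b64decode(header_value.strip().partition(" ")[2])
    if b"NTLMSSP\x00" in tok:                           # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm"
    if tok[:1] == b"\x60" and any(oid in tok for oid in KRB5_OIDS):
        return "kerberos"                               # GSS-API initial token; base64 starts 'Y'
    if tok[:1] == b"\xa1":
        return "spnego-response"                        # continuation token; base64 starts 'oY'
    return "unknown"

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed headers: leading bytes match real tokens, the rest is padding.
SAMPLE_HEADERS = {
    "kerberos": _hdr(b"\x60\x82\x01\x20\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x0b\x06\x09" + KRB5_OIDS[1] + bytes(8)),
    "ntlm": _hdr(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)),
    "spnego-response": _hdr(b"\xa1\x81\x90\x30\x81\x8d\xa0\x03\x0a\x01\x01"),
}
```

Run it against the real spn_out.txt by reading the file into find_duplicate_spns, and paste an Authorization header value from Fiddler into classify_negotiate.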
Hope this post was useful for you, and if you have any questions please feel free to leave any comments.
SPN Configuration - http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/configurespn.aspx#o45872
Nuno Rodrigues Costa