The installating guide for CRM 2011 strongly recommends that a low privilege domain account is used for the CRM and ASP.NET services.
Having followed this advice I found I was unable to configure the Outlook Client to connect to the CRM server. The error I got was “there is a problem communicating with the server”. Examining the log file, Crm50ClientConfig.log, revealed the following error:
Error connecting to URL: http://crmserver/XRMServices/2011/Discovery.svc Exception: System.ServiceModel.Security.MessageSecurityException: The token provider cannot get tokens for target ‘http://crmserver/XRMServices/2011/Discovery.svc’. —> System.IdentityModel.Tokens.SecurityTokenValidationException: The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details. —> System.IdentityModel.Tokens.SecurityTokenException: Authenticating to a service running under a user account which requires Kerberos multilegs, is not unsupported.
Further research suggested that I needed to set a Service Principal Name for the low-privilege domain account used for the CRM and ASP.NET services. I did this on the AD server by using the attribute editor for the user account (AD on Windows Server 2008 R2) to set servicePrincipalName to http://crmserver. Having done this, Outlook configuration worked.