CRM 2011 Client for Outlook- problem communicating with server

Submitted by feridun on Fri, 09/24/2010 - 12:40

The installating guide for CRM 2011 strongly recommends that a low privilege domain account is used for the CRM and ASP.NET services.

Having followed this advice I found I was unable to configure the Outlook Client to connect to the CRM server. The error I got was "there is a problem communicating with the server". Examining the log file, Crm50ClientConfig.log, revealed the following error:

Error connecting to URL: http://crmserver/XRMServices/2011/Discovery.svc Exception: System.ServiceModel.Security.MessageSecurityException: The token provider cannot get tokens for target 'http://crmserver/XRMServices/2011/Discovery.svc'. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details. ---> System.IdentityModel.Tokens.SecurityTokenException: Authenticating to a service running under a user account which requires Kerberos multilegs, is not unsupported.

Further research suggested that I needed to set a Service Principal Name for the low-privilege domain account used for the CRM and ASP.NET services. I did this on the AD server by using the attribute editor for the user account (AD on Windows Server 2008 R2) to set servicePrincipalName to http://crmserver. Having done this, Outlook configuration worked.