Service Principal Names (SPN) for Dynamics CRM

When setting up Microsoft Dynamics CRM it is likely that you will have to configure Service Principal Names (SPN).

What is an SPN?

An SPN is a mapping that associates a service with the account responsible for the service and supports mutual Kerberos authentication.

I like the explanation provided by Brian Murphy-Booth. He describes an SPN as a name that identifies a program that deals with credentials.

An SPN can consist of up to 3 parts:

service type, host name, port

Consider a process running in IIS that is accessed using the DNS name server1.contoso.local, where the application pool for the process is running under the user account domain\usera. The SPN for the process is:

HTTP/server1.contoso.local

Note that HTTP in the SPN is a service class, not the protocol scheme shown in a browser. If the service ran on port 999 then the SPN is:

HTTP/server1.contoso.local:999

The SPN must be registered on the usera account. You can do this with setspn.exe:

setspn -S HTTP/server1.contoso.local domain\usera

If the account used for the service is Network Service, Local Service or Local System then the SPN must be registered against the computer account:

setspn -S HTTP/server1.contoso.local domain\server1$

SPNs required for CRM

If CRM and the SQL Server that hosts the CRM databases are running on the same computer then you might be able to get away with not setting SPNs. But as soon as more than one server is involved (including NLB clusters) then you must set SPNs.

Item: AD FS Server (when using Claims-based authentication)
To set the SPN: setspn -s HTTP/adfsURL Domain\adfsserver$
Notes:

Where adfsURL is the URL for the AD FS 2.0 service and adfsserver is the internal name of the server running AD FS 2.

The CRM Implementation Guide describes adding an HTTP SPN for the server; however, this article (and others) suggest adding a HOST SPN for the AD FS service account.

Of course, if the service account is Network Service, then the SPN is created for the server.

Item: CRM Server
To set the SPN: setspn -s HTTP/CRMServerName Domain\CRMAppPoolAccountName
Notes:

Where CRMServerName is the DNS name (fully qualified domain name) of the server where CRM is installed and CRMAppPoolAccountName is the name of the account used for the CRMAppPool application pool (this can be determined in IIS).

NOTE: If IIS is running in Kernel Authentication Mode (which is the default and recommended mode) then it should not be necessary to register SPNs for CRM, because in Kernel Authentication Mode IIS runs as the computer account.

However, the HTTP SPN is needed for Report Wizard reports to run as per Microsoft KB article 2590774.

Note that Microsoft KB article 2590774 suggests adding an SPN for both the server name and fully qualified domain name for the CRM server. I have had a situation where registering SPNs for both the server name and FQDN did not work and I had to register an SPN for just the server name.

This article describes the required SPNs for CRM in much more detail and includes an Excel workbook that lists the SPNs required for several CRM deployment types, and this link describes Kerberos in load balanced environments.
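As an added example (not from the original post), the following PowerShell builds the HTTP SPN in the service/host[:port] form described above, looks up which account in the domain currently holds it via an LDAP query, and prints the setspn command for anything missing. It covers both the single-server case and the CRM Server row above; the host names and the account name are constructed placeholders, and the account is given as the sAMAccountName (usera, or server1$ for the computer account) rather than with a domain prefix.

```powershell
# Added example: check that a CRM HTTP SPN is registered on the expected account.
# Host names and account names below are constructed placeholders.

function Get-CrmHttpSpn {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. server1.contoso.local
        [int]$Port = 0                             # 0 = default port, no :port suffix
    )
    # SPN shape from the post: service type / host name [: port]
    if ($Port -gt 0) { "HTTP/${HostName}:${Port}" } else { "HTTP/${HostName}" }
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # LDAP search in the current domain; does not need the ActiveDirectory module
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    # Returns every account that holds the SPN: 0 = unregistered, 2+ = duplicate
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

function Test-CrmSpn {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Account,  # app pool account, or server$ for built-in accounts
        [int]$Port = 0
    )
    $spn    = Get-CrmHttpSpn -HostName $HostName -Port $Port
    $owners = Find-SpnOwner -Spn $spn
    switch ($owners.Count) {
        0       { "MISSING   $spn -> run: setspn -S $spn $Account" }
        1       {
            if ($owners[0] -ieq $Account) { "OK        $spn is on $Account" }
            else { "WRONG     $spn is on $($owners[0]), expected $Account" }
        }
        default { "DUPLICATE $spn is on $($owners -join ', ') - Kerberos will fail until one is removed" }
    }
}

# Check both the short name and the FQDN, as KB 2590774 (cited in the post) suggests,
# for an app pool running as usera on the default port.
foreach ($name in 'server1', 'server1.contoso.local') {
    Test-CrmSpn -HostName $name -Account 'usera'
}
```

Run it from a domain-joined machine as a user who can read Active Directory; it only reads, so nothing changes until you run the printed setspn command yourself.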
