

How to easily setup your Multiple-Server CRM Deployment for Windows Integrated Authentication

First of all, to verify whether your client authentication is working as Integrated (or not), make sure that your CRM URL is placed in an Internet Explorer security zone (Internet Options) that has Windows Integrated Authentication enabled. The Local Intranet zone is a good option if your servers are on the same network as your clients.

Once this setting is on and you access the CRM URL through Internet Explorer, you should NOT be prompted for credentials and should log on directly to CRM.

If you are prompted for credentials, first make sure that IIS has Windows Authentication enabled for the CRM website.

You can check this in the IIS administration console > Website > Authentication.

 

Then, regarding the delegation settings, there are a few rules of thumb to keep in mind:

- The SPNs should be unique and placed on the account running the service;

- The middle-tier accounts should be trusted for delegation;

- DNS has to resolve the name properly (a simple ping servername should get a valid reply);

- If you use Host Headers on your CRM website or you have an NLB setup, the SPNs should be configured accordingly.

To check, add and remove SPNs you can use ADSIEdit.msc, DSA.msc (with Advanced Features enabled, through the attribute list under the account properties) or the "SETSPN" command.

On Windows 2008, you have an additional switch that searches your Active Directory for duplicated SPNs: "SETSPN -X".

 

Practical example of CRM Deployment:

  • CRM Full Server:
    • Machine name: CRM-SRV01
    • Domain name: CONTOSO.COM
    • AppPool Account: CONTOSO\crmservice

  • SQL Server with Database and Reporting Services:
    • Machine name: CRM-SQL01
    • Domain name: CONTOSO.COM
    • SQL Services Account: CONTOSO\sqlservice
    • SQL Instance Name: SQLINST1

 

Having this setup, the SPNs and delegation settings should be:

  • On service account "CONTOSO\crmservice":
    • Account trusted for delegation (All Kerberos Services, or Constrained to the SQL services on machine CRM-SQL01 with account CONTOSO\sqlservice)
    • SPNs on this account should be:
      • HTTP/mycrm
      • HTTP/mycrm.contoso.com

  • On service account "CONTOSO\sqlservice":
    • Account trusted for delegation (All Kerberos Services, or Constrained to the SQL services on machine CRM-SQL01 with account CONTOSO\sqlservice)
    • SPNs on this account should be:
      [for SQL Reporting Services]
      • HTTP/CRM-SQL01
      • HTTP/CRM-SQL01.contoso.com
      [for SQL Database services]
      • MSSQLSvc/CRM-SQL01:SQLINST1
      • MSSQLSvc/CRM-SQL01:SQLINST1.contoso.com

 

This is a simple practical example that you can use and adapt to your CRM deployment; it is presented "as is". Depending on your architecture, you may need to make changes according to your accounts and server setup. Different setups, such as NLB or separate SQL machines, should be configured accordingly, based on the same rules explained above.
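As an added example (not part of the original post), the following Python script applies the rules above offline: it parses constructed text in the shape `setspn -L <account>` prints, reports SPNs registered on more than one account (the duplicates that `SETSPN -X` looks for) and lists the required SPNs missing from each account of the example deployment. The OU paths, the machine account CRM-SRV01$ and its extra HTTP/mycrm entry are constructed for the sample; in a real check you would paste in the actual command output.

```python
from collections import defaultdict

# Constructed sample in the shape `setspn -L <account>` prints. The machine account
# CRM-SRV01$ wrongly carries HTTP/mycrm as well, a classic cause of Kerberos failures.
SAMPLE_SETSPN = {
    r"CONTOSO\crmservice": """Registered ServicePrincipalNames for CN=crmservice,OU=Svc,DC=contoso,DC=com:
        HTTP/mycrm
        HTTP/mycrm.contoso.com
""",
    r"CONTOSO\sqlservice": """Registered ServicePrincipalNames for CN=sqlservice,OU=Svc,DC=contoso,DC=com:
        HTTP/CRM-SQL01
        HTTP/CRM-SQL01.contoso.com
        MSSQLSvc/CRM-SQL01:SQLINST1
""",
    r"CONTOSO\CRM-SRV01$": """Registered ServicePrincipalNames for CN=CRM-SRV01,CN=Computers,DC=contoso,DC=com:
        HOST/CRM-SRV01
        HOST/CRM-SRV01.contoso.com
        HTTP/mycrm
""",
}
# SPNs the deployment described in the post requires on each service account.
REQUIRED = {
    r"CONTOSO\crmservice": {"HTTP/mycrm", "HTTP/mycrm.contoso.com"},
    r"CONTOSO\sqlservice": {"HTTP/CRM-SQL01", "HTTP/CRM-SQL01.contoso.com",
                            "MSSQLSvc/CRM-SQL01:SQLINST1",
                            "MSSQLSvc/CRM-SQL01:SQLINST1.contoso.com"},
}

def parse_setspn(text):
    """SPNs listed in `setspn -L` output, lower-cased (Kerberos matches SPNs case-insensitively)."""
    return {line.strip().lower() for line in text.splitlines()[1:] if line.strip()}

def find_duplicates(registrations):
    """SPNs registered on more than one account, mapped to the sorted accounts holding them."""
    owners = defaultdict(set)
    for account, text in registrations.items():
        for spn in parse_setspn(text):
            owners[spn].add(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}

def find_missing(registrations, required=REQUIRED):
    """Required SPNs each account lacks; accounts that are complete are omitted."""
    missing = {}
    for account, needed in required.items():
        have = parse_setspn(registrations.get(account, ""))
        gap = {spn for spn in needed if spn.lower() not in have}
        if gap:
            missing[account] = gap
    return missing
```

Calling `find_duplicates(SAMPLE_SETSPN)` reports HTTP/mycrm on both the crmservice and CRM-SRV01$ accounts, and `find_missing(SAMPLE_SETSPN)` reports the FQDN MSSQLSvc entry missing from sqlservice.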

For further troubleshooting of these types of authentication issues, refer to your SQL and IIS logs and set up a Network Monitor capture.

  • Reference: https://support.microsoft.com/kb/148942/en-us

 

Regards

Gonçalo Antunes