Trust for Delegation in List Web Part for Microsoft Dynamics CRM 4.0


This article pertains to Trust for Delegation issues encountered in on-premise installations of Microsoft Dynamics CRM 4.0 (MS CRM) when the CRM server and the SharePoint server are on different physical machines. If you have the List Web Part (LWP) deployed for the IFD version of MS CRM, or Microsoft Dynamics CRM and SharePoint Server are on the same machine, then your deployment is not affected by the Trust for Delegation issue.


In scenarios where MS CRM on-premise and SharePoint are set up on separate machines, Microsoft Dynamics users of the LWP face issues during authentication. If the SharePoint server is not set up for Trust for Delegation, the user's Active Directory credentials are not passed to the MS CRM server. The LWP deployed on SharePoint does not receive the CRM authentication ticket from SharePoint and instead displays the sign-on form used with an IFD installation. The screen below shows the configuration pane of the LWP and the sign-on form. This form appears when Trust for Delegation (also known as double-hop impersonation) is not configured.




Figure 1 : IFD login from configuration pane


What is the Double Hop issue?


In situations where the SharePoint server and the MS CRM server are on different machines, the first hop is from the LWP user's IE browser to the SharePoint server, and the second hop is from the SharePoint server to the MS CRM server. By default, Windows credentials cannot be forwarded across the second hop, for security reasons. To enable the SharePoint server to pass the user's credentials on, the SharePoint server must be configured for Trust for Delegation.


Setting up 'Trust for Delegation'


To make it easier to understand the configuration settings, consider the following topology:



  • Machine #1 Active Directory

  • Machine #2 SQL Server

  • Machine #3 Microsoft Dynamics CRM 4.0 Server

  • Machine #4 Windows SharePoint Services 3.0/Microsoft Office SharePoint Server 2007

  • Machine #5 User accessing SP using IE



Figure 2: Independent CRM and SharePoint Server topology


1. First, configure IIS and IE for delegation using the steps in the following KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;810572


Note: To perform the remaining steps, the user must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or must have been delegated the appropriate authority.


As a security best practice, consider using Run as to perform this procedure.


2. Click Start >> Control Panel >> Administrative Tools >> Active Directory Users and Computers.


3. In the console tree, click Computers.


4. In the details pane, right-click the computer you want to trust for delegation and then click Properties. In our case it is the Windows SharePoint Services 3.0 server or MOSS 2007 server (machine #4 in Figure 2).


5. On the Delegation tab, click Trust this computer for delegation to specified services only.




Figure 3 : Trust for delegation to specific service


6. Depending on the IIS authentication type of the WSS/MOSS web application, do one of the following:

  • If the IIS authentication type is NTLM, click Use any authentication protocol.

OR

  • If the IIS authentication setting is Integrated Windows authentication with Negotiate (Kerberos), click Use Kerberos only (see Figure 7).

7. Click Add and, in Add Services, click Users and Computers.


8. In Enter the object names to select (examples), type the name of the computer that this computer will be trusted to delegate to, for example the Dynamics CRM 4.0 computer (machine #3 in Figure 2), and then click OK.




Figure 4 : Select User and Computers



If the machine name does not resolve, click Advanced:

      • After the Select Users or Computers dialog opens, click Find Now.

      • Select the CRM server computer from the list and then click OK. The CRM server machine name will now appear in the Select Users or Computers dialog; click OK.




Figure 5 : Select User and Computers using advanced dialog


9. In Add Services, click the HTTP service that will be trusted for delegation and click OK.





Figure 6 : Set trust for specified service


Notes



  • If you cannot see the Delegation tab as shown in Figure 3, do one or both of the following:



    • Register a Service Principal Name (SPN) for the computer account using the Setspn utility in the support tools that are on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.

    • Raise the functional level of your domain to Windows Server 2003 .


  • Constrained delegation, delegation of authentication for only specified services, can only be enabled on a member of the Windows Server 2003 family.
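As an added example, not part of the original post, here are steps 2 through 9 and the Setspn note above expressed as PowerShell with the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so this is not available with the Windows Server 2003 tooling the post describes). The computer names, FQDN, domain and CRM application pool account are placeholders.

```powershell
# Added example, not from the original post. Placeholder names for the topology
# in Figure 2; replace them with your own and run as a domain admin.
$SharePointComputer = 'SP01'                 # machine #4 (WSS 3.0 / MOSS 2007)
$CrmHost            = 'CRM01'                # machine #3 (Dynamics CRM 4.0)
$CrmFqdn            = 'crm01.contoso.local'  # assumed FQDN of machine #3
$CrmAppPoolAccount  = 'CONTOSO\svc-crmapp'   # assumed account running the CRM app pool
$KerberosOnly       = $true                  # $false = "Use any authentication protocol"

Import-Module ActiveDirectory   # RSAT, Windows Server 2008 R2 or later

# Notes section: register SPNs for the CRM HTTP service so the Delegation tab
# appears and Kerberos can issue service tickets for it. setspn -S checks for
# duplicates first; a duplicate SPN silently breaks Kerberos for both accounts.
setspn -S "HTTP/$CrmHost" $CrmAppPoolAccount
setspn -S "HTTP/$CrmFqdn" $CrmAppPoolAccount

# Steps 5 and 7-9: "Trust this computer for delegation to specified services
# only", limited to the CRM HTTP service (msDS-AllowedToDelegateTo holds the list).
Set-ADComputer -Identity $SharePointComputer -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$CrmHost", "HTTP/$CrmFqdn")
}

# Step 6: "Use Kerberos only" leaves TrustedToAuthForDelegation off. Turning it on
# ("Use any authentication protocol") enables protocol transition, which lets the
# SharePoint server obtain Kerberos tickets for users who authenticated with NTLM,
# so enable it only when the web application really uses NTLM.
Set-ADAccountControl -Identity "$SharePointComputer`$" -TrustedToAuthForDelegation (-not $KerberosOnly)

# Verify the result and flag unconstrained delegation, which would let the
# SharePoint server impersonate its users to any service in the domain.
function Get-DelegationReport {
    param([string]$ComputerName)
    $acct = Get-ADComputer -Identity $ComputerName -Properties `
        'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    if ($acct.TrustedForDelegation) {
        Write-Warning "$ComputerName is trusted for UNCONSTRAINED delegation; use constrained delegation instead."
    }
    $mode = 'Kerberos only'
    if ($acct.TrustedToAuthForDelegation) { $mode = 'Any authentication protocol' }
    [pscustomobject]@{
        Computer        = $acct.Name
        AllowedServices = (@($acct.'msDS-AllowedToDelegateTo') -join ', ')
        ProtocolMode    = $mode
    }
}

Get-DelegationReport -ComputerName $SharePointComputer | Format-List
```

The report should list only the CRM HTTP SPNs under AllowedServices; anything broader, or the unconstrained warning, means the account is trusted for more than the LWP needs.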


The following steps are necessary if you want to use Kerberos in WSS/MOSS.


10. In the SharePoint Central Administration site, under Application Management, select Authentication Providers.

11. In Authentication Providers, select the Windows membership provider for the Default zone and check the IIS Authentication Settings:

a. The Integrated Windows authentication check box should be selected.

b. Select the Negotiate (Kerberos) option.




Figure 7 : SharePoint Central Admin - Edit Authentication


You should now be able to log in to the List Web Part and view the configuration page.




Figure 8 : Successful Login in List Web Part


Cheers,


Suraj Supekar

Comments (12)

  1. Thank you for the useful information. I have been looking for this solution. I think wide availability of networked infrastructure presents many scenarios where the two tend to be on different machines.

  2. Mads Nissen says:

    Javista recently announced the release of the Sharepoint 2007 List Web Part for Microsoft Dynamics CRM

  3. marco says:

    Hi there, I have one question on this issue. We have authentication problems from our CRM server to the SQL Reporting server (HTTP status 401) when we try to start a report. Should we enable this "trust for delegation" option on our SQL Reporting server, too? Maybe someone has a clue? Thanks.

  4. Sander says:

    Hi

    We’re trying to get the SharePoint List Web Part for MS CRM 4.0 to work in a multi-server environment with NTLM authentication.

    Our scenario is that WSS 3.0, WSS’s database, CRM 4.0 and CRM’s database are on four different servers so we’d need to establish a trust. Following the

    instructions of this post we’ve set up this trust between the WSS 3.0 server and the CRM 4.0 server but it still somehow won’t let us connect to the server…

    Has anyone else got it to work using NTLM authentication?

    Thanks

    Sander

  6. Sander says:

    Hi

    It appears that you have to use (some part of) Kerberos for it to work… However the documentation does NOT specify this!

    We finally got it to work using a mix of NTLM and Kerberos by doing the following:

    • Create Netbios SPN’s for all servers in the farm

    • Create FQDN SPN’s for all servers in the farm

    • Create CNAME SPN for intranet site (if you have MOSS you’re likely to have mysites etc as well)

    • Set up trust for delegation (Kerberos, trust any) on each server in the farm

    • Set up trust for delegation (Kerberos, trust any) on each service account in the farm (including the SQL service account)

    • Switching authentication methods using a script to use both NTLM and Kerberos

    • Switching authentication methods in the SP central admin GUI/site using Kerberos (only).

    Websites that I found useful are the following:

    Setup mistakes   http://bobfox%2Esecurespsite%2Ecom/Blog%20Posts/Kerberos.docx

    SPN, Trust etc.   http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx

    Authentication    http://support.microsoft.com/?id=832769

    Thanks

    Sander

  7. Henrik Hedegaard says:

    We try to use the above in a hosted environment. We have our own SharePoint Services server in-house, but our CRM is hosted by an ISV partner. How should it be configured?

  8. jt says:

    You are describing right-clicking on the computer account and going to the Delegation tab, but if you are running MOSS 2007 with a web app using a service account, wouldn't you have to go to the actual service account of the web app and select the OTHER service so it can impersonate or delegate to the CRM box?

  9. vijay says:

    I am getting the error: "Your credentials are not valid or no such user exists on the CRM. Use the correct credentials or contact the :" while I am connected to the CRM using the correct URL. I exist on the CRM as an admin and as the user. Am I missing something while installing the List Web Part? Please guide.

  10. bittoo22 says:

    I have reached the point where Fig. 1 shows, but when I put in my correct credentials it says: "Your credentials are not valid or no such user exists on the CRM." Maybe I am missing some point while installing the List Web Part.

    If I use Basic authentication it takes me straight to the CRM without putting in the credentials, but I have to use NTLM authentication. Is there any such intelligent person who can understand my dilemma and can guide me through my problem?

    Thanks in advance.

  11. jclan says:

    It should be noted that when you have the SharePoint Central Administration site and the SharePoint Web Application on the same server, using different ports, you will have to use a domain user account for one of the sites, and also apply registry changes according to this article: http://blogs.technet.com/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx

  12. Richard says:

    Great start of an article – had me fooled it was going to be all I needed to help get this working – but it is missing a good deal of the necessary information to actually get the double-hop issues resolved and authentication of the web part working properly.
