CRM 2011 Service Principal Names (SPN) generation and usage


When we implement CRM 2011 we always hear or read the term Service Principal Name (SPN) in connection with getting Kerberos authentication right; however, understanding Kerberos authentication can be time consuming and takes experience.

Sean has written a detailed blog explaining Kerberos Authentication here.

Identifying the right SPNs can be daunting, and it would be really nice to have a simpler way to identify them. To make SPN identification easier I have put together an Excel workbook that generates the list of SPNs for different deployment schemes. The workbook has separate sheets covering the most common scenarios, such as single-server and split-server deployments (see the attached workbook below).

Please feel free to post your feedback to improve the workbook so we can accommodate more deployment scenarios.

Thanks
Kaustubh Giri

Microsoft Premier Field Engineer

Setup SPNs.xlsx

Comments (9)

  1. Rocky Sharma says:

    How does the SPN requirement change if Kernel Mode Authentication is used?

    Thanks,

    Rocky.

  2. Rocky:

    Kernel mode authentication can be used along with Kerberos. It is a good idea to use Kernel Mode Authentication as it was designed to help; however, you must make a change in ApplicationHost.config file.

    If you do not have the useAppPoolCredentials="true" entry in your ApplicationHost.config file it may default the authentication to Network Service. The SPNs registered on the domain account running CRMAppPool may be ignored, as Network Service will be used to create the initial connection before impersonating the user. In that case the SPN it will look for is ComputerName$, and it may or may not cause authentication issues.

    It is advised to modify the ApplicationHost.config file with useAppPoolCredentials="true" entry when Kernel Mode Authentication is enabled on the website.

    I hope that answers your question.
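As an added example (not the author's workbook and not code from the post or the reply above), the following PowerShell script builds the SPN list a split-server CRM 2011 deployment should have, reports which ones are missing from the accounts, and checks the kernel-mode/useAppPoolCredentials setting described above. All host names, accounts, the SQL port and the IIS site name are placeholders.

```powershell
# Added example: expected-SPN check for a split-server CRM 2011 deployment.
# Every host name, account and site name below is a placeholder.
$crmHost        = 'crmweb01'                     # CRM web front end (short name)
$crmFqdn        = 'crmweb01.contoso.local'
$crmUrlHost     = 'crm.contoso.local'            # host header users type in the browser
$sqlFqdn        = 'sql01.contoso.local'
$sqlPort        = 1433                           # assumed default instance port
$ssrsFqdn       = 'ssrs01.contoso.local'
$crmAppPoolAcct = 'CONTOSO\svc-crmapp'
$sqlSvcAcct     = 'CONTOSO\svc-sql'
$ssrsSvcAcct    = 'CONTOSO\svc-ssrs'

# Expected SPN -> account mapping (the kind of list the workbook produces)
$expected = @{
    "HTTP/$crmHost"                    = $crmAppPoolAcct
    "HTTP/$crmFqdn"                    = $crmAppPoolAcct
    "HTTP/$crmUrlHost"                 = $crmAppPoolAcct
    "MSSQLSvc/${sqlFqdn}:${sqlPort}"   = $sqlSvcAcct
    "HTTP/$ssrsFqdn"                   = $ssrsSvcAcct   # SSRS HTTP SPN noted in the comments
}

function Get-RegisteredSpn([string]$account) {
    # setspn -L prints the account's SPNs one per line, indented
    $user = $account.Split('\')[-1]
    & setspn -L $user | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

# Report SPNs that are expected but not registered on the right account
$registered = @{}
foreach ($acct in ($expected.Values | Select-Object -Unique)) {
    $registered[$acct] = @(Get-RegisteredSpn $acct)
}
foreach ($spn in $expected.Keys) {
    $acct = $expected[$spn]
    if ($registered[$acct] -notcontains $spn) {
        Write-Warning "Missing: $spn should be registered on $acct (setspn -S $spn $acct)"
    }
}

# Duplicate SPNs in the forest break Kerberos silently (clients fall back to NTLM)
& setspn -X

# With kernel mode on, IIS decrypts tickets with the machine account unless
# useAppPoolCredentials is true, so the SPNs checked above would be ignored.
Import-Module WebAdministration
$site   = 'Microsoft Dynamics CRM'   # IIS site name, adjust to your deployment
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$auth   = Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$site"
if ($auth.useKernelMode -and -not $auth.useAppPoolCredentials) {
    Write-Warning "Kernel mode is on but useAppPoolCredentials is false: set it to true in applicationHost.config"
}
```

Run it on the CRM web server as a user allowed to query Active Directory; the warnings tell you which setspn -S commands and which applicationHost.config change are still needed.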

  3. Shalabh says:

    Nice article:)

  4. Thomas Lintner says:

    Thank you very much for your SPN-sheet. This is helping us forward for many CRM Setups now. The only SPN missing from the sheet is the HTTP-SPN for the SSRS-SvcAccount pointing to the SSRS-Server. Maybe you want to include this in a further release. 🙂

  5. Betty says:

    Is it Ok if we turn off the Kernel mode authentication and run app pool on domain account. Do we need to set SPNs in that scenario as well?

  6. @Thomas Lintner: Thanks. I will work on it in the next release.

    @Betty: You may turn it off; however, it is not recommended. The requirement for SPNs depends on the type of setup you have. If you have your AppPool running as Network Service and your URLs are the computer name, you may not need SPNs. I think I have covered most of the scenarios in my SPN spreadsheet.

    Ref: technet.microsoft.com/…/dd573004(v=office.13).aspx

    To all, I recommend enabling kernel mode, modifying the ApplicationHost.config file to add useAppPoolCredentials="true", and setting up the correct/necessary SPNs.

    Hope that helps. 🙂

  7. Ali says:

    While installing a CRM trial instance, on the pre-check list page I am getting the following error. I have given all the permissions mentioned in the planning guide, but still the setup fails.

    In the event viewer I have seen two audit failures:

    Please advise accordingly:

    14:38:03|  Error| Check AspNetServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

    14:38:03|  Error| Check AsyncServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

  8. KGiri says:

    Ali,

    Sorry for the delayed response. It looks like you are running into a non-SPN issue. The error states that your credentials are not entered correctly or that the credentials mentioned do not have the required permissions on the server. Please ensure you give the service accounts Local System rights or the minimum required permissions by adding them to the required security groups on the server.

    Hope that helps.

    Kaustubh Giri

  9. SeanJohn says:

    Remember to update

    SPN missing from the sheet is the HTTP-SPN for the SSRS-SvcAccount pointing to the SSRS-Server