Hello,
let me first give you an overview of my environment:
I've set up MS Dynamics CRM 2011 On-premise with separated application and database server (DOMAIN\APPSRV; DOMAIN\DBSRV).
Port used for access is 55555 (yes, 5x5).
There are three domain accounts:
- DOMAIN\svcCRM: service account for all services on APPSRV
- DOMAIN\svcCRMdb: service account for database engine and reporting services on DBSRV
- DOMAIN\svcCRMadmin: installation and administration account
Only HTTPS is used; the certificate is trusted and does not produce any errors or warnings in browsers.
The IIS application pool uses svcCRM as service account. Kernel mode is activated. useAppPoolCredentials is set to true. Authentication mode is set to "Negotiate" only (no NTLM). Anonymous authentication is allowed (IUSR).
Internet address in CRM deployment manager (4x): APPSRV:55555; binding type: HTTPS
Firewalls are disabled.
Workstation computers have *.appsrv.domain.tld added in Intranet security zone.
The following SPNs are added to the domain and delegation is set to "Trust all services (Kerberos only)":
- SetSPN -S HTTP/APPSRV:55555 DOMAIN\svcCRM
- SetSPN -S HTTP/APPSRV.domain.tld DOMAIN\svcCRM
- SetSPN -S MSSqlSvc/DBSRV:51433 DOMAIN\svcCRMdb
- SetSPN -S MSSqlSvc/DBSRV.domain.tld:51433 DOMAIN\svcCRMdb
The whole setup is working fine. I can add additional organisations in the deployment manager, I can connect to the website on "https://APPSRV.domain.tld:55555/organisation" and do stuff (manage users permission, add contacts, etc.).
--
Now I wanted to try out the CRM Outlook client (Outlook 2010).
I added my workstation user (DOMAIN\USER) to CRM (role: system administrator) and he can browse the website, too. I used the latest download version I could find (SetupClient.exe is dated 16th January 2012) and the installation went without errors.
After entering the URL (https://APPSRV.domain.tld:55555/) to the connection dialogue and clicking "Test connection", I get the following error:
There is a problem communicating with the Microsoft Dynamics CRM Server. The server might be unavailable. Try again later. If the problem persists, contact your administrator.
I enabled Kerberos errors for eventvwr.exe and there's the following entry:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SVCCRM. The target name used was host/appsrv.domain.tld. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.TLD) is different from the client domain (DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
(I don't know why the "server" is the account svcCRM and the "target name" isn't an HTTP SPN.)
After that, I tried to use "https://appsrv:55555" (NetBIOS name, not FQDN) and the error was similar, but this time, the "server" and "target" looked more logical:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server appsrv$. The target name used was HTTP/appsrv.domain.tld. This indicates [..]
There's also an error in C:\Users\USER\AppData\Local\Microsoft\MSCRM\Logs\Crm50ClientConfig.log:
13:42:15| Error| Error connecting to URL: https://appsrv.domain.tld:55555/XRMServices/2011/Discovery.svc Exception: System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'https://appsrv.domain.tld:55555/XRMServices/2011/Discovery.svc' for target 'https://appsrv.domain.tld:55555/XRMServices/2011/Discovery.svc' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/appsrv.domain.tld'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
(But how do I specify the EndpointAddress?)
--
This was two days ago and I spent three days trying to correct this error. :/
I'd be really happy if someone could give me a hint why everything is working fine in browser, but the Outlook client won't work. I don't understand why the CRM Outlook client requests or gets a ticket with false information (account/SPN don't match the service accounts and SPNs).
Please let me know if you need additional information.
Kind regards,
P.B.
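An added example, not part of the post or of the CRM product, of the check the Kerberos event text describes ("registered on, and only registered on, the account used by the server"). It runs over a constructed SPN inventory that mirrors the accounts and SPNs listed above (computer accounts carry their default host/ SPNs) and reports, for a target name a client presented, whether that SPN is held by the account the service runs as, by another account, by more than one account, or by none.

```python
from collections import defaultdict

# Constructed SPN inventory mirroring the post (not exported from a real domain):
# the computer accounts carry their default host/ SPNs, the two service accounts
# carry the SPNs the poster registered with SetSPN.
SPN_INVENTORY = {
    "DOMAIN\\APPSRV$": ["host/APPSRV", "host/APPSRV.domain.tld"],
    "DOMAIN\\DBSRV$": ["host/DBSRV", "host/DBSRV.domain.tld"],
    "DOMAIN\\svcCRM": ["HTTP/APPSRV:55555", "HTTP/APPSRV.domain.tld"],
    "DOMAIN\\svcCRMdb": ["MSSqlSvc/DBSRV:51433", "MSSqlSvc/DBSRV.domain.tld:51433"],
}


def holders_by_spn(inventory):
    """Map each SPN (compared case-insensitively, as AD does) to the accounts holding it."""
    holders = defaultdict(list)
    for account, spns in inventory.items():
        for spn in spns:
            holders[spn.lower()].append(account)
    return holders


def diagnose(inventory, target_name, service_account):
    """Check the SPN a client presented against the account the service really runs as.

    Returns (verdict, detail). The verdicts are the causes the KRB_AP_ERR_MODIFIED
    event text names: the SPN is held by another account, is held by more than one
    account (a duplicate), or is not registered at all (the KDC then cannot issue a
    ticket for it).
    """
    holders = holders_by_spn(inventory).get(target_name.lower(), [])
    if not holders:
        return "missing", f"{target_name} is not registered on any account"
    if len(holders) > 1:
        return "duplicate", f"{target_name} is registered on {', '.join(holders)}"
    if holders[0].lower() != service_account.lower():
        return "wrong-account", (f"{target_name} is held by {holders[0]} "
                                 f"but the service runs as {service_account}")
    return "ok", f"{target_name} is registered only on {service_account}"


if __name__ == "__main__":
    # The target name from the first Kerberos event in the post, plus the HTTP
    # forms a client could present, each checked against the app pool identity.
    for target in ("host/appsrv.domain.tld", "HTTP/appsrv.domain.tld",
                   "HTTP/appsrv.domain.tld:55555"):
        print(target, "->", diagnose(SPN_INVENTORY, target, "DOMAIN\\svcCRM"))
```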