CRM 2011 Kerberos Troubleshooting - Report Wizard FetchXml Related Issue
Hi all,
Recently one of our clients had an issue when running reports created through the report wizard. After some investigation, it turned out that the FetchXMLDataSource was having a connection issue, with an error logged along the lines of: A call to SSPI failed, see inner exception.
This is surely a Kerberos authentication issue. After a few good hours reading documentation on how to set up Kerberos properly for CRM 2011, I managed to get it all working nicely. I've summarised everything I did so that it may help you down the track:
- Check whether the CRMAppPool service account is NetworkService or a domain account. The best practice is to use a custom domain account (separate from your CRM admin account as well). In my case I have something like domain\CRM2011APP. If you set this up during installation, it should at least be in the PrivUserGroup and PrivSqlServerGroup as well.
- Open your AD manager and check that the account has Kerberos delegation enabled (on the Delegation tab).
- In IIS Manager (IIS 7/7.5), click your Microsoft Dynamics CRM website -> Authentication -> Windows Authentication -> Advanced Settings. Make sure Kernel mode is ticked. Also check the Providers and make sure you have Negotiate and NTLM (in this order).
- Set the SPN to enable token delegation for the account to the CRM server. Let's say your CRM application server URL is http://mycrm.domain.com:5555, then open your command prompt and enter:
  - setspn -a http/mycrm domain\CRM2011APP
  - setspn -a http/mycrm.domain.com domain\CRM2011APP
- (From Microsoft KB2590774) Open IIS Manager. Expand the server and then select Sites. Then select the Microsoft CRM website. Under Management, select Configuration Editor. In the "From:" section above the properties, select "ApplicationHost.config". For the "Section:" location, select system.webServer > security > authentication > windowsAuthentication. In the properties page, set useAppPoolCredentials to True, then select Apply.
Run iisreset afterwards and try opening CRM, Outlook for CRM and the reports. It should work fine now.
P.S.: Only the system.webServer Windows authentication should have useAppPoolCredentials set to True. Leave the Microsoft Dynamics CRM Windows authentication alone.
HTH,
Andreas
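A read-only check of the settings from the steps above, added here as an example and not part of the original post. It assumes PowerShell 3.0 or later with the ActiveDirectory and WebAdministration modules, and uses the post's sample account, host names and site name; the function names are hypothetical.

```powershell
# Added example: read-only checks; account, host and site names are the post's sample values.
Import-Module ActiveDirectory    # assumption: RSAT AD module is installed
Import-Module WebAdministration  # assumption: run elevated on the CRM web server

$Account = 'CRM2011APP'                          # CRMAppPool identity (sAMAccountName)
$Spns    = 'http/mycrm', 'http/mycrm.domain.com'
$Site    = 'Microsoft Dynamics CRM'              # IIS site name
$Section = 'system.webServer/security/authentication/windowsAuthentication'

function New-Check($Name, $Value, $Ok) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Ok = [bool]$Ok }
}

function Test-CrmSpn {
    # A duplicate SPN (held by more than one object) breaks Kerberos just like a missing one.
    foreach ($spn in $Spns) {
        $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName |
                    ForEach-Object { $_.sAMAccountName })
        New-Check "SPN $spn" ($owners -join ', ') ($owners.Count -eq 1 -and $owners[0] -eq $Account)
    }
}

function Test-CrmDelegation {
    $u = Get-ADUser $Account -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    # Unconstrained delegation lets the account act as its callers against any service;
    # constrained delegation limits it to the SPNs listed on the Delegation tab.
    $mode = 'none'
    if ($targets.Count) { $mode = 'constrained: ' + ($targets -join ', ') }
    if ($u.TrustedForDelegation) { $mode = 'unconstrained' }
    New-Check 'Kerberos delegation' $mode ($mode -ne 'none')
}

function Test-CrmIisAuth {
    # Reads the site's <location> entry in applicationHost.config, where the KB step writes.
    $q = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site; Filter = $Section }
    $kernel    = (Get-WebConfigurationProperty @q -Name useKernelMode).Value
    $poolCreds = (Get-WebConfigurationProperty @q -Name useAppPoolCredentials).Value
    $providers = @(Get-WebConfigurationProperty @q -Name providers.Collection |
                   ForEach-Object { $_.Value })
    New-Check 'Kernel mode' $kernel $kernel
    New-Check 'useAppPoolCredentials' $poolCreds $poolCreds
    New-Check 'Providers order' ($providers -join ', ') (($providers -join ',') -eq 'Negotiate,NTLM')
}

& { Test-CrmSpn; Test-CrmDelegation; Test-CrmIisAuth } | Format-Table -AutoSize
```

Any row with Ok set to False points at the step to revisit; a delegation value of "unconstrained" is worth reviewing even though it satisfies the check.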
Thanks for sharing all this info on CRM. Very helpful!