CRM 2013 Kerberos and SPN Checklist

I created a Curah page for SPN items related to CRM here: http://curah.microsoft.com/73013/dynamics-crm-and-service-principal-names-spn

Update: Link to the page was retweeted by Hosking and Niiranen, some of the brightest heads in the #MSDYNCRM space. Thanks!

Straight from MS support, here is a checklist for Kerberos and SPN:

Compared, Kerberos challenge is faster than NTLM and the ticket/token is cacheable in the client providing a better authentication mechanism for a large distributed application such as CRM. Setting up Kerberos properly can dramatically increase performance if you struggle with network throughput.

In order to have Kerberos authentication running properly, the main guidelines are:

• DNS has to be working and resolving names properly
• Web SPNs must be set on the account running the CRM Application Pool
• Account running the CRM application Pool must be trusted for delegation
• SQL Server SPNs must be set on the account running the SQL Database services
• Web SPNs should be set on the Account running the SQL Reporting Services Application pool
• Duplicated SPNs cannot exist (pro tip: use SETSPN -S instead of SETSPN -A to stop if duplicate)

You need to make sure you have:

• CRM Web SPNs (HTTP SPN)
• SQL Database Service Server SPNs (MSSQLSvc SPN)
• SQL Reporting Services Server SPNs (HTTP SPN)

Also do (source: http://support.microsoft.com/kb/2536453):

• Enable IIS Kernel Mode
• Use application pool credentials

I will follow up with a more detailed guide and troubleshooting tips for Kerberos and CRM in a later article.