Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / SSPI negotiation faile...
Customer experience | Sales, Customer Insights,...
Unanswered

SSPI negotiation failed when trying to call the SDK after changing a password

(0) ShareShare
ReportReport
Posted on by Christian Betrisey 30

Hi,

We are encountering a security issue when trying to call the SDK (onPremise 8.2) from a web service. This worked fine until we changed to password of the CRM user USER_A which is used as 'Identity' of the appPool under which the  web service is running.

After changing the password, we re-entered the identity as user USER_A + new password and restarted the appPool.Now we are getting the following exception when calling the SDK

SOAP security negotiation with 'http://crm.xxxx.xxx/org1/XRMServices/2011/Organization.svc' for target 'http://crm.xxxxxx.xxx/org1/XRMServices/2011/Organization.svc' failed. See inner exception for more details.
InnerException = {"The Security Support Provider Interface (SSPI) negotiation failed."}

 

We thought it might be an SPN issue for accessing the SDK service which runs under SVCUSER

>setspn -q http/crm.xxxx.xx
Checking domain DC=xxxxx,DC=org
CN=SVCUSER,OU=Service Accounts,DC=xxxxx,DC=org
        HTTP/crm.xxxx.xxx

We thought we could add USER_A, but this fails (duplicate SPN found) because it already has SVCUSER under which it is running

Any idea why a simple password change would cause this error?
Thanks for your help

Christian

  • Christian Betrisey Profile Picture
    Christian Betrisey 30 on at
    RE: SSPI negotiation failed when trying to call the SDK after changing a password

    Hi Gustavo,

    Many thanks for answering to my question.

    I just found out what the issue was and could fix it.

    This service was an old service that was not using the credentials from the appPool to access CRM. I needed to update the credentials stored in another vault temporarily. I will fix the service to use the appPool identity like the other services instead.

    Thanks

    Christian

  • Gustavo Longo Profile Picture
    Gustavo Longo on at
    RE: SSPI negotiation failed when trying to call the SDK after changing a password

    Hello Christian,

    Hope you are well.

    Would say to check out if the same service account is configured on another nodes (frontend and backend servers).

    Regards,

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

December Spotlight Star - Muhammad Affan

Congratulations to a top community star!

Top 10 leaders for November!

Congratulations to our November super stars!

Tips for Writing Effective Suggested Answers

Best practices for providing successful forum answers ✍️

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,280 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,235 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans