We had an error back during installation about not being able to properly set SPNs (see http://community.spiceworks.com/topic/734916-ms-dynamics-crm-2015-install-issue-mscrmsandboxservice) and this has now come back to bite us a couple of times. First was the reporting issue seen in that thread, and now it's with the Service Endpoints.
Basically, the site and the reporting were working fine. However, if we tried to go to any of the Service Endpoint links we got the message "The service '/XRMServices/2011/Discovery.svc' cannot be activated due to an exception during compilation. The exception message is: The authentication schemes configured on the host ('Ntlm, Anonymous') do not allow those configured on the binding 'BasicHttpBinding' ('Negotiate')."
I was able to get these links to work by adding Negotiate as a Windows Auth provider for the site. However, now the entire site does not work in Chrome. And reading threads on the Chrome error message, everyone is saying "remove Negotiate and just use NTLM". Which is of course the setup we had when the endpoints didn't work. :-(
I figure either 1. I need to find the binding it's talking about and set it to NTLM, instead of the reverse (setting the site to Negotiate), or 2. there's still something messed up in the SPNs.
Has anyone experienced this? Could someone with a fully functional site+custom reporting+endpoints post what their SPNs look like, perhaps, and I could see if I'm missing anything else?
Thanks!
ETA: I removed Negotiate from the site again, and from the XRM Deployment app again, and now magically it works. Despite having done those same things yesterday. :-( So it's seemingly okay for now, but would still like some input on whether there's a better/more secure way to do things, or if this is fine.