Microsoft Dynamics CRM (Archived)

CRM and SPN's


Hi Folks,

Wondering if someone could shed some light on what SPN's are needed when standing up an On-Prem Environment.

Example Environment:

2 Front End Servers with all application roles installed.

1 Database Server (hosts the CRM and SSRS DB's)

Supported by a Hardware Load Balancer (https://mycrm.contoso.com)

 

Questions:

1. The CRM Application Pool is run under domain account contoso\crmappservice

a. Should I Create the following SPN's:  http\mycrm and http\mycrm.contoso.com

b. If running CRM on a non-standard port like 6565, does the port number need to be part of the SPN?

 

2. If the other Services are running under domain accounts, like crmasyncservice, crmsandservice, do those also need the same SPN's created?  Would this not create duplicates?

3. Do SPN's impact performance?

4. If SQL Server is running under a domain account, does it also need SPN's created?

 

Currently working with CRM 2013.

 

Thanks for reading.

  • Community Member
    RE: CRM and SPN's

    Hi.

    When you are setting SPNs on the CRM APP Pool service, do take care to set the value of useAppPoolCredentials in both the CRM front end IIS servers to True.

    IIS by default has kernel mode authentication enabled and it will use the machine password key to decrypt Kerberos tickets issued by your domain controllers, even if you have set the SPNs on the service account in AD. You would have to change useAppPoolCredentials to True so that IIS uses the service account's key to decrypt the Kerberos tickets.

    blogs.technet.com/.../useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx

    If this is not done, your system will run on the older NTLM protocol and not on Kerberos.

    -Alen

  • Gireeshg
    RE: CRM and SPN's

    Hi,

    1. The CRM Application Pool is run under domain account contoso\crmappservice

    a. Should I Create the following SPN's:  http\mycrm and http\mycrm.contoso.com

    Yes, you should create SPN's for both the URL's. The command should be as below,

    setspn -a HTTP/mycrm contoso\crmappservice

    setspn -a HTTP/mycrm.contoso.com contoso\crmappservice

    b. If running CRM on a non-standard port like 6565, does the port number need to be part of the SPN?

    If you have any other website/application running under the same host, you should add port numbers as well to avoid a duplicate SPN issue.

    2. If the other Services are running under domain accounts, like crmasyncservice, crmsandservice, do those also need the same SPN's created?  Would this not create duplicates?

    No, you should not add SPN's for this; this will cause duplicate SPN's.

    3. Do SPN's impact performance?

    No there is no performance Impact from the application side. SPN's have nothing to do with performance

    4. If SQL Server is running under a domain account, does it also need SPN's created?

    No, normally SQL is smart enough to create SPN's when you change the service accounts.

    To get more Information about SPN's refer blogs.msdn.com/.../configuring-service-principal-names.aspx

  • Suggested answer
    Ragnar Hilmarsson
    RE: CRM and SPN's

    Hi 

    1. You should create SPN for both http/mycrm and http/mycrm.company.com
       b) Yes, like http/CRMNLBName.FQDN:6565
          setspn -s http/CRMNLBName.FQDN:6565 CRMAppPoolService

    2. You don't need SPN for asyncservice.
       For sandbox it is possible you need SPN (setspn -A MSCRMSandboxService domainname\crmsandbox service account)
    3. Not sure, but I don't think so.
    4. No

    Best regards 
    Ragnar Hilmarsson
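
Added example, not part of any reply above: one way to check the two HTTP SPNs from the question for duplicates before registering them, then confirm useAppPoolCredentials on a front-end server. The account and host names come from the question; the IIS site name in `$siteName` is an assumption, and the script assumes the ActiveDirectory (RSAT) and WebAdministration modules are installed.

```powershell
# Added example. Account and host names come from the question; $siteName is an assumption.
Import-Module ActiveDirectory      # RSAT AD module, provides Get-ADObject
Import-Module WebAdministration    # IIS module; run step 3 on each CRM front-end server

$sam      = 'crmappservice'                         # CRM app pool identity (contoso\crmappservice)
$spns     = 'HTTP/mycrm', 'HTTP/mycrm.contoso.com'  # load-balanced names clients browse to
$siteName = 'Microsoft Dynamics CRM'                # assumption: name of the CRM site in IIS

# 1. Find every AD object that already holds each SPN. More than one holder, or a
#    holder other than the app pool account, breaks Kerberos for that name.
foreach ($spn in $spns) {
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        # 2. Not registered yet: -S re-checks for duplicates before writing.
        setspn -S $spn "contoso\$sam"
    }
    elseif ($holders.Count -eq 1 -and $holders[0].sAMAccountName -eq $sam) {
        Write-Output "OK: $spn is registered only on $sam"
    }
    else {
        Write-Warning "$spn is held by: $($holders.sAMAccountName -join ', '). Resolve before continuing."
    }
}

# 3. Kernel-mode authentication decrypts tickets with the machine key unless
#    useAppPoolCredentials is true, so read the setting and enable it if needed.
$common = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = $siteName
    Filter   = 'system.webServer/security/authentication/windowsAuthentication'
    Name     = 'useAppPoolCredentials'
}
$current = (Get-WebConfigurationProperty @common).Value
if (-not $current) {
    Set-WebConfigurationProperty @common -Value $true
    Write-Output "useAppPoolCredentials set to true on '$siteName'"
}
```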
