Dynamics 9.1 server on Windows 2022 Server
SQL Server 2022 on Windows 2022 Server
Reports created by report wizard fail when executing in Dynamics CRM
- Report Wizard reports fail with a rsProcessingAborted error.
- All out-of-the-box reports run
- All report builder reports run
This seems to be a classic issue with SPNs but all my SPNs are created and I'm still getting the issue.
SSRS Logs contain this error:
Microsoft.Crm.CrmException: An unexpected error occurred.
System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception.
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
System.ComponentModel.Win32Exception: The target principal name is incorrect
All this is configured:
IIS is running with windowsAuthentication and useAppPoolCredentials=True
Pool account: prod\CRMAppPoolAccount
The account running SSRS is a member of:
PrivReportingGroup
PrivUserGroup
ReportingGroup
SPNs for account running IIS CRM Application Pool: prod\CRMAppPoolAccount
http/CRMSERVER.prod1.prv1
http/CRMSERVER
SPNs for account running SSRS: prod\SSRSAccount
http/SQLSERVER.prod1.prv1
http/SQLSERVER
I also tried a workaround based on https://learn.microsoft.com/en-us/previous-versions/troubleshoot/dynamics/crm/reports-created-by-report-wizard-or-custom-fetchxml-may-fail
SPN for prod\CRMAppPoolAccount
HTTP/CRMfetch(CRMSERVER)
Registry entry on SQL Server server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxClientSpn.CRMSERVER
Value = HTTP/CRMfetch(CRMSERVER)
After I tried the workaround I got the following error in the SQL Server Event log:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server CRMAppPoolAccount. The target name used was HTTP/CRMfetch(CRMSERVER). This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (prod1.prv1) is different from the client domain (prod1.prv1), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
What is bizarro in the above error message is that it refers to my CRM pool service account as the server when it says "error from the server CRMAppPoolAccount."
What could I be missing?
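The KRB_AP_ERR_MODIFIED text quoted above names one checkable condition: the target SPN being registered on an account other than the one the service runs as. The following is an added example, not part of the original post, that tests for that condition over text in the format printed by `setspn -L`. The distinguished names, the account OldCrmSvc and its duplicate registration are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `setspn -L <account>`; the DNs,
# the OldCrmSvc account and its registration are invented to exercise the check.
SAMPLE = """\
Registered ServicePrincipalNames for CN=CRMAppPoolAccount,OU=Svc,DC=prod1,DC=prv1:
\thttp/CRMSERVER.prod1.prv1
\thttp/CRMSERVER
\tHTTP/CRMfetch(CRMSERVER)
Registered ServicePrincipalNames for CN=SSRSAccount,OU=Svc,DC=prod1,DC=prv1:
\thttp/SQLSERVER.prod1.prv1
\thttp/SQLSERVER
Registered ServicePrincipalNames for CN=OldCrmSvc,OU=Svc,DC=prod1,DC=prv1:
\thttp/crmfetch(crmserver)
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),", re.I)

def parse_setspn(text):
    """Map lower-cased SPN -> set of account CNs that register it."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            # SPNs compare case-insensitively, so normalise before grouping.
            owners[line.strip().lower()].add(account)
    return owners

def check_spn(owners, spn, expected_account):
    """Return findings for one SPN: missing, on the wrong account, or duplicated."""
    holders = owners.get(spn.lower(), set())
    if not holders:
        return [f"{spn}: not registered on any listed account"]
    findings = []
    if expected_account.lower() not in {h.lower() for h in holders}:
        findings.append(f"{spn}: missing from {expected_account}")
    extra = sorted(h for h in holders if h.lower() != expected_account.lower())
    if extra:
        findings.append(f"{spn}: also registered on {', '.join(extra)}")
    return findings

if __name__ == "__main__":
    owners = parse_setspn(SAMPLE)
    for spn, acct in [("HTTP/CRMfetch(CRMSERVER)", "CRMAppPoolAccount"),
                      ("http/SQLSERVER", "SSRSAccount")]:
        print(check_spn(owners, spn, acct) or f"{spn}: only on {acct}")
```

The other cause listed in the event text, a service account password that differs from what the KDC holds, cannot be seen in SPN listings and is not covered by this check.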