
Getting Microsoft Dynamics Customer Relationship Management (CRM) to behave well with Kerberos Authentication

When you configure a new SharePoint 2010 web application to use Kerberos authentication mode, SharePoint knows how to handle these requests and updates the applicationHost.config file accordingly. Unfortunately, CRM does not behave the same way and needs a little work.

As with SharePoint 2010 web applications, CRM web applications still need some manual configuration to get Kerberos to work. I will not go into detail on how this is done, but you can follow the Microsoft TechNet article http://technet.microsoft.com/en-us/library/gg502594%28v=office.14%29.aspx on how to configure it properly.

Since SharePoint 2010 and IIS7 do not play well when Kernel-Mode Authentication is enabled, it's recommended not to enable it within IIS7, since it will break SharePoint. However, to get Kerberos to work with CRM, it needs to be enabled, along with an update to the applicationHost.config file.

Below are the steps you need to take to get Kerberos Authentication to work within CRM. These steps assume all SPNs have been created and delegation has been set up.

1. Log into each CRM Web Front End (if load-balanced).
2. Open Internet Information Services (IIS) 7.
3. Click on the Microsoft Dynamics CRM site.
4. Under the IIS section, double-click the Authentication icon.
5. Highlight Windows Authentication and, under Actions on the right, select Providers…
6. Make sure Negotiate is one of the Enabled Providers and is listed first. If not, select it from the Available Providers drop-down and add it to the list.
7. Next, select Advanced Settings and check the Enable Kernel-mode authentication checkbox.
8. Now it is time to update applicationHost.config so that the CRM web application knows how to handle the Kerberos tickets.
9. Browse to C:\Windows\System32\inetsrv\config and open the applicationHost.config file with Notepad.
10. Find the <authentication> section of the applicationHost.config file and look for the <windowsAuthentication> tag.
11. Next, update the tag to include useAppPoolCredentials="true", like this:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

12. Save the applicationHost.config file and do an IISReset.
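The same settings can be applied and then read back from PowerShell, which is easier to repeat across several front ends than hand-editing the file. This is an added example, not part of the original post; it assumes the WebAdministration module is available on the server and that the site is named "Microsoft Dynamics CRM" in IIS Manager.

```powershell
# Added example (not from the original post). Run elevated on each CRM web front end.
Import-Module WebAdministration

$site   = 'Microsoft Dynamics CRM'   # assumption: site name as shown in IIS Manager
$psPath = 'MACHINE/WEBROOT/APPHOST'  # write to applicationHost.config, not web.config
$filter = 'system.webServer/security/authentication/windowsAuthentication'

# Keep a timestamped copy of applicationHost.config before changing it.
$cfg = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
Copy-Item -Path $cfg -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $cfg, (Get-Date))

# Steps 4-11: Windows Authentication on, kernel mode on, useAppPoolCredentials on.
foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
    Set-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $filter -Name $name -Value $true
}

# Read the section back and collect anything that does not match the steps.
$section  = Get-WebConfiguration -PSPath $psPath -Location $site -Filter $filter
$problems = @()
foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
    if (-not [bool]$section.GetAttributeValue($name)) {
        $problems += "$name is not true"
    }
}

# Step 6: Negotiate must be an enabled provider and listed first.
$providers = @(Get-WebConfiguration -PSPath $psPath -Location $site `
        -Filter "$filter/providers/add" | ForEach-Object { $_.value })
if ($providers.Count -eq 0 -or $providers[0] -ne 'Negotiate') {
    $problems += "provider order is '$($providers -join ', ')'; Negotiate should be first"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "windowsAuthentication for '$site' matches the steps; providers: $($providers -join ', ')"
}
# Step 12: run iisreset, then browse to CRM and check klist on the client.
```

With useAppPoolCredentials set, IIS decrypts service tickets with the application pool identity, so the HTTP SPNs must be registered to that account rather than to the machine account.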

After doing the above steps on all CRM Web Front End servers, Kerberos should be configured properly for CRM. Try to browse to your CRM web instance to make sure you are able to authenticate and that a Kerberos ticket is issued.

To check whether there are Kerberos tickets:

At a command prompt, type: klist




