CRM 2011 – SPN for service account not working

I had set up CRM 2011 to run using a service account, as good practice recommends (actually, I think you are meant to have separate accounts to run the different services).

I had set up the service account, but when I tried to call CRM from a machine other than the CRM server I was getting authentication problems.

This was driving me up the wall. I read this very useful page, which describes several different scenarios and setups, and I was sure I had done everything it said.

The main instructions are these:

1. Determine the SPNs that are registered under the current application pool account. The current account is Network Service, which is the local computer object; SPNs can be found with ADSI Edit or SetSPN. Below are the expected SPNs under this object that would be related to IIS. There may be additional SPNs added to the object depending on the installed services.

  • HOST/CRMAppServer
  • HOST/
  • HTTP/

2. There are SPNs with two different service classes registered: the default HOST SPNs and the HTTP SPNs for the host header. The current HTTP SPNs will need to be removed so they can be added under the new service account. The HOST SPNs do not get removed, as these will not cause duplicates due to the unique service class. The following SPNs can be removed using ADSI Edit or SetSPN.

  • HTTP/

3. The following SPNs need to be added to the contoso\CRMService object. These are the SPNs for the server name and the host header. Additional SPNs will need to be created if other host headers are used.

  • HTTP/CRMAppServer
  • HTTP/
  • HTTP/
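As an added example (not from the original post or the article it quotes), the following PowerShell audits steps 1 to 3 above: it lists the SPNs on the machine account and the service account with setspn -L and reports which HTTP SPNs are duplicated, still need moving, or are missing. CRMAppServer and contoso\CRMService come from the steps; the host header and DNS domain are placeholders because the post elides them.

```powershell
# Added example, not from the original post: audit where the HTTP SPNs for the CRM
# site are registered before moving them from the machine account (step 2) to the
# service account (step 3). CRMAppServer and contoso\CRMService are from the steps;
# the host header and DNS domain are placeholders.
$Server         = 'CRMAppServer'
$ServiceAccount = 'contoso\CRMService'
$Domain         = 'contoso.example'                 # placeholder DNS domain
$HostHeaders    = @('crm.contoso.example')          # placeholder host header(s)

# Every HTTP SPN the site needs: NetBIOS name, FQDN, and each host header.
$Wanted = @("HTTP/$Server", "HTTP/$Server.$Domain") +
          ($HostHeaders | ForEach-Object { "HTTP/$_" })

# setspn -L prints a header line, then one registered SPN per line.
function Get-RegisteredSpn([string]$Account) {
    & setspn.exe -L $Account 2>$null |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^\S+/' }
}

$OnMachine = @(Get-RegisteredSpn $Server)           # computer object; HOST/ SPNs stay here
$OnService = @(Get-RegisteredSpn $ServiceAccount)

foreach ($spn in $Wanted) {
    $m = $OnMachine -contains $spn
    $s = $OnService -contains $spn
    if ($m -and $s) {
        "DUPLICATE $spn is on both accounts; Kerberos will fail. Fix: setspn -D $spn $Server"
    } elseif ($m) {
        "MOVE      $spn is on the machine account. Fix: setspn -D $spn $Server; setspn -S $spn $ServiceAccount"
    } elseif ($s) {
        "OK        $spn is registered on $ServiceAccount"
    } else {
        "MISSING   $spn is registered nowhere. Fix: setspn -S $spn $ServiceAccount"
    }
}

# Forest-wide duplicate scan as a final check; setspn -S also refuses to add a duplicate.
& setspn.exe -X
```

The script only reports; the setspn -D / -S commands it prints are the ones to run once you have confirmed the output, since a duplicate HTTP SPN across two accounts breaks Kerberos for every client.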

So why wasn't it working? I then read this page about setting up SPNs for IIS 7+.

The IIS I was using was IIS6, so this wasn't really relevant, but what I did notice was a setting called Enable Kernel-Mode Authentication.
You no longer need to worry about the correlation between HTTP SPNs and the application pool identity that was required in the earlier version, i.e. IIS 6.0. But that's not blindly true. There has been some confusion over whether we don't have to care at all about SPNs or may have to depending upon the settings. Here is a checklist to give more clarity for the different scenarios that you may fall under:
IIS 7.0 Web Site/Application:

  • Authentication: Integrated Windows authentication
  • Application Pool Identity: NETWORK SERVICE
  • Kernel-Mode authentication: Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
  • Site URL: Accessed with the NetBIOS name, like http://<myIISserver-NetBIOS-name>/Default.aspx

SPNs will be required ONLY for the IIS machine account:

HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname>, e.g. HOST/

What struck me as odd was that if you had kernel mode on, you would only need to set up an SPN for the machine rather than the service account. This was not the setting I wanted.

I was playing around with the SPNs and found that when I set the SPN HTTP/<CRMServername> on the CRM server's computer account it worked, but if I removed this and set the SPN on the service account instead I would get authentication errors.

To resolve the problem I went into the Microsoft Dynamics website in IIS:

1. Clicked Authentication.

2. Clicked Windows Authentication –> Advanced Settings.

3. Unticked Enable Kernel-Mode Authentication.

4. Did an IIS restart.

After that, CRM could be accessed from outside of the CRM server.

I did have to make sure the Windows authentication providers were NTLM first and then Negotiate as the second choice; this little gem I found on my own blog from a few years ago.
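The IIS-side change above, written as an added example (not from the original post): it reads the CRM site's Windows authentication settings with the WebAdministration module, turns kernel-mode authentication off, and orders the providers NTLM then Negotiate as described. The site name 'Microsoft Dynamics CRM' and an IIS 7 or later server (the Advanced Settings dialog the steps use is IIS 7's) are assumptions.

```powershell
# Added example, not from the original post: check and apply the two IIS settings the
# post changes. Assumes IIS 7+ with the WebAdministration module and that the CRM
# site is named 'Microsoft Dynamics CRM'.
Import-Module WebAdministration
$SiteName = 'Microsoft Dynamics CRM'          # assumed IIS site name
$SitePath = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'

function Get-CrmWinAuthState {
    $kernel = (Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name useKernelMode).Value
    $providers = Get-WebConfiguration -PSPath $SitePath -Filter "$Filter/providers/add" |
                 Select-Object -ExpandProperty value
    [pscustomobject]@{ UseKernelMode = [bool]$kernel; Providers = @($providers) }
}

function Set-CrmWinAuthForServiceAccount {
    # With kernel mode on, http.sys decrypts the Kerberos ticket with the machine account,
    # so the HTTP SPN on the custom app pool identity is never used and clients on other
    # machines fail. Turning it off makes IIS use the app pool account instead.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name useKernelMode -Value $false

    # Provider order matters: the post needed NTLM first, then Negotiate.
    foreach ($p in 'Negotiate', 'NTLM') {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/providers" `
            -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    foreach ($p in 'NTLM', 'Negotiate') {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter "$Filter/providers" `
            -Name '.' -Value @{ value = $p }
    }
    & iisreset.exe | Out-Null
}

$state = Get-CrmWinAuthState
"Before: useKernelMode=$($state.UseKernelMode) providers=$($state.Providers -join ',')"
if ($state.UseKernelMode -or $state.Providers[0] -ne 'NTLM') {
    Set-CrmWinAuthForServiceAccount
    $state = Get-CrmWinAuthState
    "After:  useKernelMode=$($state.UseKernelMode) providers=$($state.Providers -join ',')"
}
```

If kernel mode has to stay on, IIS 7 also offers the useAppPoolCredentials attribute on the same windowsAuthentication section, which makes kernel-mode authentication use the application pool identity's SPNs instead of the machine account's.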

This is also very useful for people trying to set up the Dynamics Connector, because we had to use the same service account to run the NAV web services and the CRM web services/app pool etc. So to get this working we had to use a service account.


5 thoughts on “CRM 2011 – SPN for service account not working”

  1. David Berry December 12, 2012 / 6:23 am

    Hey Ben. I found that if you leave “kernel mode” checked, but remove the SPN entirely, then a custom FQDN/IP pair for the CRM site works just well. I’ve even been able to remove NTLM from the authentication providers list and leave it with strictly “Negotiate”.


    • Hosk December 13, 2012 / 12:06 am

      Unfortunately I needed to leave the SPNs there because they were being used for Dynamics NAV, which was the main cause of the headache.


  2. CJ December 12, 2012 / 2:00 pm

    CRM 2011 doesn’t support IIS6 and all your screenshots are of IIS7. I think you’re just seeing the IIS6 manager in the menus which is there for backwards compatibility.


    • Hosk December 13, 2012 / 12:05 am

      I did an about and it came back 6.01. The screenshots are IIS6 because they are from an article about IIS7 and CRM 2011.

