Applications Server

Microsoft Dynamic CRM 4.0 : Authentication (part 3)

11/26/2011 5:35:40 PM
IIS Settings

The web servers containing the web applications (Dynamics CRM, Reporting Services, and SharePoint) will all need to be set up to enable Kerberos. However, you might find that this is not necessary if the web server is the same machine as the domain controller (such as in a small business deployment).

The IIS Metabase needs to be configured for “enabling editing” to ensure that the Metabase attempts to pass credentials using Kerberos. To enable editing in the IIS v6.0 Metabase, right-click the server name and select Properties. Check the Enable Direct Metabase Edit check box.

This will enable you to configure the Metabase without stopping IIS. This can be done in a few ways.

Before performing either, you need to determine the identifier of the site. This can be found by navigating to IIS and viewing the Identifier column. (If you don’t see the column, select View from the Management Console and be sure that the Identifier column is shown.) Figure 9 shows the identifiers of two websites.

Figure 9. IIS identifier.

The first method is by updating the Metabase using admin scripts:

  1. At the command prompt, navigate to C:\Inetpub\Adminscripts.

  2. Type the following command (Where xx is the identifier of the website you want to change authentication type):

    cscript adsutil.vbs set w3svc/xx/NTAuthenticationProviders "Negotiate,NTLM"

Figure 10 shows the output of the adstuil.

Figure 10. Configure authentication using the command line.

For more advanced users, you can modify Metabase.xml directly, as follows:

  1. Navigate to the Metabase.xml file. This is typically found at the following location: <root drive name>\System32\Inetsrv.

  2. Set all existing instances of NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM".

    Before you can make changes to that file, you will have to enable the changes in the inetmgr, as shown in Figure 11.

    Figure 11. Enable Metabase XML updates.

  3. You can use PowerShell to make changes to the WMI. Use set-wmiobject for IISWebService.


After making these changes, you must restart IIS.

In IIS 6.0, the application pools under which the relevant websites/applications run should be set to run as either a system account (Network Service or Local System) or as a user account configured correctly in Active Directory (as shown in Figure 12).

Figure 12. Application pool setting.

AD Configuration

All SPNs must be defined in Active Directory.

All relevant computers accessing data from a different machine need to be set to Trusted for Delegation. To access this setting, follow these steps:

Open Active Directory Users and Computers.

Search for the relevant account (computer/user) that needs to be trusted for delegation.

Right-click each object, and then check the Trusted for Delegation option on the Properties dialog box (as shown in Figure 13).

Figure 13. Configure Active Directory delegation.

If the Microsoft CRM website is in the application pool that is running under a specific user account (that is, not Network Service/Local System), that account will require an SPN.

To acquire an SPN, perform the following steps:

Download and install the setspn tool on any machine on the domain. For Windows 2003 SP2, you can find this tool at For Windows 2008, this tool is built in to the operating system.

Open a command prompt window. For Windows 2003, navigate to the directory in which this tool has been installed.

Enter the following command for each account on each web server. You must use the name that the users will be using to access the system:

setspn -A HTTP/computer Domain\User
setspn -A HTTP/computer.domain.local Domain\User
setspn -A HTTP/CRMalias Domain\User
setspn -A HTTP/CRMalias.domain.local Domain\User


The Delegation tab will not appear in the Active Directory Computer/User property screen. To enable the Delegation tab, enable the SPN settings as described earlier.

- Microsoft Dynamic CRM 4.0 : Authentication (part 2)
- Microsoft Dynamic CRM 4.0 : Authentication (part 1)
- Implementing with Microsoft Dynamics Sure Step 2010 : Setting up a program for solution rollout
- Implementing with Microsoft Dynamics Sure Step 2010 : Waterfall-based implementation project types
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 2) - Table-Level Patterns
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 1) - Class-Level Patterns
- BizTalk 2009 : Creating More Complex Pipeline Components (part 4) - Custom Disassemblers
- BizTalk 2009 : Creating More Complex Pipeline Components (part 3) - Validating and Storing Properties in the Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 2) - Schema Selection in VS .NET Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 1) - Dynamically Promoting Properties and Manipulating the Message Context
- Microsoft Dynamics GP 2010 : Tailoring SmartLists by adding Fields
- Microsoft Dynamics GP 2010 : Controlling data with SmartList Record Limits
- Upgrading and Configuring SharePoint 2010 : Configuring a content database
- Upgrading and Configuring SharePoint 2010 : Creating and associating content databases to a specific web application and site collection
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 2) - Saving and Distributing a Custom Console
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 1)
- Microsoft Dynamic CRM 2011 : Canceling and Reopening a Service Request Case
- Microsoft Dynamic CRM 2011 : Resolving a Service Request Case
- Systems Management Server 2003 : Server Modifications After Installation
- Systems Management Server 2003 : Modifying the Installation
Most View
- SQL Server 2012 : Configuration Options (part 11) - Trigger Configuration Properties
- Migrating to Exchange 2013 : Intra-Org Migrations
- Sharepoint 2013 : Welcome to the Central Administration Web Site (part 2) - System Settings, Monitoring
- Windows 8 : Sharing and Securing with User Accounts - Logging In and Out of User Accounts
- SQL Server 2012 : Authorizing Securables - Object Security (part 2) - Managing Roles with Code, Object Security and Management Studio
- Windows 7 : Working with Files - View Your Files
- Windows 7 : Updating Software - How to Remove Updates
- Packaging and Deploying Sharepoint 2013 Apps : Packaging and Publishing an App
- SQL Server 2012 : Enhancing Your Troubleshooting Toolset with Powershell (part 2) - Cmdlets, Variables, Advanced Functions, and Modules
- Active Directory 2008 : Configuring Replication (part 1) - Intersite Replication
Top 10
- Windows 8 : Customizing the Lock Screen - Customizing the Lock Screen Background,Controlling the Apps Displayed on the Lock Screen, Disabling the Lock Screen
- Microsoft Visio 2010 : Cleaning Up Documents - Setting Document Properties,Removing Personal Information , Reducing File Size
- Microsoft Visio 2010 : Working with SharePoint - Working with Files in Document Libraries
- Microsoft Visio 2010 : Exporting Visio Graphics to Other Formats
- Microsoft Visio 2010 : Using Visio Graphics with Other Applications
- Microsoft Visio 2010 : Saving Visio Files in XML Format, Saving Files in Older Visio Formats
- Active Directory 2008 : Managing OUs (part 3) - Delegating Control of OUs
- Active Directory 2008 : Managing OUs (part 2) - Administering Properties of OUs
- Active Directory 2008 : Managing OUs (part 1) - Moving, Deleting, and Renaming OUs
- Windows 8 for Business : Features Exclusive to Windows 8 Enterprise,Windows RT and Business