Posted on Wed 11 Mar 2009
On our Windows 2008 infrastructure we had a major issue trying to get CRM and SharePoint 2007 to work as we expected. The main issue was down to the Kerberos double-hop issue which is ever present in Windows 2008 (Microsoft love to make things difficult for us); after some error log tracing we were able to find that there were several duplicate SPNs:
1. 0x29 KRB_AP_ERR_MODIFIED
2. 0x19 KDC_ERR_PREAUTH_REQUIRED
3. 0xd KDC_ERR_BADOPTION
I started by deleting the duplicate SPNs using the following commands:
setspn -d http/AD-SRV.domain.com domain\crmadmin
setspn -d http/AD-SRV.domain.com domain\svcmosscontent
setspn -d http/AD-SRV.domain.com domain\svcmossssp
setspn -d http/CRM-SRV.domain.com domain\crmadmin
setspn -d http/MOSS-SRV.domain.com domain\svcmossssp
Next we found that some of the machine accounts weren't functioning correctly for Kerberos; it appeared that the SPNs for these had gone AWOL too, so I recreated them with the following commands:
setspn -R CRM-SRV
setspn -R MOSS-SRV
MOSS and CRM still weren't working, but we were getting much more useful errors now, which led me to re-create the correct SPNs:
setspn -A http/CRM-SRV domain\crmadmin
setspn -A http/CRM-SRV.domain.com domain\crmadmin
setspn -A http/MOSS-SRV domain\svcmossssp
setspn -A http/MOSS-SRV.domain.com domain\svcmossssp
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\CRM-SRV$
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\MOSS-SRV$
setspn -A MSSQLSvc/CRM-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/MOSS-SRV.domain.com:1433 domain\svcmossssp
setspn -A MSSQLSvc/MOSS-SRV:1433 domain\svcmossssp
A quick server reset later and we were ready to go! MOSS and CRM functioning as they should be!
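Duplicate SPNs are what the fix above was chasing: when the same SPN sits on two accounts the KDC may encrypt the ticket with the wrong account's key and the service reports KRB_AP_ERR_MODIFIED. The following PowerShell function is an added check (not from the original post, and not Microsoft's tooling) that reads `setspn -Q */*`-style output (assumed shape: an account DN line followed by indented SPN lines) and lists every SPN registered on more than one account; the sample dump is constructed to mirror the post.

```powershell
function Get-DuplicateSpn {
    param(
        # Lines in the shape of 'setspn -Q */*' output: a DN line, then indented SPNs
        [Parameter(Mandatory)] [string[]] $SetspnOutput
    )
    $owners  = @{}     # spn (lower-cased) -> array of account DNs that carry it
    $current = $null
    foreach ($line in $SetspnOutput) {
        if ($line -match '^(CN=.+)$') { $current = $Matches[1]; continue }
        if (($line -match '^\s+(\S+/\S+)$') -and $current) {
            $spn = $Matches[1].ToLowerInvariant()   # Kerberos matches SPNs case-insensitively
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            $owners[$spn] += $current
        }
    }
    # Report only SPNs that resolve to more than one account
    $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ SPN = $_.Key; Accounts = ($_.Value -join '; ') }
    }
}

# Constructed sample: http/AD-SRV.domain.com registered on three accounts, as in the post
$SampleDump = @(
    'CN=crmadmin,CN=Users,DC=domain,DC=com',
    "`thttp/AD-SRV.domain.com",
    "`thttp/CRM-SRV.domain.com",
    'CN=svcmosscontent,CN=Users,DC=domain,DC=com',
    "`thttp/AD-SRV.domain.com",
    'CN=svcmossssp,CN=Users,DC=domain,DC=com',
    "`tHTTP/ad-srv.domain.com",
    "`thttp/MOSS-SRV.domain.com"
)
Get-DuplicateSpn -SetspnOutput $SampleDump | Format-Table -AutoSize

# Against the live domain (same function, real data); 'setspn -X' does the same search natively:
# Get-DuplicateSpn -SetspnOutput (setspn -Q */*)
```

Run the check before and after a round of `setspn -d` / `setspn -A` changes so that a fix for one service does not leave a fresh duplicate behind for another.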
Posted on Tue 10 Mar 2009
Here is some example/helper code to create a hash function using the Microsoft Enterprise Library.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

namespace YourApplication.Helper.Cryptography
{
    public static class CryptographyHelper
    {
        // Returns the Base64-encoded MD5 digest of the configured salt prepended to Value
        public static string DoHash(string Value)
        {
            // salt comes from <appSettings><add key="salt" value="..."/></appSettings>
            string _salt = ConfigurationManager.AppSettings["salt"];
            // hash the salted value (a one-way hash, not encryption)
            byte[] input = Encoding.ASCII.GetBytes(_salt + Value);
            byte[] output;
            using (MD5 md5 = MD5.Create())
            {
                output = md5.ComputeHash(input);
            }
            string hash = Convert.ToBase64String(output);
            return hash;
        }
    }
}
Posted on Tue 10 Mar 2009
I am working on a project where a service application needs to interface with a webservice that implements a WS-Security authentication model.
WSE 2.0 provides the functionality for message level authentication, however WSE 2.0 does not integrate with Visual Studio 2008.
In order to get this to work I created the proxies using the WSDL command-line utility and changed the base class from System.Web.Services.Protocols.SoapHttpClientProtocol to Microsoft.Web.Services2.WebServicesClientProtocol.
Here is an example of the code to set the username and password for the request object.
using System.Configuration;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

namespace YourApplication.Helper
{
    public static class RequestHelper
    {
        public static void PrepRequest(WebServicesClientProtocol si)
        {
            // get username and password for the service request from the config file
            string _password = ConfigurationManager.AppSettings["password"];
            string _username = ConfigurationManager.AppSettings["username"];
            // create the user token; the salted hash of the password is the value WSE
            // digests for the PasswordDigest element (PasswordOption.SendHashed)
            UsernameToken token = new UsernameToken(
                _username,
                YourApplication.Helper.Cryptography.CryptographyHelper.DoHash(_password),
                PasswordOption.SendHashed);
            // attach the token to the outgoing request's WS-Security header
            SoapContext requestContext = si.RequestSoapContext;
            requestContext.Security.Tokens.Add(token);
        }
    }
}