Posted on Wed 11 Mar 2009

On our Windows 2008 infrastructure we had a major issue trying to get CRM and SharePoint 2007 to work as we expected. The main issue was down to the Kerberos double hop issue which is ever present in Windows 2008 (Microsoft love to make things difficult for us); after some error log tracing we were able to find that there were several duplicate SPNs:

1.    0x29 KRB_AP_ERR_MODIFIED
2.    0x19 KDC_ERR_PREAUTH_REQUIRED
3.    0xd KDC_ERR_BADOPTION

I started by deleting the duplicate SPNs using the following commands:

setspn -d http/AD-SRV.domain.com domain\crmadmin
setspn -d http/AD-SRV.domain.com domain\svcmosscontent
setspn -d http/AD-SRV.domain.com domain\svcmossssp
setspn -d http/CRM-SRV.domain.com domain\crmadmin
setspn -d http/MOSS-SRV.domain.com domain\svcmossssp

Next we found that some of the machine accounts weren’t functioning correctly for Kerberos; it appeared that the SPNs for these had gone AWOL too, so I recreated them with the following commands:

setspn -R CRM-SRV
setspn -R MOSS-SRV

MOSS and CRM still weren’t working but we were getting much more useful errors now, which led me to re-create the correct SPNs:

setspn -A http/CRM-SRV domain\crmadmin
setspn -A http/CRM-SRV.domain.com domain\crmadmin
setspn -A http/MOSS-SRV domain\svcmossssp
setspn -A http/MOSS-SRV.domain.com domain\svcmossssp
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\CRM-SRV$
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\MOSS-SRV$
setspn -A MSSQLSvc/CRM-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/MOSS-SRV.domain.com:1433 domain\svcmossssp
setspn -A MSSQLSvc/MOSS-SRV:1433 domain\svcmossssp

A quick server reset later and we were ready to go!  MOSS and CRM functioning as they should be!
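
A check for a batch of setspn commands before it is run, added here as an example and not part of the original post: it replays the -d and -A lines above and lists every SPN that ends up registered to more than one account. The empty starting state and the function names are assumptions made for the example; the real directory contents are not shown in the post.

```python
import re
from collections import defaultdict

# The -d and -A lines from the post above, in the order given there.
PAGE_COMMANDS = r"""
setspn -d http/AD-SRV.domain.com domain\crmadmin
setspn -d http/AD-SRV.domain.com domain\svcmosscontent
setspn -d http/AD-SRV.domain.com domain\svcmossssp
setspn -d http/CRM-SRV.domain.com domain\crmadmin
setspn -d http/MOSS-SRV.domain.com domain\svcmossssp
setspn -A http/CRM-SRV domain\crmadmin
setspn -A http/CRM-SRV.domain.com domain\crmadmin
setspn -A http/MOSS-SRV domain\svcmossssp
setspn -A http/MOSS-SRV.domain.com domain\svcmossssp
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\CRM-SRV$
setspn -A MSSQLSvc/AD-SRV.domain.com:1433 domain\MOSS-SRV$
setspn -A MSSQLSvc/CRM-SRV.domain.com:1433 domain\crmadmin
setspn -A MSSQLSvc/MOSS-SRV.domain.com:1433 domain\svcmossssp
setspn -A MSSQLSvc/MOSS-SRV:1433 domain\svcmossssp
"""

# Only "-A <spn> <account>" and "-D <spn> <account>" are modelled.
CMD = re.compile(r"^setspn\s+-([adAD])\s+(\S+)\s+(\S+)$")

def apply_commands(text, state=None):
    """Replay add/delete lines; return {spn: set(accounts)}, compared case-insensitively."""
    state = defaultdict(set) if state is None else state  # assumption: starts empty
    for line in text.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue  # blank lines and other switches (e.g. -R) are skipped
        switch, spn, account = (g.lower() for g in m.groups())
        if switch == "d":
            state[spn].discard(account)
        else:
            state[spn].add(account)
    return state

def duplicate_spns(state):
    """SPNs registered to more than one account, with the accounts sorted."""
    return {s: sorted(a) for s, a in state.items() if len(a) > 1}

if __name__ == "__main__":
    for spn, accounts in duplicate_spns(apply_commands(PAGE_COMMANDS)).items():
        print(spn, "->", ", ".join(accounts))
```

For the commands above it reports MSSQLSvc/AD-SRV.domain.com:1433 on three accounts. On a live domain, `setspn -X` searches the directory for duplicate SPNs, and `setspn -S` checks for an existing registration before adding one.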



Posted on Mon 09 Mar 2009

Occasionally you will find that your user account doesn’t have a default database associated with it. This will stop you logging into SQL Server using Windows Authentication, even if you are a local administrator.

To be able to log in, do the following:

1. Create a local user (as you have administrative access this is fine)
2. Add the user to the local administrators group and to the SQL Server users group, which is named something like SQLServer2005MSSQLUser$MACHINENAME$INSTANCENAME
3. Restart the SQL Server
4. Log into the laptop as the new local user
5. Run SQL Server
6. Go to Security, right-click the user account which does not have access to SQL Server and select Properties
7. Set the default database to master
8. Set the user role as required
9. Ensure that the user has access to the correct databases
10. Click OK
11. Log out of the PC
12. Log in as the original user.

You will now have access to log into the SQL Server.



About our Blog

Brantas Limited specialise in Dynamics CRM, SharePoint and System Integration using the Microsoft Platform. We are all experienced developers in various fields with our own specialities complementing those of our team.

We have been working with SharePoint since 2003, including Installation and Administration, Migration, Development and Support.