Dynamics CRM 2011 SPN and Windows Authentication configuration for running custom reports
May 17, 2011
In a Dynamics CRM 2011 on-premises environment, the out-of-box Dynamics CRM reports run without problems. However, when running a customized report, CRM shows the following error in IE: "Reporting Error", "The report cannot be displayed. (rsProcessingAborted)".

The following errors are also logged:

1. The CRM trace file on the CRM server shows:

    <ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Authentication failed on the remote side (the stream might still be available for additional authentication attempts).</Message>

    Microsoft.Reporting.WebForms.ReportServerException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #888D2128: Microsoft.Reporting.WebForms.ReportServerException: Query execution failed for dataset 'DSMain'. (rsErrorExecutingCommand) ---> Microsoft.Reporting.WebForms.ReportServerException: For more information about this error navigate to the report server on the local server machine, or enable remote errors

2. The Event Viewer on the CRM server shows, from source MSCRMReporting, eventID 19970:

    Report render failure. Error: An error has occurred during report processing. (rsProcessingAborted)

This can happen when the Dynamics CRM 2011 Web and App tiers are both deployed on one server, while the reporting service and the database tier are deployed on a separate server. Most likely you are also using a domain account for the CRM app pool instead of a standard built-in account. In that case, SPNs (Service Principal Names) need to be set up for the CRM application user account to avoid the Kerberos double-hop issue.
After using the setspn tool to set up the SPNs like this:

    setspn -a http/your-crm-server-name domain\crm-user
    setspn -a http/your-crm-server-name(FQDN) domain\crm-user

CRM may still report the error. This time the Event Viewer on the CRM server shows one more error in the System category, from source Security-Kerberos, eventID 4:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ...

Or the browser shows:

    Not Authorized
    HTTP Error 401. The requested resource requires user authentication.

Then two more things still need to be fixed (update: only one of them is needed; the point is to use the domain account defined in the app pool, not the machine account, and IIS needs to be restarted afterwards):

1. Go to IIS Manager and disable kernel-mode authentication for this CRM site.

2. Open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\. For all folders under the Default Web Site location path, set the value of the WindowsAuthentication element and the useAppPoolCredentials attribute to true. For example:

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>

Try running any of the customized reports again; they should now work like any of the out-of-box reports.
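
To check which folders still leave ticket decryption to the machine account after editing ApplicationHost.config, the following added example (not part of the original post) audits the windowsAuthentication settings per location path. It assumes the app pool runs under a domain account, resolves inheritance only between location elements of this one file (web.config overrides are ignored), and uses constructed site and folder names.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config; site and folder names are made up.
AUTH = "<system.webServer><security><authentication>%s</authentication></security></system.webServer>"
SAMPLE = "<configuration>" + "".join(
    '<location path="%s">%s</location>' % (path, AUTH % element)
    for path, element in [
        ("Default Web Site", '<windowsAuthentication enabled="true" useAppPoolCredentials="true" />'),
        ("Default Web Site/Reports", '<windowsAuthentication useKernelMode="true" />'),
        ("Default Web Site/Help", '<windowsAuthentication useAppPoolCredentials="false" />'),
        ("Other Site", '<windowsAuthentication enabled="true" />'),
    ]) + "</configuration>"

SECTION = "system.webServer/security/authentication/windowsAuthentication"
# IIS schema defaults, used when no ancestor location sets the attribute.
DEFAULTS = {"enabled": "false", "useKernelMode": "true", "useAppPoolCredentials": "false"}

def inherited(path, known):
    """Settings of the nearest ancestor location, or the schema defaults."""
    while path:
        path = path.rpartition("/")[0]
        if path in known:
            return known[path]
    return DEFAULTS

def audit(config_xml):
    """Map each location that configures windowsAuthentication to ok / RISK / disabled."""
    known, verdicts = {}, {}
    locations = ET.fromstring(config_xml).iter("location")
    # Shorter paths first, so a parent is resolved before its children.
    for loc in sorted(locations, key=lambda l: len(l.get("path", ""))):
        node, path = loc.find(SECTION), loc.get("path", "")
        if node is None:
            continue
        explicit = {k: node.get(k).lower() for k in DEFAULTS if node.get(k) is not None}
        known[path] = attrs = {**inherited(path, known), **explicit}
        if attrs["enabled"] != "true":
            verdicts[path] = "disabled"
        elif attrs["useKernelMode"] == "false" or attrs["useAppPoolCredentials"] == "true":
            verdicts[path] = "ok"    # ticket is decrypted with the app pool account
        else:
            verdicts[path] = "RISK"  # kernel mode decrypts with the machine account
    return verdicts

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:9}{path}")
```

A location reported as RISK is one where neither of the two fixes above is in effect, which is the configuration that produces KRB_AP_ERR_MODIFIED when the SPN is registered on the domain account.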