Retrieve Global OptionSet meta data and value →

Dynamics CRM 2011 SPN and Windows Authentication configuration for running custom reports

May 17, 2011 Leave a comment

In Dynamics CRM 2011 on premises environment, any of the out-of-box Dynaimcis CRM 
reports can be run smoothly, however, When running customized report, CRM reports 
the following error in IE: "Reporting Error", "The reoprt cannot be display.
(rsProcessingAborted)".

Also found the following error:
1. Checking CRM trace file on CRM server, it shows:
-<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.
ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
</ExceptionType><Message>Authentication failed on the remote side (the stream might
 still be available for additional authentication attempts).</Message>
-Microsoft.Reporting.WebForms.ReportServerException: Microsoft Dynamics CRM has 
experienced an error. Reference number for administrators or support: #888D2128: 
Microsoft.Reporting.WebForms.ReportServerException: Query execution failed for 
dataset 'DSMain'. (rsErrorExecutingCommand) ---> Microsoft.Reporting.WebForms.
ReportServerException: For more information about this error navigate to the report
 server on the local server machine, or enable remote errors

2. Checking the Events Viewer on CRM server shows:
Report render failure. Error: An error has occurred during report processing. 
(rsProcessingAborted) from source MSCRMReporting, eventID 19970

This could happened when Dyanmics CRM 2011 both Web and App tier are deployed on one
server, where report servicing and database tier are deployed on separate server, 
most likely you're also using domain account in CRM app pool instead of standard 
build-in account, at this point, SPN(Service Principal Names) need to be set up for 
the CRM application user account to avoid Kerberos Double Hop issue.

After using setspn tool to setup SPN like this:
setspn -a http/your-crm-server-name domain\crm-user 
setspn -a http/your-crm-server-name(FQDN) domain\crm-user

If CRM still reports the error:
This time checking Events Viewer on CRM server, one more error showing on System 
category: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
... from source Security-Kerberos, eventID 4.
Or
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Then two more things still need to be fixed:
(update: only one of them is needed, the point is to use domain account defined in
AppPool not machine account, iis needs to restart after)
1. Goto IIS manager, and disable kernel mode authentication for this CRM site.
2. Open the ApplicationHost.config file in a text editor. By default, this file is 
located at %windir%\system32\inetsrv\config\.
For all folders under the Default Web Site location path, set the value of the 
WindowsAuthentication element and the useAppPoolCredentials attribute to true. 
For example:
 <system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>
Try run any of customized reports again, they should work like other any our-of-box 
reports.

Filed under Dynamics CRM Tagged with CRM, dynamics, kerberos, report, SPN

Leave a comment Cancel reply