Kerberos in Load Balanced (MSCRM) Environments

A topic very near and dear to my heart, after years of writing about Kerb (Kerbie Goes Bananas), tips, troubleshooting of Kerb deployments, and general pleas for sanity.

Sean over at the Dynamics CRM In The Field blog runs through a “how it should look” scenario with CRM 2011 and IIS 7/7.5 here.

Rather than documenting a complex flowchart that covers every possible scenario, I am going to draft up a fairly common environment and document the various steps required to make sure Kerberos is working for that environment. Kerberos only works properly when everything is set up correctly, and troubleshooting issues can be very frustrating and time-consuming.

Later sections deal with SPN registration (Sean wins a little piece of my heart for recommending SetSPN -S instead of -A), troubleshooting with traces, kernel-mode authentication, delegation settings, and more!

It’s a big post, but well worth a read if you have to set one up. Most concepts will apply to n-tier apps other than CRM, as well.

Source: Kerberos in Load Balanced Environments.


Posted by Tristan Kington, MSPFE Editor and Kerberos kennel operator