Wednesday, May 30, 2007

Kerberos / Trust Delegation

As some of you might have experienced the easiest way to deploy MS CRM 3 is to have SQL Server and SQL RS on the same machine, this will let you duck from a lot of problems, so if you don't know better and have no reason not to, choose this setup.

However, this is not always what is best. The most common scenario when this is not the case is when a company has a large SQL Cluster (or just a dedicated SQL Server) and for several reasons (mainly licensing and maintance) want to have the CRM database and CRM reports on the central SQL server. Now, I am not an expert at this, but I have tried to dive in to it a bit and I have found the following:

If you are running the application pool of CRM, application pool of SQL RS and the main SQL server as Network Service, you will usually be fine, it will probably work more or less out of the box.

However, if not, you will get a warning in the installation of CRM saying something like "SPN not set correctly" for SQL RS. You can, if you like, install CRM anyway, but reports will only work when running them directly using Report Manager/Report Server or when running IE from the CRM server. Since it is not best practice to have the CRM server double as a terminal server, this is not often very nice.

So, what's wrong? The problem lies in that all requests from SQL RS to the SQL database, are done using the technique "impersonation" which means that all requests in the database are run as the "current user"/the user that is running IE. This is a very good feature since it among other things enables the Filtered Views in the SQL database the only returns the items that the current user has access to. The problem is that CRM is acting HTTP proxy for the SQL RS and as such cannot send the current users credentials to the Report Server.

What needs to be done? Well, the CRM server user must be set up to enable trust delegation (i.e. forwarding of credentials) and the service users running the CRM apppool, SQL RS app pool and SQL must have the correct SPN:s set for them.

There are several documents and blogs describing how this can be set up, Sonoma Partner has one and the document with the short title: Additional Tasks When Microsoft SQL Reporting Services is installed on a separate server from Microsoft CRM or Microsoft SQL Server by Microsoft is also a good help.

The biggest problem usually is that you will have to run the "setspn" tool on the service account that is running the SQL Cluster/dedicated SQL machine and even though that shouldn't cause any problems, if it does, and you are running x number of business critical applications on the SQL server, you might be in for a long night...

My suggestion is that you first try to set this up in a demo environment and when you got it working, then redo it on the live environment on a late friday afternoon, and make sure you havn't got anything planned for the weekend...

Gustaf Westerlund
CRM and SharePoint Consultant

Humandata AB
www.humandata.se

No comments:

Post a Comment