Register the AD FS server as a service principal name (SPN)

Applies To: CRM 2015 on-prem

A service principal name, also known as an SPN, is a name that uniquely identifies an instance of a service. Ensuring that the correct SPNs are set becomes important when applications such as Microsoft Dynamics CRM, Microsoft SQL Server Reporting Services, and Microsoft SQL Server are split onto multiple servers. When these applications are split across servers, the users' credentials must be passed from one server to another. This process, known as Kerberos delegation, allows a service to impersonate your credentials to another server.

For more information on SPNs, see: Configuring service principal names (SPNs)

Register the AD FS server as a service principal name (SPN)

  1. Rerun the Configure Claims-Based Authentication Wizard and advance to the Specify the security token service page. Note the AD FS server in the Federation metadata URL (for example, sts1.contoso.com).

  2. Open a command prompt.

  3. Type the following commands: (replace your data in the example command below)

    • c:\>setspn -s http/sts1.contoso.com contoso\crmserver$

      Important

      If you’ve deployed AD FS on a second server, replace crmserver$ with adfsserver$ in the above sample command. Adfsserver is the name of the server running AD FS.

    • c:\>iisreset

See Also

Concepts

Implement claims-based authentication: internal access

Send comments about this article to Microsoft.

© 2015 Microsoft. All rights reserved.