Step 2: Configure Active Directory

Configure Active Directory by creating an account to run the CRMAppPool service and use a Service Principal Name (SPN). This is required when you run IIS 7.0 in a clustered or a network load-balanced environment. The SPN uniquely identifies an instance of a running service. Active Directory uses the SPN for mutual authentication of a service instance, which enables the service instance to correctly authenticate when a user attempts to access resources that are located on other domain-member computers. For more information, see the MSDN article Service Principal Names.

To create SPNs, use ADSI Edit, which is included with Windows Server. You can use this Microsoft Management Console (MMC) snap-in tool to enter SPN values for a specific computer or user account.


If IIS is configured to use kernel mode authentication, you must configure IIS to use the Web application pool’s identity for internal virtual directories used by Microsoft Dynamics CRM. You can do so by modifying the windowsAuthentication element for the default Web site on the Web site where Microsoft Dynamics CRM is installed. For details about the windowsAuthentication element, see the IIS 7.0: windowsAuthentication Element (IIS Settings Schema) MSDN article.

To configure useAppPoolCredentials using the ApplicationHost.config file, open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\.

For all folders under the Default Web Site location path, set the value of the windowsAuthentication element and the useAppPoolCredentials attribute to true. For example:




<windowsAuthentication enabled="true" useAppPoolCredentials="true" />




To configure the SPN, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Create a user account to run the CRMAppPool application pool in IIS. To do this, we recommend that you use a name that describes what the account will be used for, such as CRMService.


    This user account must be a member of the Domain Users group.

  3. Close Active Directory Users and Computers.
  4. Click Start, type adsi edit, and then press ENTER.
  5. Expand the domain, expand the node that begins with DC=, and then expand CN=Users.
  6. Right-click the user account that you created in the previous step, such as CRMService, and then click Properties.
  7. In the Attribute list, scroll down, select servicePrincipalName, and then click Edit.
  8. In the Value to add box, type HTTP/CRMNLBName.FQDN and then click Add, where CRMNLBName is the NLB cluster name and FQDN is the fully qualified domain name. For example, the CRMNLBName.FQDN name might be


    Note this NLB cluster name. You must use this name in the following step when you create the NLB cluster and when you update the configuration database.


    Use the setspn command line tool to determine if the SPN is already in use.

  9. In the Value to add box, type HTTP/CRMNLBName and then click Add.
  10. Click OK two times.
  11. Close ADSI Edit.
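
The duplicate check mentioned in step 8 can be run for both SPN values before they are added in ADSI Edit, because an SPN that is already registered on another account breaks Kerberos authentication for the service. The following PowerShell is an added example, not part of the original topic; the domain name example.com is a constructed sample, Get-SpnOwner is a hypothetical helper name, and the lookup covers the current domain only.

```powershell
# Added example: replace the placeholder values with your own.
$NlbName     = 'CRMNLBName'     # NLB cluster name from step 8 (placeholder)
$DomainFqdn  = 'example.com'    # constructed sample domain
$ServiceAcct = 'CRMService'     # account created in step 2 to run CRMAppPool

# The two values entered in steps 8 and 9.
$spns = @("HTTP/${NlbName}.${DomainFqdn}", "HTTP/${NlbName}")

# Hypothetical helper: returns the sAMAccountName of every object in the
# current domain whose servicePrincipalName attribute contains the given SPN.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['samaccountname'][0]
    }
}

foreach ($spn in $spns) {
    $owners = @(Get-SpnOwner -Spn $spn)

    if ($owners.Count -eq 0) {
        # Not registered anywhere in this domain: safe to add in ADSI Edit.
        Write-Output "${spn}: not registered, can be added to $ServiceAcct"
    }
    elseif ($owners.Count -eq 1 -and $owners[0] -eq $ServiceAcct) {
        # Already present on the intended account: nothing to do.
        Write-Output "${spn}: already registered on $ServiceAcct"
    }
    else {
        # Held by another account, or by more than one: resolve this first.
        Write-Warning "${spn}: registered on $($owners -join ', '); remove the duplicate before adding it to $ServiceAcct"
    }
}

# The same check with the setspn tool named in step 8:
#   setspn -Q HTTP/CRMNLBName.example.com
# After step 11, list the SPNs held by the service account:
#   setspn -L CRMService
```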