Installing a 2-server CRM 2011 with Service Accounts and Minimum Permissions

Recently, for a proof of concept, I needed to supply a CRM installation built to Microsoft’s best practices: a 2-server environment, SSL (HTTPS), and each service running under a separate service account. Here are some notes on what was required to make this work.

If you miss some of these steps the common symptoms are:

  • Can only access CRM directly on the CRM server
  • CRM Reports don’t work
  • Outlook Client does not Configure
  • Authentication prompts appear as you try to access CRM

Environment: VirtualBox

  • Machine 1 = Domain Controller and SQL Server
  • Machine 2 = CRM Server

Steps:

  1. Install Windows Server 2008 R2 64-bit on both Machines, create C and D drive partitions (install all application software on the D drive)
  2. Promote Machine 1 to be a Domain Controller
  3. Create service accounts for SQL Server and SSRS
  4. Install SQL and SSRS on Machine 1
  5. Add Machine 2 to the domain
  6. Create an installer account:  crmadmin
  7. Create service accounts:  crmservice, crmdeploy, crmemail, crmasync, crmsandbox
  8. Grant minimum permissions per the CRM Implementation Guide’s instructions
  9. Logon as the installer account and install CRM Server on Machine 2
  10. Test CRM access over HTTP via Internet Explorer on Machine 2
  11. Install the CRM SSRS Data Connector on Machine 1
  12. Install the latest rollup packs for CRM Server and the SSRS Data Connector
  13. Create a self-signed certificate on Machine 2 (in IIS)
  14. Go into CRM Deployment Manager, go to Servers, and disable the CRM Server
  15. Go to IIS and edit the Bindings for the CRM web site: enable HTTPS, disable HTTP
  16. Back in CRM Deployment Manager, right-click on “Microsoft Dynamics CRM” and select Properties, then on the Web Address tab select HTTPS and enter the URLs
  17. Re-enable the CRM server in Deployment Manager
  18. Test CRM access over HTTPS via Internet Explorer on Machine 2
  19. Create an SPN for the CRM service account (the identity running the CRM app pool), e.g. setspn -A HTTP/VBOXCRM gtdomain\crmservice. The service class is always HTTP, even when HTTPS is enabled. If users will browse to the fully qualified name, register HTTP/vboxcrm.<dns suffix> as well, and prefer setspn -S over -A on 2008 R2 so the tool refuses to create a duplicate SPN (a duplicate silently breaks Kerberos for that service and drops users to NTLM)
  20. In Active Directory Users & Computers grant the Trust for Delegation permission to the CRM service account and to the CRM server’s computer account (you need to do a Run As Administrator for the Delegation tab to appear when editing the properties of the computer account). This is what lets the CRM web tier pass the user’s Kerberos identity on to SQL Server and SSRS on Machine 1 (the “double hop”); without it you get the symptoms listed above: CRM reachable only on the CRM server, reports failing, repeated authentication prompts. For minimum permissions choose constrained delegation to the SQL Server and SSRS SPNs only rather than “any service”
  21. Shut down Machine 2, reboot Machine 1, then restart Machine 2
  22. Test CRM access over HTTPS via Internet Explorer on Machines 1 and 2
  23. Test CRM Reports on Machines 1 and 2
  24. Test the CRM Async Service by creating and triggering a simple workflow
  25. Test the Deployment Service by creating a second CRM Organisation
  26. Install the CRM Email Router and its Rollup Pack, then configure and test
  27. On Machine 1, install Outlook, configure an email profile (perhaps connecting to a Hotmail account), then install the CRM Outlook Client and its Rollup Pack, and configure and test
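Steps 19 and 20 are the ones people skip, so here they are as a script, together with the checks I would run alongside them. This is an added example and not code from the original post or from Microsoft; all names in it are assumptions (domain GTDOMAIN with DNS suffix gtdomain.local, CRM server VBOXCRM, SQL Server and SSRS on VBOXSQL listening on 1433, app pool identity crmservice). It runs on the domain controller, or any machine with the RSAT ActiveDirectory module, as a domain admin. Where the post enables unconstrained delegation in the GUI, the script grants constrained, Kerberos-only delegation to the two back-end services CRM actually needs, which is the least-privilege form.

```powershell
# Added example (not from the original post): steps 19 and 20 scripted, plus checks.
# Assumed names: domain GTDOMAIN / gtdomain.local, CRM host VBOXCRM, SQL+SSRS host
# VBOXSQL (SQL default instance on 1433), CRM app pool identity crmservice.
Import-Module ActiveDirectory

$domain     = 'GTDOMAIN'
$crmHost    = 'VBOXCRM'
$crmFqdn    = 'vboxcrm.gtdomain.local'
$sqlHost    = 'VBOXSQL'
$sqlFqdn    = 'vboxsql.gtdomain.local'
$crmAccount = 'crmservice'

# --- Step 19: SPNs for the CRM web site --------------------------------------
# The service class is HTTP even though the binding is HTTPS. Register the short
# name and the FQDN so a ticket can be requested whichever URL form users type.
# setspn -S refuses to add an SPN that already exists anywhere in the forest; a
# duplicate HTTP/VBOXCRM on two accounts makes Kerberos fail silently, the client
# falls back to NTLM, and NTLM cannot do the second hop to SQL Server or SSRS.
foreach ($spn in @("HTTP/$crmHost", "HTTP/$crmFqdn")) {
    & setspn.exe -S $spn "$domain\$crmAccount"
}

# --- Step 20: delegation -----------------------------------------------------
# CRM's web tier authenticates the user with Kerberos and must then reach SQL
# Server and SSRS *as that user* (the double hop). Kerberos only permits that if
# the app pool identity is trusted for delegation. Constrained delegation lists
# exactly which back-end SPNs crmservice may obtain tickets for on a user's
# behalf; a compromised crmservice then cannot impersonate users elsewhere.
$backEndSpns = @(
    "MSSQLSvc/${sqlFqdn}:1433",   # SQL Server default instance (assumed port)
    "MSSQLSvc/$sqlHost",
    "HTTP/$sqlFqdn",              # SSRS web service is an HTTP-class SPN
    "HTTP/$sqlHost"
)
Set-ADUser -Identity $crmAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $backEndSpns }
# "Kerberos only" constrained delegation keeps both userAccountControl delegation
# flags clear; the grant lives entirely in msDS-AllowedToDelegateTo.
Set-ADAccountControl -Identity $crmAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# --- Checks ------------------------------------------------------------------
# 1. No SPN may be registered twice anywhere in the forest.
& setspn.exe -X

# 2. What the account now carries: expect the two HTTP SPNs and the four targets.
Get-ADUser -Identity $crmAccount -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Format-List
```

After the reboot in step 21, run klist on Machine 1 after browsing to the CRM URL: there should be a ticket for HTTP/VBOXCRM (or the FQDN), not just the krbtgt ticket. If it is missing, the usual cause on IIS 7 is that the CRM app pool runs as a domain account while Windows Authentication still uses kernel mode with the machine credentials; check with appcmd list config "Microsoft Dynamics CRM" -section:system.webServer/security/authentication/windowsAuthentication (site name assumed) and make sure useKernelMode is false or useAppPoolCredentials is true, otherwise the ticket is decrypted with the computer account’s key and the SPN on crmservice is never used.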

Done :)

UPDATE 1: Configuring the Outlook Client in the above HTTPS environment failed for us (“Could not establish trust relationship for the SSL/TLS secure channel”), we think because of the self-signed certificate: that error is the .NET client refusing the server certificate at the TLS handshake, before any CRM authentication happens, because the client does not trust its issuer. Installing an Enterprise Certificate Authority (whose root certificate domain-joined machines trust automatically via Active Directory), issuing a certificate for the CRM web site from it, and adding one more SPN (setspn -A HOST/VBOXCRM gtdomain\crmservice) solved that problem for us. Note that HOST/<name> SPNs normally already exist on the computer account, so run setspn -X afterwards to confirm you have not created a duplicate.
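To see which part of the chain the Outlook client is rejecting rather than guessing, the following function reproduces the same trust decision from the client machine. It is an added example and not code from the original post; the host name and port are assumptions. It fetches the server certificate over a raw TLS connection, then builds the chain against the client’s own trusted root store (the store the add-in’s .NET stack uses) and checks that the certificate name matches the URL host.

```powershell
# Added example (not from the original post): explain a "Could not establish trust
# relationship for the SSL/TLS secure channel" failure from the client side.
# Host name and port below are assumptions.
function Test-CrmTlsTrust {
    param(
        [string]$HostName = 'vboxcrm.gtdomain.local',
        [int]$Port = 443
    )
    # Accept anything at the socket level purely so we can fetch the certificate;
    # the real trust decision is made explicitly below with X509Chain.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Chain building uses this machine's Trusted Root store. Revocation is skipped
    # because a lab CA rarely publishes a reachable CRL and the error in the post
    # is about trust, not revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk  = $chain.Build($cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Name check: a DNS SAN or the subject CN must equal the host in the URL. The
    # IIS self-signed certificate carries the NetBIOS name, so it fails this for
    # any FQDN URL even after its root has been imported as trusted.
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    $dnsNames += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = $dnsNames -contains $HostName

    New-Object PSObject -Property @{
        Host              = $HostName
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted      = $chainOk
        ChainStatus       = ($statuses -join ', ')
        NameMatches       = $nameOk
        WouldClientTrust  = ($chainOk -and $nameOk)
    }
}

Test-CrmTlsTrust -HostName 'vboxcrm.gtdomain.local' | Format-List
```

With the IIS self-signed certificate you should see ChainStatus of UntrustedRoot and NameMatches false for an FQDN URL; after switching to a certificate issued by the enterprise CA, and once the root has reached the client through Group Policy, both ChainTrusted and NameMatches turn true and the Outlook Client configuration proceeds.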

UPDATE 2: If you are not able to run Fetch XML reports or Report Wizard reports (which are Fetch XML reports), you are probably hitting a firewall issue as described here. Thanks to my colleague Farooq for finding this post and thanks Jim for writing it!


2 thoughts on “Installing a 2-server CRM 2011 with Service Accounts and Minimum Permissions”

  1. Juan Solares

    I added more SPNs:
    o setspn -A HTTP/crm dominio\crmappiss
    o setspn -A HTTP/crm.contoso.com dominio\crmappiss
    o setspn -A HTTP/sql dominio\SQLCRM
    o setspn -A HTTP/sql.contoso.com dominio\SQLCRM
    o setspn -A mssqlsvc/sql dominio\SQLCRM
    o setspn -A mssqlsvc/sql.contoso.com dominio\SQLCRM
    o setspn -A MSCRMSandboxService/crm dominio\sandboxcrm
    and it works with no firewall and no HTTPS.

    thanks
  2. Brijesh

    Hi Gareth,
    Thanks for this informative article. I am planning to do an installation similar to yours. In this blog, I am not able to understand the purpose of steps 19 and 20. Why are these 2 steps necessary, and what will happen if I skip them?

    Thanks
