Frequently I see customers trying to verify if their Kerberos settings (http://bit.ly/QOEvLF) are truly working or not. In the past we’ve used tools such as NetMon, Kerbtray, Klist, and others to verify this however, recently I found a very simple way to test if Kerberos auth is working or not using Fiddler – a very common utility that many admins already have loaded on their client machines. Here are the steps:
- Download and install fiddler on the client machine: http://www.fiddlertool.com/
- This test process only applies to machines external to the servers hosting the services. In the case of CRM, you would run fiddler from a client machine and not from a CRM or SQL Server.
- If you have SSL enabled (HTTPS) on the website your testing make sure to enable Fiddler to Decrypt SSL, this can be done by clicking the Tools Menu, then Fiddler Options, then click the HTTPS tab, then select the “Decrypt HTTPS Traffic” checkbox.
- Kerberos working: Image may be NSFW.
Clik here to view.
- Kerberos not working: Image may be NSFW.
Clik here to view.
If you were expecting to see YII and see TlR instead, please take a look at my other blog posting (http://bit.ly/QOEvLF) covering the setup and configuration of SPN’s and Active Directory properties to allow for proper Kerberos authentication. Also, once Kerberos is functioning I recommend taking advantage of IIS’s AuthPersistNonNTLM setting to reduce the number of 401 challenges – this is also covered in the Kerberos blog posting under section 3.1.
If you want to keep in touch with our team you can follow us here (http://blogs.msdn.com/CRMInTheField) as well as on Twitter, if you have a Microsoft Premier support contract and wish to work with a member of our team ask your TAM about the PFE offerings we have for Dynamics CRM, and if you want to connect with us at conferences we can be found speaking and attending Dynamics Convergence. We’ll keep any other events or opportunities to connect up to date here and on Twitter.
Thanks!
Sean McNellis
