When we implement CRM 2011, we regularly hear or read that the right Service Principal Names (SPNs) are needed for Kerberos authentication to work correctly; however, understanding Kerberos authentication can be time-consuming and takes experience.
Sean has written a detailed blog explaining Kerberos Authentication here.
Identifying the right SPNs can be daunting, and it would be really nice if we had a simpler way to identify them. To make SPN identification easier, I have put together an Excel workbook that can help us generate a list for different deployment schemes. The workbook has different sheets covering the most common scenarios, such as Single Server Deployment and Split Server Deployments. (See the attached worksheet below.)
Please feel free to post your feedback to improve the workbook so we can accommodate more deployment scenarios.
Thanks, Kaustubh Giri
Microsoft Premier Field Engineer
How does the SPN requirement change if Kernel Mode Authentication is used?
Kernel mode authentication can be used along with Kerberos. It is a good idea to use Kernel Mode Authentication as it was designed to help; however, you must make a change in the ApplicationHost.config file.
If you do not have the useAppPoolCredentials="true" entry in your ApplicationHost.config file it may default the Authentication to Network Service. The SPNs registered on the Domain Account to run CRMAppPool may be ignored as Network Service will be used to create the initial connection before impersonating the user. In that case the SPN it will look for is ComputerName$ and it may or may not cause authentication issues.
It is advised to modify the ApplicationHost.config file with the useAppPoolCredentials="true" entry when Kernel Mode Authentication is enabled on the website.
I hope that answers your question.
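The check discussed in the reply above, as an added example that is not part of the original post or the reply: a small audit that parses an applicationHost.config and lists the scopes where Windows authentication runs in kernel mode without useAppPoolCredentials="true". The sample XML and site names are constructed; the script assumes the IIS schema defaults (enabled=false, useKernelMode=true, useAppPoolCredentials=false) and evaluates each scope on its own attributes without resolving inheritance between scopes.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config; site names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <location path="Microsoft Dynamics CRM">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="CRM Fixed">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="User Mode Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"

def _flag(elem, name, default):
    """Read a boolean attribute, using the assumed schema default when it is absent."""
    return elem.get(name, default).strip().lower() == "true"

def audit(config_xml):
    """Return scopes where kernel-mode Windows auth lacks useAppPoolCredentials="true"."""
    root = ET.fromstring(config_xml)
    # Per-site overrides live in <location path="...">; the root holds server defaults.
    scopes = [("(server default)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for path, scope in scopes:
        auth = scope.find(WIN_AUTH)
        if auth is None or not _flag(auth, "enabled", "false"):
            continue  # Windows authentication not enabled in this scope
        kernel_mode = _flag(auth, "useKernelMode", "true")
        pool_creds = _flag(auth, "useAppPoolCredentials", "false")
        if kernel_mode and not pool_creds:
            findings.append(path)  # SPNs on the app pool account may be ignored here
    return findings

if __name__ == "__main__":
    for site in audit(SAMPLE_CONFIG):
        print(f"{site}: kernel mode enabled, useAppPoolCredentials is not true")
```

To audit a real server, pass the contents of its ApplicationHost.config file to `audit()` instead of the sample.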