Wednesday, January 28, 2015

'Security Negotiation Exception' during plug-in execution in CRM2013

A few months ago, we experienced an issue during a plugin execution in the dev. environment. We were using Scribe Insight for integration. We were using the “Microsoft Dynamics CRM publisher” for scribe that registered a plugin on the contact entity. Everything was working perfectly until we received the following error:

Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: The following error has occurred in the Scribe Change History plug-in: System.ServiceModel.Security.SecurityNegotiationException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #0CCC3255  


During troubleshooting we found the following entry in the event viewer of the backend server. 

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server serviceaccountname. The target name used was HTTP/CRMFrontEndServer. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DomainName) is different from the client domain (DomainName), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server 

The “EventSourceName” was Kerberos.

Looking at the error we hypothesised that there was an SPN issue for the CRMFrontEndServer server.

You can receive this error for any plugin published in the sandbox. It will only happen if the sandbox service is not installed on the same server as CRM web site and kerberos authentication is enabled for the website.


We used the following account to list all the SPNs registered for the serviceaccountname.
setspn –l domain\serviceaccountname

The command displays only the SPN registered on the HTTP/  (Fully Qualified domain name of the CRM front end server).

We added a new SPN on the servername using the following command setspn –a http/CRMFrontEndServer domain\serviceaccountname That was it. We restarted the sandbox service and the error was gone.

For more information on SPNs and their configuration you can check out this KB article from Microsoft.