ax2012R2 - IIS on different host from AOS – target principal name is incorrect

Hi,

I have this situation :

Domain : OurDomain

AOS : AOSHost

IIS : IISHost

The AOS is running on AOSHost under the account "OurDomain\AOSAccount"

The Business connector account under which the MicrosoftDynamicsAXAif60 application pool is running is "OurDomain\BusConnAccount"

I installed the "Web Services on IIS" and the ".NET Business Connector" components on IISHost. Actually I tried two scenarios, with the same result: only the "Web Services on IIS" component, or both the "Web Services on IIS" and the ".NET Business Connector" components. During install I gave the "OurDomain\BusConnAccount" when the wizard asked, and also gave the "OurDomain\AOSAccount" name (but no password for this one, the wizard doesn’t ask). This host represents a IIS machine in a DMZ, although I have no firewalls yet. I’m taking it one step at a time.

By enabling anonymous authentication on my test inbound port and in my IIS web site, my test C# program is able to retrieve the service references from the IIS Host. But then, when my test program tries to actually hit the web service, AX throws a "A call to SSPI failed, see Inner Exception" error. Further digging shows that the inner exception is "Target principal name is incorrect".

In the IISHost Event viewer I see "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was host/aoshost. This indicates…".

So I tried setspn.exe commands

setspn –s http/iishost ourdomain\aosaccount

setspn –s http/iishost.ourdomain ourdomain\aosaccount

setspn –s host/aoshost ourdomain\aosaccount

setspn –s host/aoshost.ourdomain ourdomain\aosaccount

For a while this fixed the problem. I mean I could hit the web services hosted on IISHost, and it was the information from the AOS on AOSHost. Everything was good until my AOS service wouldn’t start anymore. I got a 1069 error, "The service did not start due to a logon failure". I tried to reboot the AOSHost, and after reboot couldn’t logon to it with any domain account anymore. "The Security database on the server does not have a computer account for this workstation trust relationship." Removed the above setspn commands, and could logon the AOSHost just fine afterwards.

Now I’m back to the "Target principal name is incorrect" error.

What I’m trying to do is simple : get the IIS running on a remote host. Can anyone help me please?