We recently experienced an issue in our CRM 2011 Partner Hosted environment. Our system is set up according to Microsoft's documentation for CRM Service Providers, with the CRM web application on a separate server from the Sandbox service. When we used the Scribe Insight Console to publish a plug-in for the Account entity, we received an error when trying to save an Account record. When we checked the details of the error, the first two lines were:
Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: The following error has occurred in the Scribe Change History plug-in:
System.ServiceModel.Security.SecurityNegotiationException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #B374BE2D
We went to Scribe first without success, but the technician thought that it might be a security issue with one of the service accounts, so we opened a case with Microsoft. Here is what we did to fix the problem:
1. Open IIS on the CRM Web Service server and note the account that is running the CRM Application pool.
2. Open a cmd prompt and enter the following (substitute your CRM Web server and CRM Application Service Account):
C:\>setspn -a HTTP/crmserver crmappsrvcacct
3. The system should return something similar to:
Registering ServicePrincipalNames for CN=crmappsrvcacct,OU=ServiceAccounts,OU=MyDomainName,DC=OU=MyDomainName,DC=com
HTTP/crmserver
Updated object
4. Do the same for the FQDN (Fully Qualified Domain Name):
C:\>setspn -a HTTP/crmserver.MyDomainName.com crmappsrvcacct
5. The system should return something similar to:
Registering ServicePrincipalNames for CN=crmappsrvcacct,OU=ServiceAccounts,OU=MyDomainName,DC=OU=MyDomainName,DC=com
HTTP/crmserver.MyDomainName.com
Updated object
6. On the CRM Web Service server, browse to the following folder (or wherever your Windows system files are):
C:\windows\system32\inetsrv\config
7. Make a backup of the applicationhost.config file
8. Open the applicationhost.config file (the original)
9. Search for the following:
<location path="Microsoft Dynamics CRM">
10. Once found, edit the contents of the windowsAuthentication tag as follows:
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
11. The authentication node should look like:
<security>
  <authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
      <providers>
        <clear />
        <add value="Negotiate" />
        <add value="NTLM" />
      </providers>
    </windowsAuthentication>
    <anonymousAuthentication enabled="true" />
    <digestAuthentication enabled="false" />
    <basicAuthentication enabled="false" />
  </authentication>
</security>
12. Run an iisreset on the CRM Web Service server
13. Restart the Microsoft Dynamics CRM Sandbox Processing Service on the server that has the Sandbox role installed.
14. Wait a couple of minutes for the service to fully start
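The script below is an added example, not part of the original fix or of Microsoft's instructions: a read-only PowerShell check that the SPNs from steps 2 and 4 are registered on the application pool account (and on no second account) and that applicationhost.config carries the settings from steps 10 and 11. The server, domain and account names are this post's placeholders, and the parsing of setspn output (one CN= line per owning account) is an assumption about its format.

```powershell
# Added example: read-only verification of the steps above.
# Placeholder values from the post; substitute your own.
$Account    = 'crmappsrvcacct'
$Spns       = @('HTTP/crmserver', 'HTTP/crmserver.MyDomainName.com')
$SiteName   = 'Microsoft Dynamics CRM'
$ConfigPath = Join-Path $env:windir 'system32\inetsrv\config\applicationHost.config'
$problems   = @()

# Steps 2-5: every SPN must be listed on the application pool account.
$onAccount = @(& setspn.exe -L $Account | ForEach-Object { $_.Trim() })
foreach ($spn in $Spns) {
    if ($onAccount -notcontains $spn) {
        $problems += "$spn is not registered on $Account"
    }
    # Assumption: 'setspn -Q' prints one 'CN=...' line per account holding the SPN.
    # An SPN held by more than one account makes Kerberos ticket requests fail.
    $owners = @(& setspn.exe -Q $spn | Where-Object { $_ -match '^\s*CN=' })
    if ($owners.Count -gt 1) {
        $problems += "$spn is registered on $($owners.Count) accounts"
    }
}

# Steps 6-11: parse the config. The [xml] cast throws on malformed XML,
# for example when attribute values were pasted with typographic quotes.
try {
    [xml]$cfg = Get-Content -Path $ConfigPath -ErrorAction Stop
    $xpath = "/configuration/location[@path='$SiteName']" +
             "/system.webServer/security/authentication/windowsAuthentication"
    $wa = $cfg.SelectSingleNode($xpath)
    if ($wa -eq $null) {
        $problems += "No windowsAuthentication element under location '$SiteName'"
    } else {
        foreach ($attr in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
            if ($wa.GetAttribute($attr) -ne 'true') {
                $problems += "windowsAuthentication $attr is not 'true'"
            }
        }
        $providers = @($wa.SelectNodes('providers/add') |
            ForEach-Object { $_.GetAttribute('value') })
        if ($providers -notcontains 'Negotiate') {
            $problems += 'Negotiate is missing from the providers list'
        }
    }
} catch {
    $problems += "Cannot parse ${ConfigPath}: $($_.Exception.Message)"
}

if ($problems.Count -eq 0) { 'All checks passed' } else { $problems }
```

Run it from an elevated prompt on the CRM Web Service server, since reading applicationhost.config requires administrator rights and the setspn queries need to reach a domain controller.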