CRM 2011 SecurityNegotiationException Error after Publishing a Plugin for an Entity or Using Scribe Publisher.

We recently experienced an issue in our CRM 2011 Partner Hosted environment. Our system is set up according to Microsofts documentation for CRM Service Providers with the CRM web application on a seperate server from the Sandbox service. When we used the Scribe Insight Console to publish a Plugin for the Account entity we recieved an error when trying to save an Account record. When we checked the details of the error the first two lines were:

Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: The following error has occurred in the Scribe Change History plug-in:
System.ServiceModel.Security.SecurityNegotiationException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #B374BE2D

We went to Scribe first without success but the technician thought that it might be a security issue with one of the service accounts. So we opened a case with Microsoft. Here is what we did to fix the problem:

1. Open IIS on the CRM Web Service server and note the account that is running the CRM Application pool.
2. Open a cmd prompt and enter the following (substitute your CRM Web server and CRM Application Service Account) :
C:>setspn -a HTTP/crmserver crmappsrvcacct
3. The system should return something similar to:
Registering ServicePrincipalNames for CN=crmappsrvcacct,OU=ServiceAccounts,OU=MyDomainName,DC=OU=MyDomainName,DC=com
HTTP/crmserver
Updated object
4. Do the same for the FQDN (Fully Qualified Domain Name) :
C:>setspn -a HTTP/crmserver.MyDomainName.com crmappsrvcacct
5. The system should return something similar to:
Registering ServicePrincipalNames for CN=crmappsrvcacct,OU=ServiceAccounts,OU=MyDomainName,DC=OU=MyDomainName,DC=com
HTTP/crmserver.MyDomainName.com
Updated object
6. On the CRM Web Service server browse to (or where ever your windows system files are):
C:windowssystem32inetsrvconfig
7. Make a backup of the applicationhost.config file
8. Open the applicationhost.config file (the original)
9. Search for the following:
<location path=”Microsoft Dynamics CRM”>
10. Once found edit the contents of the windowsAuthentication tag as follows:
<windowsAuthentication enabled=”true” useKernelMode=”true” useAppPoolCredentials=”true”>
11. The Athentication node should look like:
<security>
<authentication>
<windowsAuthentication enabled=”true” useKernelMode=”true” useAppPoolCredentials=”true”>
<providers>
<clear />
<add value=”Negotiate” />
<add value=”NTLM” />
</providers>
</windowsAuthentication>
<anonymousAuthentication enabled=”true” />
<digestAuthentication enabled=”false” />
<basicAuthentication enabled=”false” />
</authentication>
</security>
12. Run and iisreset on the CRM Web Service server
13. Restart the Microsoft Dynamics CRM Sandbox Processing Service on the server that has the Sandbox role installed.
14. Wait a couple of minutes for the service to fully start