2008. február 29. 7:24
Can we change the account that is used for LDAP requests that CRM does?
We've got a problem with adding users from a trusted domain.
We've narrowed it down to a LDAP problem, but don't really know the sollution. Hoping to get it here!
Domain A, 1-way trusts Domain B.
Domain A contains CRM server.
When trying to add a user in Windows, it works correct.
When trying to add a user in CRM, it fails.
When we monitor the traffic, we see that it fails on a LDAP request to retreive AD properties from Domain B.
The problem is that CRM uses the computeraccount from the CRM Server (CRMSRV$), this account isn't trusted in Domain B. Thus the LDAP request fails with an authentication failure.
Can we change the account that is used for the LDAP requests?
Az összes válasz
2008. február 29. 9:46ModerátorThe account used is the identity of the IIS Application Pool CrmAppPool. This could be changed, but will affect all of CRM. I'm not sure if you could make it an account from Domain B; it may well work, but I'm not convinced it'd be supported. If you try changing the identity of the application pool, the new account will need to be a member of the AD groups SqlAccessGroup, PrivUserGroup and probably PrivReportingGroup. The safest way to change the identity would be to uninstall CRM, then reinstall and connect to the existing databases, and set the identity during the install
2008. február 29. 9:54Moderátor
I dont think its supported for second domain B.. but for cluster environment you can define mulitiple users for different domain but have access of AD.
For more see CRMAppPool.. where you can change name but it will effect whole CRM. I suggest repair can work for this.
2008. február 29. 16:05
Thank you for your reply.
I solved it with you hint and google:
At this point we were able to see the users detail, but not add the users.
Had to change the group types to 'Domain Local' , was Universal. Universal cannot contain users from the trusted domain.
Thanks, my problem is solved!