NLB on CRM 4.0

  • Question

  • Hi all,

    I'm currently having a big problem with our Dynamics CRM 4.0 setup with Windows 2008 NLB. Let me describe our setup first. The CRM setup consists of one database server (DB1 with Server 2008 and SQL 2008) and two application servers (App1 & App2, both Server 2008). Both application servers have two NICs. App1 has IP 192.168.1.101 and cluster IP 192.168.1.102. App2 has IP 192.168.1.103 and cluster IP 192.168.1.104 (these are just example IPs :P). The NLB cluster IP is 192.168.1.105 with an Internet name CRMNLB.ABC.COM (example name). NLB is in unicast mode.

    The problem: After setting up NLB, I type the URL CRM.ABC.COM in Internet Explorer and the webpage does not load. I have to constantly click on Refresh until the page loads. I thought the problem might be with my NLB setup. But if I use Windows Remote Desktop, typing in CRM for computer name, NLB will direct me to one of the application servers. If I stop NLB server on App1, NLB will direct Remote Desktop to App2. If I stop NLB server on App2, NLB will direct Remote Desktop to App1. So, I conclude that NLB is working but not with CRM. Why do I have to constantly click on Refresh for CRM to load in Explorer? Even after it loaded for the first time, it still goes out and I have to click Refresh over and over until CRM loads again. I tried NLB in multicast mode and I still have the same problem.

    Does anyone have any idea about this problem?

    Thanks in advance.

    Thursday, October 28, 2010 8:37 PM

Answers

  • Ahhh, finally my NLB problem has been solved. Turns out that my company's web filter was causing the problem. After I made an exclusion for the NLB internet name on the web filter, NLB is working fine with CRM. I would never have thought the web filter would cause so many problems because CRM traffic isn't going out to the Web.

    Thank you greatly for your help ITonit.com.  You're the smartest!!!!

    • Marked as answer by FriskyFrisko Friday, November 5, 2010 4:44 PM
    Friday, November 5, 2010 4:44 PM

All replies

  • Have you configured SPNs to work with your NLB address?

    Have a look here:

    http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/configurespn.aspx#o45872

    Monday, November 1, 2010 3:01 PM
    Answerer
  • Monday, November 1, 2010 3:25 PM
    Moderator
  • To Nrodri, yes I have configured SPN.

    To Rhettclinton, I have read through those instructions numerous times thinking I might have missed something, but I did everything on there and CRM with NLB is still not working for me.

    If I access CRM by typing the server name, CRM works fine, but not with the NLB internet name. NLB works fine with Windows Remote Desktop, but not with CRM. I'm using IIS 7. Could the problem be there?

    Monday, November 1, 2010 5:28 PM
  • Hi FriskyFrisko,

    When you mentioned here that RDP works fine, it clearly states your NLB configuration is good, else you would have never hit the server.

    My guess here is the IIS7. You might want to try installing Fiddler (http://fiddlertool.com) and check what URL it is hitting when you try the NLB URL. Fiddler will tell you where your response is really going to and coming from.

    Also you might want to check if Kernel mode in IIS7 is causing this. Though you have SPNs set right, it will try to ignore the SPNs at times. Please check Kernel mode's settings and its behavior.

    Also check if the firewall is blocking the HTTP requests while using the NLB URL, as you mentioned you can directly access using http://servername.

    Hope the pointers help you progress.
    Let us know.

     


    Regards, ITonit Support Http://ITonit.com
    Tuesday, November 2, 2010 12:48 AM
  • To ITonit.com, with Fiddler installed, the two errors I'm getting are "ReadResponse() failed: The server did not return a response for this request." or "ReadResponse() failed: An existing connection was forcibly closed by the remote host." I want to add that our CRM servers are in the same subnet as the clients that are trying to access them. So we're not going through a router to access the CRM server.

    I'm not sure how to check Kernel mode settings. In IIS 7, for authentication, I have enabled Windows Authentication and ASP.NET Impersonation. Everything else is disabled. When I was troubleshooting, I disabled Windows Authentication and used Digest Authentication with ASP.NET Impersonation.

    I wanted to add that before, I couldn't use Windows Authentication. When I enabled Windows Authentication and tried to access CRM with the cluster internet name, it constantly popped up for username and password, no matter what I typed. After I added <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true"> to C:\Windows\System32\inetsrv\config\ApplicationHost.config, that solved our Windows Authentication problem.

    I have disabled Windows Firewall on both CRM app servers.

    Any more ideas? Thanks a lot for the help ITonit.com.

    Tuesday, November 2, 2010 10:40 PM
  • FriskyFrisko,

    1. If Fiddler shows "An existing connection was forcibly closed by the remote host"
    - It means something is blocking your connection to the CRM URL. It could be possible that the Load Balancer URL is somehow being blocked (HTTP requests)
    - You have mentioned that the CRM servers are in the same subnet and the firewall is disabled, which means we need to concentrate on the HTTP requests going to the load balancer.
    - Are the HTTP requests to the Load Balancer blocked?
    - To identify the blocking and isolate the issue, try creating a DNS entry to APP1 (Example: CRM - "A" Record and point to the APP1)
    - Stop NLB on APP1 and try hitting http://crm
    - If it hits the box or prompts for credentials you are communicating with the box (use Fiddler as well)
    NOTE: You may not successfully authenticate due to SPN issues; however, getting a credentials pop-up with Windows Auth is good news.
    - If you cannot communicate using http://crm then something is blocking the communication (firewall or something)

    2. You mentioned Windows Auth cannot be used as it keeps asking for credentials
    - Ensure the NLB URL is working and you get the credentials pop-up
    - Now enable Win Auth on the website and disable Digest Auth
    - Try authenticating till it throws an error
    - You may see 401.1 Unauthorized
    - If the above error is true then you are at least hitting the right URL; however, your SPNs aren't set as expected
    - What is the CRMAppPool Identity? (Network Service or a Domain Account?)
    - Ensure you have the following SPNs set on the Account used for the AppPool Identity

    ========
    SPN's
    ========
    HTTP/CRMNLB
    HTTP/CRMNLB.ABC.COM
    HTTP/APP1
    HTTP/APP1.ABC.COM
    HTTP/APP2
    HTTP/APP2.ABC.COM


    - You might want to run the following command on a Windows 2008 server to find duplicate SPNs if the SPNs are set right:

    SETSPN -X

    Let me know the status.


    Regards,

    ITonit Support

    Support@itonit.com

    Http://ITonit.com

    MSCRM Consultants
    Tuesday, November 2, 2010 11:30 PM
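
Added example (not part of the original thread): `SETSPN -X` reports only duplicates, so this PowerShell script also checks that each SPN listed in the post above exists and is registered on the app pool account. It assumes a domain-joined machine, the thread's example host names, and `MSCRMService` as the app pool identity (the account named later in the thread); `Get-SpnOwner` is a hypothetical helper.

```powershell
# Assumptions: example names from the thread; searches the current domain only.
$ExpectedAccount = 'MSCRMService'          # app pool identity (domain account)
$ExpectedSpns = @(
    'HTTP/CRMNLB', 'HTTP/CRMNLB.ABC.COM',
    'HTTP/APP1',   'HTTP/APP1.ABC.COM',
    'HTTP/APP2',   'HTTP/APP2.ABC.COM'
)

function Get-SpnOwner {
    # Returns the sAMAccountName of every AD object that registers $Spn.
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    }
    finally {
        $results.Dispose()                 # FindAll() holds unmanaged handles
    }
}

$report = foreach ($spn in $ExpectedSpns) {
    $owners = @(Get-SpnOwner -Spn $spn)

    # Kerberos needs exactly one owner, and for a domain-account app pool
    # that owner must be the app pool identity, not the computer account.
    if     ($owners.Count -eq 0)                { $status = 'MISSING' }
    elseif ($owners.Count -gt 1)                { $status = 'DUPLICATE' }
    elseif ($owners[0] -eq $ExpectedAccount)    { $status = 'OK' }
    else                                        { $status = 'WRONG ACCOUNT' }

    New-Object psobject -Property @{
        Spn = $spn; Owners = ($owners -join ', '); Status = $status
    }
}

$report | Select-Object Spn, Owners, Status | Format-Table -AutoSize
```

Any row other than `OK` means Kerberos tickets for that name cannot be decrypted by the app pool, which typically shows up as repeated credential prompts or a 401.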
  • ITonit.com

    Here's the result of what you suggested.

    1.    Again, my App1 has 2 NICs (192.168.1.101 for network traffic, 192.168.1.102 for NLB cluster traffic) in unicast mode for NLB. I stopped NLB on both servers. When I changed the DNS name to point to App1 NIC1 (192.168.1.101), CRM works fine. No problem. But when I change the DNS name to point to NIC2 192.168.1.102, I'm having the refreshing problem, the exact problem as if I have NLB turned on. I don't think it's a defective NIC but just in case, I switched NIC2 out and used another NIC for 192.168.1.102. Before I set the NLB cluster onto the new NIC, I tried to see if CRM will load with the new NIC. CRM loaded fine. Once I set the NLB cluster onto the new NIC, I'm having the refreshing problem again when I use IP 192.168.1.102 in the URL address. My understanding is after I set NLB on a NIC (unicast mode), NLB doesn't use the physical MAC of the NIC but it uses the software MAC of the NLB cluster. Something in there is causing NLB not to work with CRM. Again, Remote Desktop works fine with NLB. I'm able to remote to CRMNLB (NLB internet name). Stop NLB on App1 and NLB automatically switches Remote Desktop to App2. Why doesn't CRM work like Remote Desktop? Gets me so frustrated :*(.

    2.    For my CRMAppPool, I'm using a Domain account (MSCRMService). Before I edited the ApplicationHost.config file, I would get the prompt for username and password. No matter what I put in, it wouldn't take. After a couple of attempts, I get the 401.1 error you mentioned. After I edited the ApplicationHost.config file by adding <…useAppPoolCredentials="true">, that solved my credential pop-up problem. I ran the command "setspn -x" on both servers, and it returned 0 duplicate SPNs. I'm guessing that's the right answer.

    Again, thanks a lot for your help ITonit.com

    Wednesday, November 3, 2010 11:22 PM
  • FriskyFrisko,

    I understand this is frustrating and time consuming; however, we will find a resolution.

    Coming back to your Point 1.
    - You mentioned that when the DNS entry is pointed to NIC2 (192.168.1.102) we start experiencing access issues.
    - So, what do you have set in your IIS Website bindings? You should have port 80 and IP as "All Unassigned" (The port 80 is an example)

    - If the IIS settings are correctly set to show "All Unassigned" then are NIC 1 and 2 using IPv6?
    - Do you have Internet Facing Deployment (IFD) configured?
    - Also check whether IIS is set up for both NTLM and Kerberos
    Ref: http://support.microsoft.com/kb/215383
    NOTE: The KB has information only up to IIS 6, use the same steps for IIS7. Good info.

    The command you should run is :

    cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders


    NOTE: In this command, WebSite is your CRM Website Identifier (ID). You will see that in IIS when you click the WebSite folder to see all the websites.
    This is how the result should look: http://img248.imageshack.us/img248/7127/iiskerb.jpg
    If not then run the following command

    cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"

    Point 2:
    - The Setspn -x showing 0 is a good result.
    - useAppPoolCredentials='true' sounds good!

    Let me know.


    Regards,

    ITonit Support

    Support@itonit.com

    Http://ITonit.com

    MSCRM Consultants
    Thursday, November 4, 2010 12:04 AM
  • Itonit.com,

    Here's the result of what you recommended:

    -Microsoft Dynamics CRM is set to use port 80 and IP binding is set to All Unassigned.
    -Both NIC1 and NIC2 are set to use IPv4. I have unchecked IPv6 on both local area connection properties.
    -We are not using Internet Facing Deployment (IFD). CRM is only for internal users. Outside users have to VPN into the network before they can use CRM.
    -I did the cscript command and the result is "NTauthenticationproviders  : (STRING) "Negotiate, NTLM".  Same as your screenshot. (BTW, thanks for the screenshot, it helped A LOT).

    As always, thanks a lot for helping.

    Thursday, November 4, 2010 5:50 PM
  • FriskyFrisko,

    My pleasure :-)

    Are we still experiencing the issue?


    Regards,

    ITonit Support

    Support@itonit.com

    Http://ITonit.com

    MSCRM Consultants
    Thursday, November 4, 2010 6:37 PM
  • Sorry, yes I'm still having this refreshing problem. Any more ideas? Man, I sure hope I'm not the only one that's having this problem.
    Thursday, November 4, 2010 8:29 PM
  • I would suggest getting a Simultaneous Netmon trace enabled on the App1 and the Client used to access App1.

    NOTE: Disable NLB on APP2 while you are capturing Netmon. By this we can ensure only one server is being contacted. Also try disabling the NIC which works fine on APP1 to make it very specific to that NIC or IP.

    Contact me on the e-mail with the netmon trace for a review.


    Regards,

    ITonit Support

    Support@itonit.com

    Http://ITonit.com

    MSCRM Consultants
    Friday, November 5, 2010 12:11 AM
  • hello

     

    Are you able to share a step-by-step guideline on how you configured the E-mail router on the NLB environment?

    Current state of my deployment...

    I have two nodes on the NLB (Windows 2008 R2 SP1), with each containing two NICs. NLB works fine. CRM 4.0 can be accessed from the NLB address.

    Do I install E-Mail Router on both these nodes? and configure them separately with their unique hostnames?

    I have tried that and not having much success.

    Have also attempted to install the mail router with the NLB address - no success.

     

    this is the message that is returned on both the configuration instances...

    The E-mail router Configuration Manager was unable to retrieve the user and que information from the Microsoft Dynamics CRM server.
    this may indicate that the Microsoft Dynamics CRM Server is busy.
    Verify that the URL 'http://crmnlbclustername:5555/orgname/' is correct.
    Adittionally, this problem can occur if specified access credentials are insufficient.
    To try again, click Load Data. (The request failed with and HTTP status 401:Unauthorized.)

     

    The E-mail router Configuration Manager was unable to retrieve the user and que information from the Microsoft Dynamics CRM server.
    this may indicate that the Microsoft Dynamics CRM Server is busy.
    Verify that the URL 'http://crmnlbnode01:5555/orgname/' is correct.
    Adittionally, this problem can occur if specified access credentials are insufficient.
    To try again, click Load Data. (The request failed with and HTTP status 401:Unauthorized.)

     

    Any help will be appreciated

    thanks

    Thursday, March 10, 2011 9:41 AM
  • Hi CSamuel,

    Here is what I would like to say:

    1. E-mail router can be installed on any server in the domain.
    2. You do NOT need to install e-mail router on both CRM servers just because you have CRM NLB. One e-mail router is good enough to take all the load and work efficiently.
    3. Ideally you need to use the NLB URL on the Deployments tab; however, you may use the http://HostName:5555/OrgName
    4. The error you received is pointing towards the credentials used: Error is HTTP status 401:Unauthorized

    You might want to use the same URL 'http://crmnlbnode01:5555/orgname' and on the Deployments configuration specify the User Credentials of a CRM Admin account and try Load Data again.

    NOTE:
    1. You must Publish => Close e-mail router configuration and test again as e-mail router caches the information
    2. In the URL 'http://crmnlbnode01:5555/orgname' the ORG Name is case sensitive so be careful. I would simply copy and paste the URL from the address bar once CRM loads in IE to avoid any issues.

    Let me know if this still doesn't help.

    P.S: You may be missing some SPNs. Watch out for them ;-)


    Regards,

    ITonit Support

    Support@itonit.com

    Http://ITonit.com

    MSCRM Consultants
    Thursday, March 10, 2011 11:24 AM