CRM Will not authenticate RRS feed

All replies

  • Hi Erik,

    CRM 4 can be a little tricky to install depending on the environment, but it is very stable once installed.

    --Can you browse to http://afcc-inc-ws:5555 ?
    --Make sure to add *.afccinc.com to your list of trusted web sites.  crm should not prompt you for uid/pwd via just Internet Explorer.  It should use integrated authentication.
    --when configuring outlook, simply specify http://afcc-inc-ws:5555   (don't add the /mscrmservices).

    Let me know if above items help.


    Alex Fagundes - www.PowerObjects.com
    Thursday, October 1, 2009 2:45 AM
  • I would also suggest adding an additional binding for afcc-inc-ws port 5555 in your IIS settings.  I didn't see it in your screenshots and that will most likely prevent you from accessing the site.
    Thursday, October 1, 2009 11:48 AM
  • I am using a host header, so I have to use my domain in the url just like. http://crm.afccinc.com:5555/ 
    that is the actual url.

    I have just added the *.afccinc.com to the trusted web sites.

    I am now only specifying the following url. http://crm.afccinc.com:5555/    .  Thank you for telling me this because I was wondering about this one.


    Current issue

    I hope I am almost there now... Maybe if I say a little prayer, and hold my breath for 20 seconds.. ;)

    Thank you for the help, and I hope you can help me get this thing done today... 




    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 2:37 PM
  • Is your deployment using multiple servers (CRM, SQL)? or everything in the same box?

    If multiple computers, you need to add SPN to:

    the user service  account if CRM runs under a user account
    the computer if CRM runs under Network Service

    Then you need to allow the user (or computer) for delegation


    My blog : http://mscrmtools.blogspot.com You will find: Form Javascript Manager (export/import javascript from forms) ISV.Config Manager (graphical ISV.config edition - export/import) View Layout replicator (customize one view and replicate to others) And others (use tool tag on my blog)
    Thursday, October 1, 2009 2:40 PM
    Moderator
  • Hi,

    there is also an SPN needed, if you use hostheaders as in the discussed deployment 
    See http://blogs.msdn.com/crm/archive/2009/08/06/configuring-service-principal-names.aspx
    Thursday, October 1, 2009 2:47 PM
  • I have one machine with AD, and the  CRM Server installed on it.

    One machine has my sql server on it.

    I will check this SPN out now.. 

    Never heard that word before.

    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 3:05 PM
  • ---------This is on my CRM, ACTIVE DIRECTORY server machine
    C:\Users\Administrator>SETSPN -L CORP\AFCC-INC-WS
    Registered ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=cor
    p,DC=afccinc,DC=com:
            ldap/AFCC-INC-WS.corp.afccinc.com/ForestDnsZones.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/DomainDnsZones.corp.afccinc.com
            Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/AFCC-INC-WS.corp.afccinc.com
            DNS/AFCC-INC-WS.corp.afccinc.com
            GC/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com
            HOST/AFCC-INC-WS.corp.afccinc.com/CORP
            HOST/AFCC-INC-WS
            HOST/AFCC-INC-WS.corp.afccinc.com
            HOST/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com
            E3514235-4B06-11D1-AB04-00C04FC2DCD2/8cd1839d-eecd-4c32-9ada-e5104967151
    3/corp.afccinc.com
            ldap/8cd1839d-eecd-4c32-9ada-e51049671513._msdcs.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/CORP
            ldap/AFCC-INC-WS
            ldap/AFCC-INC-WS.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com


    ---------This is on my sql server machine
    C:\Users\Administrator>SETSPN -L CORP\AFCC-INC-DB1
    Registered ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=afc
    cinc,DC=com:
            MSSQLSvc/AFCC-INC-DB1.corp.afccinc.com:1433
            MSSQLSvc/AFCC-INC-DB1.corp.afccinc.com
            TERMSRV/AFCC-INC-DB1
            TERMSRV/AFCC-INC-DB1.corp.afccinc.com
            HOST/AFCC-INC-DB1
            HOST/AFCC-INC-DB1.corp.afccinc.com

    C:\Users\Administrator>
    ------------------------------------------------------------------------------------

    I can see that my domain name is not there, which is crm.afccinc.com


    I have my domain name on a dns server machine that is NOT part of my DC , or company domain. I ran into issues while trying to add it to my domain with the rest of my servers. It would not resolve A records for request for public IP's.


    I can see that the DNS server on my AD machine has a way to add security context, which is new to me... 

    I read the blog, and it is great for an advanced person in that area. I have an idea of what needs to be done; however, on the blog it is not in depth enough.

    I can do this, I just need a little more info. 

    Do I need to add that crm.afccinc.com to my DC, CRM machine ? and remove it from my DNS server that is not on my DOMAIN\user.?

    Thank you guys for helping..







    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 3:46 PM
  • help...
    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 5:34 PM
  • Hi Erik,

    Have you verified that *.afccinc.com is listed in your list of trusted sites? 

    And if you are testing from the server itself, via add/remove programs, remove the 'enhanced internet explorer security' addon as it often interferes with web applications such as ms crm.


    Alex Fagundes - www.PowerObjects.com
    Thursday, October 1, 2009 5:41 PM
  • I will try this now..

    Below is what that blog asked me to do.

    C:\Users\Administrator>setspn -A HOST/CRM CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HOST/CRM
    Updated object

    C:\Users\Administrator>setspn -A HOST/CRM CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HOST/CRM
    Updated object

    C:\Users\Administrator>setspn -A HOST/CRM.AFCCINC.COM CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HOST/CRM.AFCCINC.COM
    Updated object

    C:\Users\Administrator>setspn -A HOST/CRM.AFCCINC.COM CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HOST/CRM.AFCCINC.COM
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HTTP/CRM
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HTTP/CRM
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM.AFCCINC.COM CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HTTP/CRM.AFCCINC.COM
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM.AFCCINC.COM CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HTTP/CRM.AFCCINC.COM
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM:5555 CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HTTP/CRM:5555
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM:5555 CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HTTP/CRM:5555
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM.AFCCINC.COM:5555 CORP\AFCC-INC-DB1
    Registering ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=af
    ccinc,DC=com
            HTTP/CRM.AFCCINC.COM:5555
    Updated object

    C:\Users\Administrator>setspn -A HTTP/CRM.AFCCINC.COM:5555 CORP\AFCC-INC-WS
    Registering ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=co
    rp,DC=afccinc,DC=com
            HTTP/CRM.AFCCINC.COM:5555
    Updated object
    ---------------------------------------------------------------------------------------

    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 6:05 PM
  • Here is what I have set from what the blog offers.
    ---------------------------------------------------------------------------------------------

    C:\Users\Administrator>SETSPN -L AFCC-INC-WS
    Registered ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=cor
    p,DC=afccinc,DC=com:
            HOST/CRM:5555
            HOST/CRM.AFCCINC.COM:5555
            HTTP/CRM.AFCCINC.COM:5555
            HTTP/CRM:5555
            HTTP/CRM.AFCCINC.COM
            HTTP/CRM
            ldap/AFCC-INC-WS.corp.afccinc.com/ForestDnsZones.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/DomainDnsZones.corp.afccinc.com
            Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/AFCC-INC-WS.corp.afccinc.com
            DNS/AFCC-INC-WS.corp.afccinc.com
            GC/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com
            HOST/AFCC-INC-WS.corp.afccinc.com/CORP
            HOST/AFCC-INC-WS
            HOST/AFCC-INC-WS.corp.afccinc.com
            HOST/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com
            E3514235-4B06-11D1-AB04-00C04FC2DCD2/8cd1839d-eecd-4c32-9ada-e5104967151
    3/corp.afccinc.com
            ldap/8cd1839d-eecd-4c32-9ada-e51049671513._msdcs.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/CORP
            ldap/AFCC-INC-WS
            ldap/AFCC-INC-WS.corp.afccinc.com
            ldap/AFCC-INC-WS.corp.afccinc.com/corp.afccinc.com

    C:\Users\Administrator>SETSPN -L AFCC-INC-DB1
    Registered ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=afc
    cinc,DC=com:
            HOST/CRM:5555
            HOST/CRM.AFCCINC.COM:5555
            HTTP/CRM.AFCCINC.COM:5555
            HTTP/CRM:5555
            HTTP/CRM.AFCCINC.COM
            HTTP/CRM
            HOST/CRM.AFCCINC.COM
            HOST/CRM
            MSSQLSvc/AFCC-INC-DB1.corp.afccinc.com:1433
            MSSQLSvc/AFCC-INC-DB1.corp.afccinc.com
            TERMSRV/AFCC-INC-DB1
            TERMSRV/AFCC-INC-DB1.corp.afccinc.com
            HOST/AFCC-INC-DB1
            HOST/AFCC-INC-DB1.corp.afccinc.com

    C:\Users\Administrator>


    ***Still get authentication box..... I have also disabled the internet security from IE


    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 6:31 PM
  • Just curious, what version of IE are you using?
    CRM Community Guru and Saxophonist
    Thursday, October 1, 2009 7:05 PM
  • Version 8 on server 2008 service pack 2

    I am banging my head against the wall over here.

    Thank you..

    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 7:07 PM
  • I am totally confused as to what in the ____ I am supposed to be authenticating to.


    Check this out....

    When I use Google Chrome to open crm it ask me for the username and password; however, this time it does not ask me again.. I get a message telling me that this browser version does not work with CRM.

    So I feel like I just authenticated !

    So is this an IE thing?




    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 8:20 PM
  • I have reviewed your current settings given in your screenshots and previous posts. There are a few extra SPN's added that won't be needed. Since you have added a host header you need SPN's set only under the account that is running the Application Pool for CRM.

    1. Can you open the CRMAppPool in IIS and see which identity it is running as? You will want to verify this is Network Service.

    2. We need to remove the following SPN's. We need to make sure the SPN's are just added under the CRMAppPool identity that is used for the CRM website.

    Remove these SPN's from the DB1 server:
            HOST/CRM:5555
            HOST/CRM.AFCCINC.COM:5555
            HTTP/CRM.AFCCINC.COM:5555
            HTTP/CRM:5555
            HTTP/CRM.AFCCINC.COM
            HTTP/CRM
            HOST/CRM.AFCCINC.COM
            HOST/CRM

    Remove these SPN's from the AFCC-INC-WS server:

            HOST/CRM:5555
            HOST/CRM.AFCCINC.COM:5555
            HTTP/CRM.AFCCINC.COM:5555
            HTTP/CRM:5555

    3. I see that you have already added a binding for CRM.AFCCINC.COM on the CRM website. This looks good except I would change this to use all unassigned instead of specifying the IP address. I would also add another binding for the host header CRM on port 5555 also using all unassigned.  This way you can access CRM using http://CRM:5555 and http://crm.afccinc.com:5555.

    Alex has mentioned that you should add a binding for the server. I agree with Alex on this because you should also be able to access CRM by using http://AFCC-INC-WS:5555. So what this means is that a third binding should be added to the CRM website with port 5555, using all unassigned, and without a host header specified. The key thing to remember is that when adding websites and bindings there has to be at least one unique value for each binding. This value could be a unique host header, port or IP address. In this case either the host header or port is unique.

    Once you make these changes you should log off the server and log back on. The logon process will generate the Kerberos ticket which is needed for proper authentication. Let us know if you still experience the prompts after making those changes.
    Thursday, October 1, 2009 8:41 PM
  • Wish me luck  ;)
    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 9:51 PM
  • I got rid of the items you suggested and IT WORKS !!!!

    THANK YOU VERY MUCH!!!!!!

    thanks, thanks thanks !!!!

    http://afccinc.com?siteref=msdn
    Thursday, October 1, 2009 10:04 PM
  • Hey Erik, That is great news that everything is working!! I understand how big of a headache setting SPN's can be.

    Main things to remember with SPN's:
    - Never create the same SPN under different accounts. We need SPN's to be unique across the environment.
    - The SPN's for IIS will always go under the account that's running the application pool for that specific web site.
    - SPN's are needed anytime you change the application pool to run as a user account instead of network service.
    - SPN's are needed if you want to use a host header instead of the servername to access the web site.

    Have a great weekend!

    Jeremy Morlock

    Friday, October 2, 2009 1:41 PM
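
The uniqueness rule in the post above can be checked mechanically. The following is an added example, not part of any post in this thread: it parses pasted `setspn -L` output, rejoins lines the console wrapped at 80 columns, and reports every SPN registered under more than one account (compared case-insensitively). The function names are illustrative, and the sample is abbreviated from the listings posted earlier in the thread.

```python
import re
from collections import defaultdict

HEADER = "Registered ServicePrincipalNames for "

# Constructed sample: abbreviated from the two SETSPN -L listings posted in the
# thread, keeping the console's 80-column wrapping of long lines.
SAMPLE = r"""C:\Users\Administrator>SETSPN -L AFCC-INC-WS
Registered ServicePrincipalNames for CN=AFCC-INC-WS,OU=Domain Controllers,DC=cor
p,DC=afccinc,DC=com:
        HTTP/CRM.AFCCINC.COM:5555
        HTTP/CRM
        HOST/AFCC-INC-WS
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/8cd1839d-eecd-4c32-9ada-e5104967151
3/corp.afccinc.com

C:\Users\Administrator>SETSPN -L AFCC-INC-DB1
Registered ServicePrincipalNames for CN=AFCC-INC-DB1,CN=Computers,DC=corp,DC=afc
cinc,DC=com:
        HTTP/CRM.AFCCINC.COM:5555
        HTTP/CRM
        MSSQLSvc/AFCC-INC-DB1.corp.afccinc.com:1433
"""

def parse_setspn_listing(text):
    """Return {account CN: [SPN, ...]} from one or more `setspn -L` listings."""
    accounts = {}
    account, dn, base = None, None, 0   # dn is not None while a header is open
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not line or set(line) == {"-"} or re.match(r"[A-Za-z]:\\.*>", line):
            continue                          # blank, separator or prompt line
        if line.startswith(HEADER):
            dn, base = line[len(HEADER):], indent
        elif dn is not None:
            dn += line                        # header wrapped by the console
        elif account is not None and indent > base:
            accounts[account].append(line)    # a new SPN entry
        elif account is not None and accounts[account]:
            accounts[account][-1] += line     # SPN wrapped at column 80
        if dn is not None and dn.endswith(":"):
            account = re.match(r"CN=([^,]+)", dn).group(1)
            accounts[account] = []
            dn = None
    return accounts

def duplicate_spns(accounts):
    """Return {lower-cased SPN: [accounts]} for SPNs held by several accounts."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

if __name__ == "__main__":
    for spn, held_by in duplicate_spns(parse_setspn_listing(SAMPLE)).items():
        print(f"{spn} is registered under: {', '.join(held_by)}")
```

On Windows Server 2008 and later, `setspn -X` runs a duplicate search against the directory itself; the parser above is for reviewing listings that have already been captured or pasted.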
  • I have bookmarked this site, so I can get back to this page to review your postings.

    That CRM is very impressive...

    It worked great yesterday, and I shut down my work station yesterday evening. Since I am still getting familiar with the CRM.

    After a computer cut on this morning, I am trying to open the crm back up via my url. And it does not give me any type of error it just sits there with a white screen spinning the wheels. Not connecting, not erroring, nothing. Just a blank screen ?

    Do I need to turn a service on, or something?

    thanks.

    http://afccinc.com?siteref=msdn
    Friday, October 2, 2009 2:03 PM
  • Since the initial question was resolved, it will be helpful for others if I mark this as answered.  Please create a new post for the new issue.  You can also check your event viewer on the server to see if you have an error that might help you troubleshoot the issue.  
    Best Regards, Donna
    Monday, October 5, 2009 12:55 PM