Internal Access to CRM not working after configuring IFD

  • Question

  • Hi

    I have configured IFD for CRM 2011 UR 7 using ADFS 2.0; however, when I try to access CRM from within the domain, I am prompted to sign in. After entering my credentials, I receive a

    "Not Authorized: HTTP Error 401. The requested resource requires user authentication."

    • This is only affecting internal access as I can sign in using the external URL
    • The certificate is for *.domain.com; however, the CRM server is server_name.domain.local, so I have created an alias called crmserver.domain.com that points to server_name.domain.local
    • Certificate has the appropriate managed keys.
    • I am using ADFS 2.0 UR3 and CRM 2011 UR7
    • ADFS is running under domain account (domain\svcSTS)
    • SPNs have been set for http/sts.domain.com; http/sts; http/crmserver.highnet.com; http/crmserver; host/server_name.domain.local; host/server_name
    • DNS entries have been added to domain.com and not domain.local

    There is also an error in Event Viewer.

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svcSTS. The target name used was HTTP/sts.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


    Marc Collins www.QGate.co.uk

    Thursday, August 8, 2013 8:28 AM
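
The event text quoted in the question asks that the target SPN be registered on, and only on, the account the service runs as. As an added example (not part of the original post), this Python script audits an LDIF-style export of `sAMAccountName` and `servicePrincipalName` for that condition; the sample data is constructed, the computer account `server_name$` is an assumption, and plain (non-base64) attribute values are assumed.

```python
from collections import defaultdict

# Constructed sample in the shape of an LDIF export; not real directory data.
SAMPLE_LDIF = """\
dn: CN=svcSTS,OU=Service Accounts,DC=domain,DC=local
sAMAccountName: svcSTS
servicePrincipalName: http/sts.domain.com
servicePrincipalName: http/sts

dn: CN=server_name,CN=Computers,DC=domain,DC=local
sAMAccountName: server_name$
servicePrincipalName: HOST/server_name.domain.local
servicePrincipalName: HTTP/sts.domain.com
"""

def parse_spns(ldif_text):
    """Return {lower-cased SPN: set of sAMAccountNames holding it}."""
    owners = defaultdict(set)
    text = ldif_text.replace("\r\n", "\n").strip()
    for record in text.split("\n\n"):
        account, spns = None, []
        # Unfold LDIF continuation lines (newline followed by one space).
        for line in record.replace("\n ", "").splitlines():
            key, _, value = line.partition(":")
            if key.lower() == "samaccountname":
                account = value.strip()
            elif key.lower() == "serviceprincipalname":
                spns.append(value.strip().lower())  # SPNs are case-insensitive
        for spn in spns:
            owners[spn].add(account or "<unknown>")
    return owners

def audit_spn(owners, spn, expected_account):
    """Classify one SPN against the account the service runs as."""
    holders = owners.get(spn.lower(), set())
    if not holders:
        return "missing"
    others = {h for h in holders if h.lower() != expected_account.lower()}
    if len(holders) > 1:
        return "duplicate: " + ", ".join(sorted(holders))
    if others:
        return "wrong account: " + ", ".join(sorted(others))
    return "ok"

if __name__ == "__main__":
    owners = parse_spns(SAMPLE_LDIF)
    for spn in ("HTTP/sts.domain.com", "http/sts", "http/crmserver.domain.com"):
        print(spn, "->", audit_spn(owners, spn, "svcSTS"))
```

An export of this shape can be produced with `ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l sAMAccountName,servicePrincipalName`.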

All replies