Problem with authentication between servers

Question
-
Hi,
I have the following problem with my CRM 4 deployment.
I have two servers (CRM1, CRM2) in NLB. Both of them are hosting CRM and custom pages. Those pages are connecting to the CRM web service using the load-balanced URL. It is working fine.
Now I have 3 new servers (NewCRM1, NewCRM2, NewCRM3) that will replace the old ones. The new servers are already connected to the same CRM deployment, but they are not part of the NLB and they cannot be added. The servers are also hosting the same custom pages, and those are connecting to CRM over the load-balanced URL, so they connect to CRM1 or CRM2.
Web sites hosted on new servers are giving '401 Unauthorized' error when they are opened from another client.
They are working fine on the servers. I am getting the same error when using hostname and IP.
I thought that it is a problem with SPNs and 'trust for delegation', but the SPNs are configured (HTTP/new servers), and trust for delegation is also configured for the service account used to run the AppPools and for all (old and new) servers.
When I reconfigure custom page to connect to web service hosted on the same server, it is working fine. When it is configured to use web service on any other server, it throws the same error.
Do you have any idea what can be wrong/missing?
Dawid Kolodziejczyk
Saturday, January 5, 2013 8:05 PM
All replies
-
Does the IE security zone that a new CRM server hostname shows up in have 'Automatically log on with current user name and password' set? If not, update that setting, or add the hostname to the same zone that the NLB URL shows up in when being accessed, as this is probably already set there.
If you are still worried about SPNs then review these blogs:
http://blogs.msdn.com/b/crminthefield/archive/2012/10/03/kerberos-in-load-balanced-environments.aspx
http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx
MS CRM Bing'd - http://bingsoft.wordpress.com Dynamics XRM Tools CRM 4 to CRM 2011 JavaScript Converter Tool CRM 2011 OData Query Designer CRM 2011 Metadata Browser CRM Forum Guidance
Monday, January 7, 2013 10:45 AM Moderator
-
What operating system is hosting the three new servers? Windows 2008 with IIS 7 is different than Windows 2003 when it comes to SPNs if you have kernel mode enabled in IIS 7.
If you are using Windows 2008 here is what you would want to do.
1. Create a new AD service account or use an existing one if you already have one set up.
2. Add the account to the following groups in AD:
   - PrivUserGroup
   - SQLAccessGroup
3. Make the account a Local Administrator on the Microsoft Dynamics CRM server(s).
4. Add the account to the CRM_WPG group on the Microsoft Dynamics CRM server(s).
5. Change the CRMAppPool on all nodes to use the new account.
6. Make sure Kernel mode is enabled in IIS on all nodes.
7. Make sure you have useAppPoolCredentials = true set.
8. Then you will need to make sure that you have the correct SPNs set up on the new service account:
http/node1
http/node1.domain.com
http/node2
http/node2.domain.com
http/node3
http/node3.domain.com
http/crmalias
http/crmalias.domain.com
The useAppPoolCredentials = True setting is the step that most people miss.
- Edited by ChrisDodgson1 Monday, January 7, 2013 3:24 PM
Monday, January 7, 2013 3:20 PM
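The following PowerShell script is an added example that is not part of this thread and not from either poster; it checks the two things the reply above asks for on a Windows 2008 / IIS 7 node: that the HTTP SPNs for every node and the NLB alias are registered on the CRMAppPool service account, and that the CRM site's Windows authentication has kernel mode and useAppPoolCredentials turned on. The account name `DOMAIN\svc-crmapppool`, the host names `node1`..`node3` and `crmalias`, the DNS suffix `domain.com` and the site name `Microsoft Dynamics CRM` are assumptions to replace with your own values; `setspn.exe` and `appcmd.exe` are the standard tools and are called with their documented switches.

```powershell
# Added example (not from the thread): verify Kerberos prerequisites for a
# load-balanced CRM deployment on IIS 7. Run elevated on each CRM node.
# All names below are assumptions; substitute your own environment.

$ServiceAccount = 'DOMAIN\svc-crmapppool'        # assumed CRMAppPool identity
$DnsDomain      = 'domain.com'                   # assumed DNS suffix
$Hosts          = 'node1', 'node2', 'node3', 'crmalias'   # nodes + NLB alias
$SiteName       = 'Microsoft Dynamics CRM'       # assumed IIS site name
$AppCmd         = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Expected SPNs: short and fully qualified form for every host, as listed
#    in the reply (http/node1, http/node1.domain.com, ... http/crmalias.domain.com).
$Expected = foreach ($h in $Hosts) { "http/$h"; "http/$h.$DnsDomain" }

# setspn -L prints the SPNs registered on the account, one per line, indented.
$Registered = setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^http/' }

# -notcontains is case-insensitive for strings, which matches SPN semantics.
$Missing = $Expected | Where-Object { $Registered -notcontains $_ }

if ($Missing) {
    Write-Host "Missing SPNs on ${ServiceAccount}:" -ForegroundColor Yellow
    $Missing | ForEach-Object { Write-Host "  setspn -S $_ $ServiceAccount" }
} else {
    Write-Host "All expected HTTP SPNs are registered on $ServiceAccount." -ForegroundColor Green
}

# 2. A duplicate SPN anywhere in the forest makes the KDC refuse the ticket and
#    the client silently falls back to NTLM, which cannot do the second hop
#    (custom page -> CRM web service) and surfaces as a 401. setspn -X reports them.
Write-Host "`nChecking the forest for duplicate SPNs (setspn -X)..."
setspn -X | Where-Object { $_ -match 'http/' }

# 3. IIS 7 Windows authentication on the CRM site. With kernel-mode auth the
#    ticket is decrypted by the machine account unless useAppPoolCredentials is
#    true, so SPNs on the service account only work with both settings on.
$AuthConfig = & $AppCmd list config $SiteName `
    /section:system.webServer/security/authentication/windowsAuthentication

$KernelMode = $AuthConfig -match 'useKernelMode="true"'
$AppPoolCreds = $AuthConfig -match 'useAppPoolCredentials="true"'

Write-Host "`nIIS windowsAuthentication on '$SiteName':"
Write-Host ("  useKernelMode          : {0}" -f [bool]$KernelMode)
Write-Host ("  useAppPoolCredentials  : {0}" -f [bool]$AppPoolCreds)

if (-not ($KernelMode -and $AppPoolCreds)) {
    # Printed, not executed: apply deliberately after reviewing the output.
    Write-Host "  To fix, run:" -ForegroundColor Yellow
    Write-Host ("  & '{0}' set config '{1}' " +
        "/section:system.webServer/security/authentication/windowsAuthentication " +
        "/useKernelMode:true /useAppPoolCredentials:true /commit:apphost") -f $AppCmd, $SiteName
}
```

The script only reports and prints the remediation commands rather than changing anything, so it can be run on every node before and after the change to confirm that all of them agree. If an SPN is reported missing, register it once on the service account (not on each machine account); if `setspn -X` lists an `http/` SPN twice, remove the stale registration first, otherwise adding another copy will not help.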
-
We use Win 2003 R2.
Dawid Kolodziejczyk
Monday, January 7, 2013 5:47 PM