Kerberos Configuration and Dynamics CRM 2011

  • Question

  • Hi,

    I am working on a Kerberos-enabled Dynamics CRM 2011 deployment. Dynamics CRM is deployed on Server A, the Asynchronous and Sandbox Services are deployed on Server B, and SQL Server is deployed on Server C.

    I've added the following SPNs for the Dynamics CRM 2011 WFE:

    Servername: ServerA.fqdn

    http/crm <domain>\<service account>
    http/crm.fqdn <domain>\<service account>

    MSCRMDeployment/crm <domain>\<XRM Deployment Service Account>
    MSCRMDeployment/crm.fqdn <domain>\<XRM Deployment Service Account>

    http/crm has delegated permissions to MSSQLSvc/<sql server> <domain>\<sql server service account>

    For the back end the following SPNs have been set.

    Servername: ServerB

    MSCRMSandbox\<server b> <domain>\<Sandbox Service Account>
    MSCRMSandbox\<server b>.fqdn <domain>\<Sandbox Service Account>

    MSCRMAsync\<server b> <domain>\<Async Service Account>
    MSCRMAsync\<server b>.fqdn <domain>\<Async Service Account>

    In IIS, Dynamics and the ServerUrl are set to the FQDN.

    Everything is working fine, but we've got problems with plugins and solutions. For some reason, all solutions running in the Sandbox are getting the following error:

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.ServiceModel.Security.SecurityNegotiationException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #2989A31DDetail:

    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">

      <ErrorCode>-2147220970</ErrorCode>

      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />

      <Message>System.ServiceModel.Security.SecurityNegotiationException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #2989A31D</Message>

      <Timestamp>2013-01-06T11:38:12.9282171Z</Timestamp>

      <InnerFault i:nil="true" />

      <TraceText>

     

    [Xbitz.Crm.AdvancedCRMAutoNumber: Xbitz.Crm.AdvancedCRMAutoNumber.GenerateAutoNumber]

    [14eb4ee7-c99d-e111-b463-1cc1de6e2b2d: Xbitz.Crm.AdvancedCRMAutoNumber.GenerateAutoNumber: Create of  any Entity]

    Does anyone have a clue, or am I missing a configuration here?


    • Edited by André Krijnen Monday, February 4, 2013 2:17 PM Additional Info
    Monday, February 4, 2013 1:04 PM
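The SPN layout in the question is easy to get subtly wrong (a duplicate SPN, an SPN on the wrong account, delegation set to the wrong target), and each of those produces exactly this kind of SecurityNegotiationException. The following is an added example, not code from the thread or from Microsoft, that checks the layout against Active Directory. The domain name, host names, account names and SQL port are assumptions; substitute your own.

```powershell
# Added example, not from the original thread. Verifies that each SPN from the
# question is registered exactly once on the intended account, and that the HTTP
# service account has constrained delegation to the SQL SPN (and nothing wider).
# All names below (domain, hosts, account names, SQL port) are assumptions.
$Domain = 'contoso.com'
$SqlSpn = "MSSQLSvc/serverc.${Domain}:1433"
$Expected = [ordered]@{
    'HTTP/crm'                     = 'svc-crmapp'
    "HTTP/crm.$Domain"             = 'svc-crmapp'
    'MSCRMDeployment/crm'          = 'svc-crmdeploy'
    "MSCRMDeployment/crm.$Domain"  = 'svc-crmdeploy'
    'MSCRMSandbox/serverb'         = 'svc-crmsandbox'
    "MSCRMSandbox/serverb.$Domain" = 'svc-crmsandbox'
    'MSCRMAsync/serverb'           = 'svc-crmasync'
    "MSCRMAsync/serverb.$Domain"   = 'svc-crmasync'
    $SqlSpn                        = 'svc-sql'
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a value containing '(' ')' '*' or '\' cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-SpnHolders {
    # Returns the sAMAccountName of every AD object that carries $Spn (should be exactly one).
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Get-DelegationInfo {
    # Reads the constrained-delegation target list and the delegation-related UAC bits.
    param([string]$SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msDS-AllowedToDelegateTo', 'userAccountControl'))
    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account                    = $SamAccountName
        AllowedToDelegateTo        = @($r.Properties['msds-allowedtodelegateto'])
        TrustedForDelegation       = [bool]($uac -band 0x80000)    # unconstrained delegation: should be off
        TrustedToAuthForDelegation = [bool]($uac -band 0x1000000)  # protocol transition: only if you really need it
    }
}

# 1. Every expected SPN must exist once, on the expected account. Duplicates break Kerberos outright.
foreach ($spn in $Expected.Keys) {
    $holders = @(Get-SpnHolders $spn)
    switch ($holders.Count) {
        0 { Write-Output "MISSING   $spn (expected on $($Expected[$spn]))" }
        1 {
            if ($holders[0] -ieq $Expected[$spn]) { Write-Output "OK        $spn -> $($holders[0])" }
            else { Write-Output "WRONG     $spn is on $($holders[0]), expected $($Expected[$spn])" }
        }
        default { Write-Output "DUPLICATE $spn is on: $($holders -join ', ')" }
    }
}

# 2. The HTTP account may delegate to SQL, via constrained delegation only.
$d = Get-DelegationInfo $Expected['HTTP/crm']
if ($null -eq $d) {
    Write-Output "Account $($Expected['HTTP/crm']) not found"
} else {
    if ($d.AllowedToDelegateTo -icontains $SqlSpn) { Write-Output "OK        $($d.Account) may delegate to $SqlSpn" }
    else { Write-Output "MISSING   $($d.Account) has no constrained delegation to $SqlSpn" }
    $extra = @($d.AllowedToDelegateTo | Where-Object { $_ -ine $SqlSpn })
    if ($extra.Count -gt 0) { Write-Output "WARNING   $($d.Account) may also delegate to: $($extra -join ', ')" }
    if ($d.TrustedForDelegation) { Write-Output "WARNING   $($d.Account) is trusted for unconstrained delegation" }
}
```

Run it as any domain user on a domain-joined box; it only reads AD. `setspn -X` gives the same duplicate check forest-wide but does not tell you which account should hold the SPN, which is why the expected map is spelled out here. The delegation check is the part worth keeping: the question's design (delegation from `http/crm` to `MSSQLSvc/...` only) is constrained delegation, and this script flags the two ways that commonly drifts into something broader.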

All replies

  • Either move your HTTP SPNs to the CRM Server account instead of the Service Account, or make sure you are using the useAppPoolCredentials = true setting

    http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx

    Monday, February 4, 2013 5:00 PM
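The reason this setting matters for the question's layout: with kernel-mode Windows authentication, http.sys decrypts the Kerberos service ticket, and by default it does so with the machine account's key. If the HTTP SPNs are registered on a domain service account (which is what keeps the SPNs off the machine account, as the asker prefers), that ticket was encrypted with the service account's key and the decryption fails unless `useAppPoolCredentials` is true. The following is an added example, not from the thread or from Microsoft, that reads the relevant IIS settings for the CRM site and flags that combination. The site name is an assumption.

```powershell
# Added example, not from the original thread. Reads the windowsAuthentication
# settings for the CRM site together with the app pool identity and flags the
# combination that breaks Kerberos for SPNs held by a domain service account.
# The site name is an assumption; the default CRM 2011 site is used here.
Import-Module WebAdministration

$SiteName = 'Microsoft Dynamics CRM'
$SitePath = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'

function Get-CrmWinAuthSettings {
    $auth = Get-WebConfiguration -Filter $Filter -PSPath $SitePath
    $pool = Get-Item "IIS:\AppPools\$((Get-Item $SitePath).applicationPool)"
    # Provider order matters: Negotiate must come before NTLM or clients fall back to NTLM.
    $providers = @(Get-WebConfiguration -Filter "$Filter/providers/add" -PSPath $SitePath |
                   ForEach-Object { $_.value })
    [pscustomobject]@{
        Enabled               = [bool]$auth.enabled
        UseKernelMode         = [bool]$auth.useKernelMode
        UseAppPoolCredentials = [bool]$auth.useAppPoolCredentials
        PoolIdentityType      = [string]$pool.processModel.identityType
        PoolUserName          = [string]$pool.processModel.userName
        Providers             = $providers
    }
}

function Set-CrmWinAuthForServiceAccount {
    # Keep kernel-mode auth (cheaper, and required for some CRM paths) but make
    # http.sys decrypt tickets with the app pool identity's key instead of the
    # machine account's. Written to applicationHost.config because the section
    # is locked at server level.
    Set-WebConfigurationProperty -Filter $Filter -PSPath $SitePath -Name useKernelMode -Value $true
    Set-WebConfigurationProperty -Filter $Filter -PSPath $SitePath -Name useAppPoolCredentials -Value $true
}

$s = Get-CrmWinAuthSettings
$s | Format-List

if (-not $s.Enabled) {
    Write-Warning "Windows authentication is disabled on '$SiteName'"
}
if ($s.PoolIdentityType -eq 'SpecificUser' -and $s.UseKernelMode -and -not $s.UseAppPoolCredentials) {
    Write-Warning ("Pool runs as {0} but http.sys will use the machine account key; " +
                   "run Set-CrmWinAuthForServiceAccount or move the HTTP SPNs to the computer account") -f $s.PoolUserName
}
if ($s.Providers.Count -gt 0 -and $s.Providers[0] -ne 'Negotiate') {
    Write-Warning "First provider is '$($s.Providers[0])'; Negotiate must be listed first for Kerberos"
}
```

The equivalent one-liner with appcmd is `appcmd set config "Microsoft Dynamics CRM" /section:windowsAuthentication /useKernelMode:true /useAppPoolCredentials:true /commit:apphost`. Either way, the choice is a real trade-off: SPNs on the computer account work without this flag but tie the Kerberos identity to the host, while SPNs on a service account with `useAppPoolCredentials=true` keep the identity (and its delegation rights) on an account you control separately.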
  • Hi Chris,

    In my ApplicationHost.config I already have set useAppPoolCredentials="true" and useKernelMode="true".

    I won't use a Server Account, because it is less secure...

    Regards

    Monday, February 4, 2013 6:36 PM
  • Hi Andre,

    What makes you think it's Kerberos? The error is pointing at [Xbitz.Crm.AdvancedCRMAutoNumber: Xbitz.Crm.AdvancedCRMAutoNumber.GenerateAutoNumber].

    To eliminate the Kerberos side of things, enable Kerberos verbose logging on the server; you could also run Wireshark from the server to analyse the packets.

    Is this a new deployment or an upgrade? Any restores of the database?



    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Tuesday, February 5, 2013 9:39 AM
    Answerer
  • Hi,

    Thanks for your reply... I've validated the code, and I've checked every parameter. I captured all Kerberos traffic, and the Kerberos ticket is invalidated. The Sandbox process is being initiated, and when it gets to the IOrganizationService it uses the Servername instead of the A record used in Dynamics. And it is not only this solution, but all solutions which are used in the Sandbox process.

    When we changed the configuration from the A record (CRM) back to the Servername, with the above configuration for that Servername, it runs perfectly. So it seems that the Dynamics processes can't work with a different HOST record (Servername) and the HOST record (CRM). This seems to be a bug inside Dynamics, because both should be usable, but somehow Dynamics can't work with two different A records (Servername / friendly URL).

    Regards 

    Tuesday, February 5, 2013 9:44 AM
  • It sounds like it's the database that holds that information.

    Can you check the MSCRM_CONFIG database, DeploymentProperties table, and look for:

    ADDeploymentSdkRootDomain
    ADDiscoveryRootDomain
    ADSdkRootDomain
    ADWebApplicationRootDomain

    These should have your A record DNS name, not the server's; if they have the server name, replace it with the correct A record.


    Tuesday, February 5, 2013 9:58 AM
    Answerer
  • This is done... validated, and the ServerUrl in the Registry is also changed.
    Tuesday, February 5, 2013 10:47 AM
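The check Chris describes and the registry ServerUrl the asker mentions are the two places CRM 2011 keeps its own idea of the host name, and a mismatch between them and the HTTP SPNs is exactly what makes the Sandbox's internal call request a ticket for the wrong name. The following is an added example, not from the thread or from Microsoft, that reads both and compares them with the intended friendly name. The SQL instance, expected host and registry path are assumptions; the table and column names are those of the CRM 2011 MSCRM_CONFIG database.

```powershell
# Added example, not from the original thread. Reads the four DeploymentProperties
# rows Chris lists and the HKLM ServerUrl value, and reports any that still point
# at the server name instead of the friendly A record. SQL instance, expected host
# and registry path are assumptions for illustration.
$SqlInstance  = 'serverc.contoso.com'
$ExpectedHost = 'crm.contoso.com'
$Keys = @('ADDeploymentSdkRootDomain', 'ADDiscoveryRootDomain', 'ADSdkRootDomain', 'ADWebApplicationRootDomain')

function Get-CrmRootDomains {
    # Returns a hashtable ColumnName -> NVarCharColumn for the requested rows.
    param([string]$Instance, [string[]]$Names)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=MSCRM_CONFIG;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    # Parameterised IN list; the names are never spliced into the SQL text.
    $placeholders = @()
    for ($i = 0; $i -lt $Names.Count; $i++) {
        [void]$cmd.Parameters.AddWithValue("@n$i", $Names[$i])
        $placeholders += "@n$i"
    }
    $cmd.CommandText = "SELECT ColumnName, NVarCharColumn FROM dbo.DeploymentProperties " +
                       "WHERE ColumnName IN ($($placeholders -join ','))"
    $result = @{}
    $conn.Open()
    try {
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            $result[$rdr.GetString(0)] = if ($rdr.IsDBNull(1)) { $null } else { $rdr.GetString(1) }
        }
        $rdr.Close()
    } finally { $conn.Close() }
    $result
}

function Get-CrmServerUrlHost {
    # ServerUrl looks like http://crm.contoso.com/MSCRMServices; only the host part matters here.
    $url = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSCRM' -Name ServerUrl).ServerUrl
    ([uri]$url).Host
}

function Test-CrmHostNames {
    # Returns one line per mismatch; an empty result means everything points at $Expected.
    param([hashtable]$RootDomains, [string]$ServerUrlHost, [string]$Expected)
    $problems = @()
    foreach ($k in $Keys) {
        $v = $RootDomains[$k]
        # These values may carry a port (host:5555); compare the host part only.
        $hostPart = if ($v) { ($v -split ':')[0] } else { '' }
        if ($hostPart -ine $Expected) { $problems += "$k = '$v' (expected host $Expected)" }
    }
    if ($ServerUrlHost -ine $Expected) {
        $problems += "HKLM\SOFTWARE\Microsoft\MSCRM\ServerUrl host = '$ServerUrlHost' (expected $Expected)"
    }
    $problems
}

$mismatches = Test-CrmHostNames (Get-CrmRootDomains $SqlInstance $Keys) (Get-CrmServerUrlHost) $ExpectedHost
if ($mismatches.Count -eq 0) { Write-Output "All root domain settings and ServerUrl point at $ExpectedHost" }
else { $mismatches | ForEach-Object { Write-Output "MISMATCH  $_" } }
```

Run it on the CRM front-end server as an account that can read MSCRM_CONFIG; because the connection uses integrated security, it also exercises the `MSSQLSvc` SPN on the SQL service account on the way in. If it reports mismatches, change them through Deployment Manager (Properties, Web Address tab) rather than with UPDATE statements, so the registry and the deployment web service are updated together; then re-run to confirm every host part agrees with the name your HTTP SPNs are registered for.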
  • Can you add the SPNs

    HTTP/servername
    HTTP/servername.fqdn


    Tuesday, February 5, 2013 11:06 AM
    Answerer
  • Hi Andre,

    How did you get on? I think you were missing the above SPNs?


    Thursday, February 7, 2013 3:44 PM
    Answerer
  • Following this post: we had authentication issues when IPv6 was enabled on the SQL servers in an international dWAN. I noticed that IPv6 A records were created in the forward lookup zones, and that created failures for code within third-party CRM apps. I set all the A records back to IPv4 and the failing code worked.

    In the end, it was not the fault of IPV6 but the drivers on Virtual NICs in the dataCenter at the hoster.


    Curtis J Spanburgh

    Thursday, February 7, 2013 8:42 PM
    Moderator
  • This sounds related to the problem that I am having. I have a separate Front End server that is hosting my Org service, and it fails if it runs any sandboxed plugins. I remember reading that CRM 2011 only supports one binding for the WCF services that it hosts. There seems to be a bug in that the Front End server doesn't check to see what the current WCF binding is set to... it just assumes Servername.
    Friday, February 8, 2013 1:24 PM
  • @Chris,

    I am at the moment busy with Premier Support to solve this issue. Microsoft UK and Microsoft France are involved in this process. When I get an update I will post it in this thread.

    @Curt: Sorry, good suggestion, but that didn't work out.

    @nrodri: This didn't work either. It seems that the Sandbox Service has issues, but we're still figuring it out. We tried in multiple domains, and all have the same issue.

    Tuesday, February 12, 2013 11:33 PM
  • Well, we are really set to find out how this works out.


    Curtis J Spanburgh

    Wednesday, February 13, 2013 2:45 AM
    Moderator
  • Andre, make sure all the servers have the same time zone, time and date format; try this...

    ms crm

    Thursday, February 14, 2013 8:08 AM