Claims IFD requesting Windows (NTLM/Kerberos) Credentials

  • Question

  • We have a Claims IFD deployment set up with multiple load-balanced front-end servers. Periodically we will get users receiving the Windows credentials login window on the return request to CRM (after authentication has completed on the ADFS server).

    So the flow is like this: User accesses https://orgname.fqdn.com -> redirects to ADFS -> user enters credentials -> ADFS redirects back to CRM -> windows authentication dialog.

    As mentioned this is periodic. Seems to happen without any other cause. A restart of the front-end IIS servers "fixes" it. 

    Unfortunately I can't seem to reproduce the issue on demand, nor am I able to leave the servers in this state long enough to do any substantial troubleshooting (major production system with very high traffic).


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Monday, January 28, 2013 7:43 PM

All replies

  • I would make sure all clients have the CRM and ADFS URL in the Local Intranet Zone.

    Also make sure that you have the latest Update Rollup applied to the server. There are quite a few fixes for ADFS in the later update rollups.

    If the users supply their credentials in the Windows dialog boxes, does it let them continue or do they end up with a 401 error?

    Tuesday, January 29, 2013 2:36 AM
  • We're on RU11.

    If they enter their credentials they get 401.

    I don't see how adding them to the intranet zone would be beneficial. Their computers are not part of the same domain, so their system credentials would be incorrect. They're also accessing externally with the FQDN.



    Tuesday, January 29, 2013 5:12 PM
  • If they get a 401 when supplying creds, then you are correct, adding the URLs to the Local Intranet zone will not help.

    What account is starting the Application Pools? Have you verified that the SPNs are set up correctly? Missing or duplicate SPNs can cause 401s; however, in most cases if SPNs are incorrect it will cause the 401s constantly, not randomly like what you are seeing.

    Here are a few things you can check.

    -Since you are using NLB you will need to be using a Service Account for the Application pools.

    -Make sure Kernel mode is enabled in IIS on both nodes.
    http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx 

    -Make sure you have useAppPoolCredentials = true set on the NLB nodes

    http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx 

    -You will also want to make sure the URL you have specified in the Deployment Manager is correct.

    Start > All Programs > Microsoft Dynamics CRM> Deployment Manager

    Right-click on Microsoft Dynamics CRM, pick Properties and verify the URL is correct.

    Then Click the Advanced Option and then select the NLB option

    -If you look in the event logs on the CRM, ADFS or AD servers, do you see any KDC errors or anything Kerberos related?



    Tuesday, January 29, 2013 8:40 PM
  • Thanks for the response Chris.

    The app pool is running under a domain account, and I don't believe we have much of a choice in this instance due to interactions with some other applications.

    We don't have useAppPoolCredentials set to true. I think I ran into issues with this (can't be 100% sure) but they would have been related to the same interaction issues with the above statement.

    As far as I have seen there haven't been any event log errors related to the situation.

    I find it quite bizarre how sporadic it is. We've gone weeks before without running into it, then it'll happen 2-3 times in a single day. Also the fact that an iisreset fixes it is semi-perplexing to me.



    Tuesday, January 29, 2013 9:28 PM
  • When I said Service account I should have said Domain Account; Service account is kind of confusing.

    If you have two IIS servers in an NLB and you have Kernel mode enabled, you will need to use useAppPoolCredentials = True.

    Also make sure the SPNs are on the Domain account when you use useAppPoolCredentials = True.
    Tuesday, January 29, 2013 11:53 PM
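
    The three settings Chris lists (domain app-pool identity, kernel-mode authentication, useAppPoolCredentials, plus HTTP SPNs held only by that domain account) have to agree on every NLB node, because kernel-mode authentication decrypts the Kerberos service ticket with the machine account unless useAppPoolCredentials tells it to use the app-pool identity instead. The script below is an added audit example, not code from the thread or from Microsoft; run it in an elevated PowerShell on each front-end node and diff the output. It assumes the IIS site is named "Microsoft Dynamics CRM" and uses a hypothetical internal hostname; orgname.fqdn.com is the external name from the question. It only reads configuration; the one change it suggests is shown as a commented-out line.

```powershell
# Added audit example (not from the thread). Run elevated on EACH NLB node.
Import-Module WebAdministration

$SiteName     = 'Microsoft Dynamics CRM'   # assumed default CRM site name
$ExternalFqdn = 'orgname.fqdn.com'         # external name from the question
$InternalFqdn = 'crm-internal.fqdn.com'    # hypothetical internal name

$sitePath = "IIS:\Sites\$SiteName"
$authPath = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Identity of the app pool serving the site root.
$poolName = (Get-Item $sitePath).applicationPool
$pm       = (Get-Item "IIS:\AppPools\$poolName").processModel
"AppPool '$poolName': identityType=$($pm.identityType) userName=$($pm.userName)"

# 2. Windows-auth settings on this node (must match on every node).
$winAuth = Get-WebConfiguration -PSPath $sitePath -Filter $authPath
"useKernelMode=$($winAuth.useKernelMode) useAppPoolCredentials=$($winAuth.useAppPoolCredentials)"

# Kernel mode + a domain identity + useAppPoolCredentials=false is the
# combination the reply warns about: the node tries to decrypt a ticket
# issued for the domain account's SPN with its own machine-account key.
if ($winAuth.useKernelMode -and $pm.identityType -eq 'SpecificUser' -and -not $winAuth.useAppPoolCredentials) {
    Write-Warning "Kernel mode with domain app-pool identity but useAppPoolCredentials=false on $env:COMPUTERNAME"
    # Remediation (apply on every NLB node during a maintenance window):
    # Set-WebConfigurationProperty -PSPath $sitePath -Filter $authPath -Name useAppPoolCredentials -Value $true
}

# 3. SPN placement: the HTTP SPNs for the CRM names must sit on the app-pool
#    account and on nothing else. setspn.exe ships with Windows Server.
if ($pm.identityType -eq 'SpecificUser') {
    "SPNs registered on $($pm.userName):"
    setspn -L $pm.userName
}

foreach ($fqdn in @($ExternalFqdn, $InternalFqdn)) {
    "Principals holding HTTP/$fqdn (expect exactly one, the app-pool account):"
    setspn -Q "HTTP/$fqdn"
}

"Forest-wide duplicate SPN check (expect 'found 0 group of duplicate SPNs'):"
setspn -X
```

    A node that reports a different useAppPoolCredentials value, or an HTTP SPN held by a machine account or a second principal, is the one to look at first: Kerberos failures of that kind depend on which node the load balancer picks, which fits a fault that comes and goes rather than one that fails every request.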
  • Ok. I'm going to have to shelve this for now then. We don't have any service windows right now where I can test those changes thoroughly.

    I'll mark your last reply as an answer for now as I'm sure it might help someone.

    Thanks again Chris.



    Wednesday, January 30, 2013 3:13 PM