CRM 2011 on premises email router error: Secure channel cannot be opened because security negotiation with the remote endpoint has failed

  • Question

  • Hello,

    I am currently building a CRM 2011 test environment that replicates the production environment. I have configured a deployment in the Email Router Configuration Manager as follows:

    • Deployment: My company
    • Microsoft Dynamics CRM Server: http://nlb-url/org
    • Access Credentials: Other Specified
    • Username: domain\crm_email_srvc_tst
    • Incoming configuration profile: <none selected>
    • Outgoing configuration profile: SMTP Outgoing

    Configurations have been mirrored to the letter, so it is often the case I simply change paths and URLs to reflect test environment resources rather than production. In this case you can see that for the server URL I am pointing to a network load balancing cluster. This is a hardware-based load balancing solution and it is working as expected (just like production when I try to browse the NLB URL).

    NOTE 1: Like the production environment, the load-balancing constitutes two full-CRM servers (with all roles).

    However, when I try to load data from this deployment, I get the following error:

    "Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint."

    NOTE 2: We are not using claims-based authentication in either the production environment or the test environment.

    If I try to change the CRM URL so it points directly to one of the CRM servers, I get the following error instead:

    "The caller was not authenticated by the service".

    Any ideas of what the problem might be? Any help is appreciated.

    Kind Regards,
    P.


    • Edited by pmdci Friday, November 7, 2014 10:54 AM
    Friday, November 7, 2014 10:54 AM

All replies

  • Things to check / try:

    - try username in user@domain format

    - check time is synched across all servers (set to synch from domain time, or set by hand and ideally use same time zone to avoid any confusion). If it is an issue with Kerberos and the time not being in step I would expect more explicit errors, but would not be too surprised at a web service giving some other kind of generic "access denied".


    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    UK CRM Guru Blog

    Friday, November 7, 2014 1:13 PM
  • Hi Adam,

    Thanks for the suggestions.

    I tried the user@domain format and I get even worse errors than before. As for the time, things seem to be alright between machines.

    Could this error be because I need to give the account some sort of access in CRM?

    Regards,
    P.

    Friday, November 7, 2014 1:44 PM
  • Given that the job of the email router will be to create records in CRM, yes, a CRM user is required, unless you use the Local System account and add the email router computername to the PrivUser group in AD.

    Check what user account is being used in live, and see if that is a CRM user, and what security roles it has (often an admin role). You did say configurations had been mirrored to the letter...


    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    UK CRM Guru Blog

    • Marked as answer by pmdci Friday, November 7, 2014 1:56 PM
    Friday, November 7, 2014 1:53 PM
  • Here is what the problem was, which is twofold:

    1. The account created had a long name, CRM_email_service_tst, which truncates the last T (so it spells _ts rather than _tst). I am not the person that created that account, as I despise service accounts with long names :)

    2. Since I migrated the organisation from the production environment, I had to go to the user lists in the test CRM and update the CRM Email Router account so it points to the email router account for the test environment (_ts one) rather than the CRM email router account for production.

    Unfortunately, now I have a new error:

    "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail"

    Any ideas? I started a new topic about this new error here: https://social.microsoft.com/Forums/en-US/634ca5a0-8039-4ea6-8a71-4fd0f154cf2d/

    Regards,
    P.


    • Edited by pmdci Friday, November 7, 2014 2:48 PM
    Friday, November 7, 2014 2:02 PM
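
The truncated account name described in the last post can be caught before it reaches the Email Router configuration. The following is an added example, not part of the original thread: it checks a configured logon name against Active Directory and reports the stored name when the configured one exceeds the 20-character sAMAccountName limit. It assumes the ActiveDirectory PowerShell module is installed; the function name `Test-ServiceLogonName` is hypothetical and the `DOMAIN` prefix is a placeholder.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SamLimit = 20   # AD caps a user's sAMAccountName (pre-Windows 2000 logon name) at 20 chars

function Test-ServiceLogonName {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$LogonName)

    $result = [ordered]@{
        Configured = $LogonName; Form = $null; TooLong = $false
        SamInAD = $null; UpnInAD = $null; Enabled = $null; Finding = $null
    }

    if ($LogonName -match '^[^\\@]+\\(?<user>[^\\]+)$') {
        # DOMAIN\user: the user part must equal the sAMAccountName exactly.
        $result.Form = 'DOMAIN\user'
        $user = $Matches['user']
        $result.TooLong = $user.Length -gt $SamLimit
        # If the name is too long, look for the 20-character truncation
        # that the thread describes (…_tst stored as …_ts).
        $candidate = if ($result.TooLong) { $user.Substring(0, $SamLimit) } else { $user }
        $account = Get-ADUser -Filter "SamAccountName -eq '$candidate'"
    }
    elseif ($LogonName -match '^[^@\\]+@[^@\\]+$') {
        # user@domain: matched against userPrincipalName, which has no 20-char cap.
        $result.Form = 'user@domain'
        $account = Get-ADUser -Filter "UserPrincipalName -eq '$LogonName'"
    }
    else {
        $result.Finding = 'Unrecognised logon name format'
        return [pscustomobject]$result
    }

    if (-not $account) {
        $result.Finding = 'No matching account in AD'
    }
    else {
        $result.SamInAD = $account.SamAccountName
        $result.UpnInAD = $account.UserPrincipalName
        $result.Enabled = $account.Enabled
        $result.Finding = if ($result.TooLong) {
            "Configured name exceeds $SamLimit chars; use '$($account.SamAccountName)'"
        } else { 'Configured name matches AD' }
    }
    [pscustomobject]$result
}

# Constructed sample input using the account name quoted in the thread.
Test-ServiceLogonName -LogonName 'DOMAIN\CRM_email_service_tst' | Format-List
```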