locked
CRM 4 - AN ISV Web Page is running as NT AUTHORIOTY\ANONYMOUS USER RRS feed

  • Question

  • I have a single ISV web page.  It runs withing the ISV folder of the CRM 4 web site.

    It has a button on it which triggers a database action (gets some data direct from CRM db and exports it as a spreadsheet).

    Everything works on the server using the CRM admin user, however on Client PCs it gives an error (including CRM admin user):

    Login failed for user NT AUTHORITY\ANONYMOUS USER

    ay Sytsem.Data.SqlClient.SqlInteralConnection...

    How do I make the page run as the actual user? 

    Where is it losing its identity (Wont the web pages will be part of CRM and will pass the identity to the SQL database in the same way that CRM would)?

    • It is a client system which I don't have full AD access to but as far as I am aware the System Administrator has set up SPNs for the CRM Admin user.
    • The SQL Connection uses Integrated Security.
    • No changes have been made to file system privileges for the ISV folder and the sub folder containing the application.
    Friday, December 10, 2010 9:27 AM

All replies

  • If the SQL Server is running on a separate server from CRM (which I suspect is the case), then you (or the administrator) will need to enable delegation within AD. The sections on delegation in these articles should help http://msdn.microsoft.com/en-us/library/ms998351.aspx and http://msdn.microsoft.com/en-us/library/ms998355.aspx (the content is still relevant, despite the warning at the top of the articles)
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Friday, December 10, 2010 11:32 AM
    Moderator
  • Yes, t is a seperate SQL server.

    The SPNs and Delegation have been set for the adminuser --> CRM web server.

    Delegation for adminuser set to "Trust the user for delegation to any service".

    Only strange thing is that running "setspn /L crmserver":

    I can see "adminuser/crmserver.domain.com" but not "adminuser/crmserver".

    I have run setspn for both with no error.  May be a red herring to expact the latter line to be there.

    Friday, December 10, 2010 4:25 PM
  • Been at this for a day now.

    We have managed to get something working but it is not ideal.

    When we add SPNs for the URL (say - crm and crm.domain.com), CRM becomes inoperable.  Everything suggests a duplicate SPN of some sort but we have been unable to locate such a duplicate.

    If we use the server name (say - crmserver and crmserver.domain.com) we can make it work.

    The client is happy for now.  Just wish there was a way forward.

    Monday, December 13, 2010 3:06 PM
  • In the end our client has had to contact MS directly for assistance.

    Whenever we add the SPN, CRM stops working.  There is a message relating to a possible duplicate on the network.  We have used various tools to list all the SPNs but have fauld to find a duplicate.

    So either no SPN and out application doesn't work anywhere except the server, or SPN and no CRM.

    If I hear anything back I will post the solution.

    Friday, December 17, 2010 2:15 PM