CRM FQDN failing with 401.1 when accessed from the CRM web server

Question
-
Hi,
I have a weird CRM Dynamics 4.0 install issue.
When logged into one or either of the CRM web servers, I am unable to log in to the CRM deployment via the FQDN (CRMUAT.contoso.com). I get the lovely username and password prompt followed by the 'HTTP Error 401.1 - Unauthorized: Access is denied'.
If I try to access the deployment by use of the SERVERNAME or LOCALHOST, then I am able to log in without issue. Also, when I try to access the deployment from a remote Windows client, I am able to access the deployment using the FQDN (CRMUAT.contoso.com) without issue. It is only an issue when I am logged into one of the CRM web servers.
It's causing me an issue as I am installing an application locally on each web server that reads the FQDN value from the deployment and then tries to connect to it from the web server to configure some settings, but fails due to the issue listed above.
It feels like an SPN issue... but I can't think what I have missed, so any help would be appreciated.
2 webservers with WLBS running CRM under service account
CRMAPPSERVER1.contoso.com
CRMAPPSERVER2.contoso.com
contoso\crmserviceaccount
2 Windows 2008 SQL servers in failover cluster
SQLSERVER1.contoso.com
SQLSERVER2.contoso.com
1 virtual sql instance
VIRTUALSQL1.contoso.com\UAT1
the following A record setup in DNS pointing to WLBS cluster name which is configured on the 2 CRM web servers
CRMUAT.contoso.com --> A record --> 10.100.10.20
the following SPN setup for the service account (the account is trusted for delegation)
CONTOSO\crmserviceaccount
HTTP/CRMAPPSERVER1.contoso.com
HTTP/CRMAPPSERVER1
HTTP/CRMAPPSERVER2
HTTP/CRMAPPSERVER2.contoso.com
HTTP/CRMUAT.contoso.com
the following SPN setup for each of the Web servers (each webserver is trusted for delegation)
HTTP/CRMUAT.contoso.com
HOST/CRMAPPSERVER1
HOST/CRMAPPSERVER1.contoso.com
HTTP/CRMUAT.contoso.com
HOST/CRMAPPSERVER2
HOST/CRMAPPSERVER2.contoso.com
Regards
Gavin
Monday, September 20, 2010 5:28 PM
Answers
-
The final fix for me was to add the following backconnection hostnames to the registry. This way I didn't have to disable the loopback.
http://support.microsoft.com/kb/896861
Method 1: Specify host names (Preferred method if NTLM authentication is desired)
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
- Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base: 281308 (http://support.microsoft.com/kb/281308/) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart the IISAdmin service.
- Marked as answer by Gavin Higgins Monday, July 23, 2012 6:58 PM
Wednesday, November 16, 2011 12:19 PM
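The steps in the accepted answer, scripted in PowerShell as an added example (not part of the original post or the KB article). It assumes an elevated session on each CRM web server, the FQDN from the question (CRMUAT.contoso.com), and the LanmanServer registry path for DisableStrictNameChecking as documented in KB 281308; existing BackConnectionHostNames entries are preserved, and DisableLoopbackCheck is only reported, not changed.

```powershell
# Added example, not from the original thread. Run elevated on each CRM web server.
$ErrorActionPreference = 'Stop'

# Assumption: the host names this server answers to; FQDN taken from the question.
$hostNames = @('CRMUAT.contoso.com')

$msv1_0 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Path for the first step as documented in KB 281308 (not shown in the post).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Step 1: set DisableStrictNameChecking to 1.
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read the current multi-string value, if any, so existing entries survive.
$existing = @()
$current = Get-ItemProperty -Path $msv1_0 -Name BackConnectionHostNames `
    -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.BackConnectionHostNames) }

# Merge, drop empty strings, de-duplicate (Sort-Object -Unique ignores case).
$merged = [string[]]@(($existing + $hostNames) |
    Where-Object { $_ } | Sort-Object -Unique)

# Create or overwrite BackConnectionHostNames as a Multi-String (REG_MULTI_SZ) value.
New-ItemProperty -Path $msv1_0 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# Report (do not change) the blanket switch from the other KB method, so it is
# visible when the loopback check has been turned off for every host name.
$check = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
    -ErrorAction SilentlyContinue
if ($check -and $check.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for all host names on this server.'
}

# Last step: restart the IISAdmin service so the change takes effect.
Restart-Service -Name IISADMIN -Force

# Show the resulting list for the change record.
$merged
```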
All replies
-
Hi,
Enable tracing using article
http://support.microsoft.com/kb/907490/en-us
Try the Diagnostic tools for 4.0:
http://blogs.msdn.com/benlec/archive/2008/03/04/crmdiagtool4-for-microsoft-crm-4-0-has-been-released.aspx
Hope this helps.
Thanks, Ranjitsingh R | http://mscrm-developer.blogspot.com/ | MS CRM Consultant
- Marked as answer by Jim Glass Jr Wednesday, October 6, 2010 9:26 PM
- Unmarked as answer by Gavin Higgins Monday, July 23, 2012 6:59 PM
Wednesday, September 22, 2010 4:46 AM -
Hi Gavin,
Even we are facing the same error while accessing with the NLB FQDN name. Trace didn't help.
We are able to access with the NLB IP Address from the CRM WEB Servers, but with NLB FQDN Name we are not able to.
Can you please let me know what is the resolution.
Thanks,
Manoj.
Manoj Batchu
Thursday, October 28, 2010 1:05 AM -
Added registry entry to Disable loopback Check value.
Refer Method 2 in KB: http://support.microsoft.com/kb/911353
Manoj Batchu
- Proposed as answer by Manoj Batchu Saturday, December 4, 2010 5:40 AM
Saturday, December 4, 2010 5:40 AM -
Added registry entry to Disable loopback Check value.
Refer Method 2 in KB: http://support.microsoft.com/kb/911353
Manoj Batchu
I had the same problem with a different application (Deltek Vision) and this suggestion fixed it.
Wednesday, January 5, 2011 10:55 PM