locked
CRM 2011: Connect to CRM Server: The caller was not authenticated by the service. RRS feed

  • Question

  • Hello Forum

    I have the following:

    CRM 2011 onprem, OL 2010, Workgroup (no domain), login is configured in the local users

    I cannot connect to CRM. The following error appears: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

    I tried edit the hosts file, change user of the app pool, but nothing helped.

    Any hint?

    Thanks a lot!

    Tuesday, December 4, 2012 9:10 AM

Answers

  • We solved the issue without Domain Join or IFD.

    The solution is as follows:

    - Local Hosts Entry with Server Name

    - Equal Username and Passwort in AD and Local Users

    - URL Entry in Local Intranet of IE

    Hope it works for you too!

    Cheers

    • Marked as answer by CRMBE Wednesday, January 9, 2013 5:02 PM
    Wednesday, January 9, 2013 5:02 PM

All replies

  • no idea?
    Tuesday, December 4, 2012 6:19 PM
  • really anyone?

    thanks for support
    • Edited by CRMBE Thursday, December 6, 2012 3:56 PM
    Thursday, December 6, 2012 8:05 AM
  • Hi CRMBE,

    you say "no domain" that's the problem, you can't install CRM under a server joined to a workgroup domain, CRM is tightly integrated into Active Directory.


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Thursday, December 6, 2012 5:01 PM
    Answerer
  • thanks for the answer!

    of course are the user in an ad, but the computers haven't joined to the domain. so two users exist and thats solved with a custom user logon on the existing account. that's no problem. I did that several times, so this is not the problem. Must be something with the authentication....

    Thursday, December 6, 2012 8:53 PM
  • you can't install CRM 2011 on a workgroup domain, the server must be a member of an AD domain

    http://msdn.microsoft.com/en-us/library/hh699671.aspx

    The computer on which Microsoft Dynamics CRM 2011 is running must be a domain member in a domain that is running in one of the following Active Directory directory service domain modes:

    • Windows 2000 Mixed
    • Windows 2000 Native
    • Windows Server 2003 Interim
    • Windows Server 2003 Native
    • Windows Server 2008 Interim
    • Windows Server 2008 Native


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    • Proposed as answer by nrodriEditor Thursday, December 6, 2012 10:00 PM
    • Unproposed as answer by nrodriEditor Friday, December 7, 2012 9:25 AM
    Thursday, December 6, 2012 10:00 PM
    Answerer
  • Thanks.

    Of course is the server an active directory server with a domain, but the clients aren't in that domain. CRM works perfectly with the browser but not with Outlook Client.

    Friday, December 7, 2012 7:15 AM
  • Hello Forum

    Unfortunately, the problem is not yet solved. Still the same. I summarize again:

    CRM 2011 onprem (DC) with CRM user (in AD), the clients are just in a workgroup and not joined to the domain (domain credentials have been set locally). The CRM server is hosted externally and the connection has a site to site VPN (no software required on the clients). Webclient works perfectly, but the connect with outlook client cannot connect. Any hints for that?

    Thanks a lot!

    Thursday, December 27, 2012 1:33 PM
  • anyone? no idea or hint?
    • Edited by CRMBE Monday, December 31, 2012 2:05 PM
    Thursday, December 27, 2012 7:29 PM
  • Hi CRMBE,

    If the scenario is :

    you have a CRM 2011 server - joined to an Active directory domain , and you are trying to configure OL client from a client machine not joined to the domain ,

    what you see is expected behavior.

    When the CRM outlook client tries to connect to the server , if accesses the discovery service endpoint over anonymous auth.

    There , it reads a similar information :

     - <wsdl:service name="DiscoveryService">

    - <wsdl:port name="CustomBinding_IDiscoveryService" binding="i0:CustomBinding_IDiscoveryService">

      <soap12:address location="https://xaptcrm.newfrontier.eu/XrmServices/2011/Discovery.svc" />

    - <wsa10:EndpointReference>

      <wsa10:Address>https://xaptcrm.newfrontier.eu/XrmServices/2011/Discovery.svc</wsa10:Address>

    - <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">

      <Upn>domain\service</Upn>

      </Identity>

      </wsa10:EndpointReference>

      </wsdl:port>

      </wsdl:service>

      </wsdl:definitions>

    The client is expected to get a Kerberos ticket to the CRM appPool account  , pack it into an XML and send it to the CRM server and authenticate itself , to receive any organization specific data .

    if your client is not joined to the domain , you will never obtain the kerb ticket - causing the failure.

    The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.


    • Edited by Alengeo Friday, January 4, 2013 12:27 PM
    • Marked as answer by CRMBE Wednesday, January 9, 2013 7:20 AM
    • Unmarked as answer by CRMBE Wednesday, January 9, 2013 5:02 PM
    Friday, January 4, 2013 12:26 PM
  • Thanks Alen!

    The error no longer appears after screwing on Windows Authentication (Kerberos).

    Wednesday, January 9, 2013 7:20 AM
  • We solved the issue without Domain Join or IFD.

    The solution is as follows:

    - Local Hosts Entry with Server Name

    - Equal Username and Passwort in AD and Local Users

    - URL Entry in Local Intranet of IE

    Hope it works for you too!

    Cheers

    • Marked as answer by CRMBE Wednesday, January 9, 2013 5:02 PM
    Wednesday, January 9, 2013 5:02 PM