Answered by:
CRM 2011: Connect to CRM Server: The caller was not authenticated by the service.

Question
-
Hello Forum
I have the following:
CRM 2011 onprem, OL 2010, Workgroup (no domain), login is configured in the local users
I cannot connect to CRM. The following error appears: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
I tried edit the hosts file, change user of the app pool, but nothing helped.
Any hint?
Thanks a lot!
Tuesday, December 4, 2012 9:10 AM
Answers
-
We solved the issue without Domain Join or IFD.
The solution is as follows:
- Local Hosts Entry with Server Name
- Equal Username and Passwort in AD and Local Users
- URL Entry in Local Intranet of IE
Hope it works for you too!
Cheers
- Marked as answer by CRMBE Wednesday, January 9, 2013 5:02 PM
Wednesday, January 9, 2013 5:02 PM
All replies
-
no idea?Tuesday, December 4, 2012 6:19 PM
-
really anyone?
thanks for support- Edited by CRMBE Thursday, December 6, 2012 3:56 PM
Thursday, December 6, 2012 8:05 AM -
Hi CRMBE,
you say "no domain" that's the problem, you can't install CRM under a server joined to a workgroup domain, CRM is tightly integrated into Active Directory.
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
Thursday, December 6, 2012 5:01 PMAnswerer -
thanks for the answer!
of course are the user in an ad, but the computers haven't joined to the domain. so two users exist and thats solved with a custom user logon on the existing account. that's no problem. I did that several times, so this is not the problem. Must be something with the authentication....
Thursday, December 6, 2012 8:53 PM -
you can't install CRM 2011 on a workgroup domain, the server must be a member of an AD domain
http://msdn.microsoft.com/en-us/library/hh699671.aspx
The computer on which Microsoft Dynamics CRM 2011 is running must be a domain member in a domain that is running in one of the following Active Directory directory service domain modes:
- Windows 2000 Mixed
- Windows 2000 Native
- Windows Server 2003 Interim
- Windows Server 2003 Native
- Windows Server 2008 Interim
- Windows Server 2008 Native
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
- Proposed as answer by nrodriEditor Thursday, December 6, 2012 10:00 PM
- Unproposed as answer by nrodriEditor Friday, December 7, 2012 9:25 AM
Thursday, December 6, 2012 10:00 PMAnswerer -
Thanks.
Of course is the server an active directory server with a domain, but the clients aren't in that domain. CRM works perfectly with the browser but not with Outlook Client.
Friday, December 7, 2012 7:15 AM -
Hello Forum
Unfortunately, the problem is not yet solved. Still the same. I summarize again:
CRM 2011 onprem (DC) with CRM user (in AD), the clients are just in a workgroup and not joined to the domain (domain credentials have been set locally). The CRM server is hosted externally and the connection has a site to site VPN (no software required on the clients). Webclient works perfectly, but the connect with outlook client cannot connect. Any hints for that?
Thanks a lot!
Thursday, December 27, 2012 1:33 PM -
anyone? no idea or hint?
- Edited by CRMBE Monday, December 31, 2012 2:05 PM
Thursday, December 27, 2012 7:29 PM -
Hi CRMBE,
If the scenario is :
you have a CRM 2011 server - joined to an Active directory domain , and you are trying to configure OL client from a client machine not joined to the domain ,
what you see is expected behavior.
When the CRM outlook client tries to connect to the server , if accesses the discovery service endpoint over anonymous auth.
There , it reads a similar information :
- <wsdl:service name="DiscoveryService">
- <wsdl:port name="CustomBinding_IDiscoveryService" binding="i0:CustomBinding_IDiscoveryService">
<soap12:address location="https://xaptcrm.newfrontier.eu/XrmServices/2011/Discovery.svc" />
- <wsa10:EndpointReference>
<wsa10:Address>https://xaptcrm.newfrontier.eu/XrmServices/2011/Discovery.svc</wsa10:Address>
- <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<Upn>domain\service</Upn>
</Identity>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
The client is expected to get a Kerberos ticket to the CRM appPool account , pack it into an XML and send it to the CRM server and authenticate itself , to receive any organization specific data .
if your client is not joined to the domain , you will never obtain the kerb ticket - causing the failure.
The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
Friday, January 4, 2013 12:26 PM -
Thanks Alen!
The error no longer appears after screwing on Windows Authentication (Kerberos).
Wednesday, January 9, 2013 7:20 AM -
We solved the issue without Domain Join or IFD.
The solution is as follows:
- Local Hosts Entry with Server Name
- Equal Username and Passwort in AD and Local Users
- URL Entry in Local Intranet of IE
Hope it works for you too!
Cheers
- Marked as answer by CRMBE Wednesday, January 9, 2013 5:02 PM
Wednesday, January 9, 2013 5:02 PM