401 Not Authorized after IFD

  • Question

  • I have configured CRM 2011 to work with IFD and I can log in from the outside, but when I try to log in using the internal URL I'm being prompted for a username and password (which shouldn't be happening on the internal URL), and after entering the account credentials it fails to authenticate with HTTP Error 401 Not Authorized.

    The authentication is for the ADFS server (which means the request for the CRM is passed on to the ADFS site).
    We have 1 server for the CRM, 1 server for the ADFS and 1 server for the domain controller.

    Can someone help me with this problem?
    Thanks in advance,
    Jonathan

    Thursday, September 15, 2011 2:03 PM

All replies

  • Hi Jonathan,

    Please add your internal CRM URL in Local Intranet from your IE Settings and make sure to have automatic login with current username and password.

     

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Thursday, September 15, 2011 2:06 PM
  • I don't think adding your internal CRM URL to Local Intranet would help you, as when you enter your credentials it gives you 401, but you still need to make sure that your CRM internal URL is in Local Intranet and with "automatic login with current username and password."

    If you still get the same issue, please follow the steps below:

    1) Try accessing your CRM internal URL from a different machine in the domain, adding the internal CRM URL to Local Intranet on that machine.

    2) If you can access it from that machine and you have the problem only while accessing the URL from the CRM server, please create the following registry key on the CRM server:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

    Right click -> Multi-String Value -> BackConnectionHostNames -> right click, Modify

    In the Value data box, type the hostname for the sites that are on the local computer.

    IISRESET.

    3) If you are still facing the issue, let me know the following info:

    CRM app pool account: ?

    ADFS URL: ?

    CRM internal URL: ?

    Make sure you have all A records in your DNS for dev, auth, sts, internal and external URLs.

    4) Make sure all the SPNs are in place; if they are not, you will surely have a 401 issue.

     


    Arpita
    • Proposed as answer by Khaja Mohiddin Thursday, September 15, 2011 2:34 PM
    Thursday, September 15, 2011 2:32 PM
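
Step 2 of the post above, scripted in PowerShell as an added example (not code from any poster in the thread). It assumes an elevated prompt on the CRM server and uses the internal CRM host name given later in the thread; listing specific names in `BackConnectionHostNames` leaves the loopback check active for every other name, unlike the broader `DisableLoopbackCheck` switch.

```powershell
# Added example: run elevated on the CRM server.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name      = 'BackConnectionHostNames'
$siteNames = @('intcrm.domain.com')   # host name taken from the thread; adjust to your sites

# Read whatever is already there so existing exceptions are preserved.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# Merge, drop empty entries, de-duplicate (case-insensitive by default).
[string[]]$merged = @($current) + $siteNames |
    Where-Object { $_ } |
    Sort-Object -Unique

# Write the value back as REG_MULTI_SZ (created if missing, overwritten if present).
New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
    -Value $merged -Force | Out-Null

Write-Host "BackConnectionHostNames now contains: $($merged -join ', ')"

# The thread's final step for this change.
iisreset
```
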
  • Khaja, thanks for the response but it didn't work.

    Arpita - the error is from all the computers, not only from the CRM\ADFS server.
    The CRM app pool account is a user dedicated only for this (not the CRM admin and not in the crmusers).
    ADFS URL is https://sts.domain.com
    CRM internal URL is https://intcrm.domain.com
    External URL is: https://orgname.domain.com

    I will check for the SPNs, but all the URLs are in the DNS.

    Thursday, September 15, 2011 3:19 PM
  • Hi Jonathan,

     

    Please add the following SPNs:

    HTTP/sts.domain.com SPN on ADFS machine account

    HTTP/crmintURL.domain.com on CRM machine account

    HTTP/CRMSERVERHOSTNAME on service account running CRM app pool.

    HTTP/CRMSERVERHOSTNAME.domain.com on service account running CRM app pool.

    Once this is done, as SPNs are set on the machine account, you need to restart the ADFS server.

    Do IISRESET on CRM server.

     

    Let me know if that helps


    Arpita
    • Marked as answer by Jonathan Y. Monday, September 19, 2011 4:48 AM
    Thursday, September 15, 2011 4:27 PM
  • Hi Jonathan,

    Are you able to login to https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx without any issues?

    Check for duplicate SPN records in your server using setspn -x

    If you find any duplicates, remove those records.

    Do IISRESET and try to access the IdpInitiatedSignOn.aspx page.

     

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Thursday, September 15, 2011 4:52 PM
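
The SPN registration from the marked answer and the duplicate check from the post above, combined into one PowerShell pass (an added example, not code from any poster in the thread). The SPN names are the ones given in the thread; the account names are hypothetical placeholders, and the script assumes the ActiveDirectory module plus rights to write `servicePrincipalName`.

```powershell
# Added example. Account names are hypothetical placeholders; replace them
# with the real ADFS/CRM machine accounts and the CRM app pool service account.
Import-Module ActiveDirectory

$wanted = @(
    @{ Spn = 'HTTP/sts.domain.com';               Account = 'ADFSSERVER$' },
    @{ Spn = 'HTTP/crmintURL.domain.com';         Account = 'CRMSERVER$' },
    @{ Spn = 'HTTP/CRMSERVERHOSTNAME';            Account = 'svc-crmapppool' },
    @{ Spn = 'HTTP/CRMSERVERHOSTNAME.domain.com'; Account = 'svc-crmapppool' }
)

foreach ($w in $wanted) {
    # Every account that currently carries this SPN. Kerberos needs exactly one;
    # two holders make ticket requests fail and the browser falls back to a prompt.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($w.Spn))" `
                     -Properties sAMAccountName)
    $names   = @($holders | ForEach-Object { $_.sAMAccountName })

    if ($names.Count -eq 0) {
        Write-Host "MISSING   $($w.Spn) -> registering on $($w.Account)"
        # -S refuses to add the SPN if it already exists elsewhere in the domain.
        setspn -S $w.Spn $w.Account
    }
    elseif ($names.Count -eq 1 -and $names[0] -eq $w.Account) {
        Write-Host "OK        $($w.Spn) on $($w.Account)"
    }
    else {
        # Report only: removing an SPN from the wrong account is a manual decision.
        Write-Warning ("CONFLICT  $($w.Spn) is held by: $($names -join ', '); " +
                       "expected only $($w.Account)")
    }
}

# Domain-wide duplicate scan, as suggested in the thread.
setspn -X
```
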
  • Thanks for the replies guys, I will check for the SPNs and post a reply.
    Khaja - I can browse to the URL https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx

    and haven't been prompted for a username and password

     Thanks,
    Jonathan

    Friday, September 16, 2011 8:11 AM
  • Hello Arpita,
    I added the SPNs and it is working on the ADFS and CRM 2011 servers but not on the users' computers.
    Do you have any ideas?
    From all the computers in the network I can browse to https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx
    and can log in to the external URL but not to the internal.

    Thanks in advance,
    Jonathan

    Sunday, September 18, 2011 10:24 AM
  • Hi Jonathan,

     

    There can be two possibilities. If the user's computer is in the domain, please add the CRM internal URL to the Local Intranet sites. If the user's computer is outside of the domain, which is outside your network, you need to have public DNS entries for the following URLs pointing to your CRM server's external IP address.

     

    dev.domain.com ---- CRM IP address (external IP, that is, the IP address shown for the CRM server when you check from an external network)

    auth.domain.com ---- CRM IP address

    crmexternalurl.domain.com ---- CRM IP address

    sts.domain.com ---- ADFS IP address

    Be sure that, if you have a firewall in between the external and internal network, the traffic goes to the CRM server according to whatever rules you set on the firewall.


    Arpita
    Monday, September 19, 2011 12:03 AM
  • Hi Jonathan,

    Also, if the computer is not in the domain you won't be able to access the CRM internal URL for sure. Only from a computer in the domain can you access both the internal and external URLs.

    Please next time specify theinto consideration is in domain or an external machine.


    Arpita
    Monday, September 19, 2011 12:06 AM
  • Hey Arpita, it turns out that the SPNs did the trick; it just took a really long time.

    Thanks a lot for your help

    Jonathan

    Monday, September 19, 2011 4:48 AM