Install additional CRM 4 server with NLB in existing org

Question
Hello all--
We have 1 CRM 4 server in our existing environment with a separate SQL 2005 server.
We use host headers for CRM even though it's the only thing on that box. Our AD domain is domain.com, but all our MOSS portals and CRM use domain.net.
I've installed CRM to another server and added the host header to IIS. I've also installed and configured NLB with a cluster name of crmnlb.domain.com.
I changed the DNS record (crm.domain.net) to point to the cluster IP address and added a host header to both servers using the cluster IP and the crm.domain.net header.
I removed the old headers from IIS so that the cluster IP header was the only one there.
When I try to go to crm.domain.net I get a page cannot be displayed error...
Any ideas? If I put things back the way they were everything works.
Thanks,
Joe
Monday, June 29, 2009 4:00 PM
Answers
Exactly.
If you step back and look at what account is being used to authenticate the Application pool on the application.
So you ask yourself, how does the local machine account authenticate to the SQL server and the SRS server?
Well, you created an OU in AD when you installed CRM. What was created within the OU?
One of the groups that is created with the install is the PrivReportingGroup.
You should see the CRM application server in there.
In the PrivUserGroup you should see more than one server. For instance, I have a lab where I have CRM installed on the SQL server. With this configuration you will see the DC and the App server/SQL in there as members.
These machines are in there to authenticate the "Machine Account" to AD and the Service Principal Names attributes on the accounts. Thus you don't have to add a User account to authenticate the app pool on the application server.
That account would have to have delegation to authenticate for that server to read the SPNs in the LDAP database. Thus Microsoft set up these security groups within the OU for authentication purposes.
It's really hard to troubleshoot a Kerberos environment through a forum. But using tools like SETSPN will be of some troubleshooting help.
/:>
Marked as answer by Jim Glass Jr, Thursday, July 9, 2009 8:03 PM
Tuesday, July 7, 2009 2:36 PM Moderator
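A read-only check of the SPNs and CRM security groups the answer above refers to, as an added example that is not part of the original thread. It assumes the question's host header crm.domain.net, a domain-joined machine, and that the group names begin with PrivUserGroup and PrivReportingGroup.

```powershell
# Added example (not from the thread): read-only AD queries, nothing is modified.
# Assumption: crm.domain.net is the host header from the question.
$hostHeader = 'crm.domain.net'

function Find-SpnOwner {
    param([string]$Spn)
    # Search the current domain for every account carrying this exact SPN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    foreach ($r in $searcher.FindAll()) {
        $classes = $r.Properties['objectclass']
        New-Object PSObject -Property @{
            Spn     = $Spn
            Account = [string]$r.Properties['samaccountname'][0]
            Class   = [string]$classes[$classes.Count - 1]   # most specific class: user or computer
        }
    }
}

# Which account(s) hold the HTTP and HOST SPNs for the load-balanced name?
$owners = @(foreach ($svc in 'HTTP', 'HOST') { Find-SpnOwner "$svc/$hostHeader" })
$owners | Format-Table Spn, Account, Class -AutoSize

$httpOwners = @($owners | Where-Object { $_.Spn -like 'HTTP/*' })
if ($httpOwners.Count -eq 0) {
    Write-Warning "No account holds HTTP/$hostHeader"
} elseif ($httpOwners.Count -gt 1) {
    Write-Warning "HTTP/$hostHeader is registered on more than one account (duplicate SPN)"
}

# List the members of the CRM install groups so both CRM servers' machine
# accounts can be compared. The name patterns are an assumption.
$groups = New-Object System.DirectoryServices.DirectorySearcher
$groups.Filter = '(&(objectCategory=group)(|(cn=PrivUserGroup*)(cn=PrivReportingGroup*)))'
foreach ($g in $groups.FindAll()) {
    [string]$g.Properties['cn'][0]
    foreach ($dn in $g.Properties['member']) { "    $dn" }
}

# setspn -L <account> lists the SPNs registered on a single account.
```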
All replies
Is the machine account in the same OU?
Is it in the subgroup?
This may also help.
http://learn.iis.net/page.aspx/485/define-and-configure-an-application-request-routing-server-farm/
Monday, July 6, 2009 8:18 PM Moderator
Hi Curt--
Yes, both servers' machine accounts are in the Computers OU.
Which subgroup are you referring to?
I'll take a look at the link as well. I mentioned this to someone and they suggested an SPN issue, but I haven't had a chance to track it down yet.
Thanks for the help!
Joe
Tuesday, July 7, 2009 12:45 PM