2 Servers in Load Balancing, One Won't Authenticate

  • Question

    Hello,

    I have two servers running CRM 4.0 Pro, and both are pointing to the same database. The app servers are set up in a load-balancing configuration, with the SPN being set to host/appslb.rdvs.com:9999. The account with the SPN is running the Async service on both app servers, but it seems to stop every now and then.

    I can access CRM from the first server, apps01:9999, and the load-balancing address, appslb:9999, at all times. However, most of the time the second app server, apps02:9999, will ask for authentication, and even after entering correct credentials, I still get a 401.1 - Unauthorized error. Everything appears to be set up the same in IIS on both machines. Does anyone have any idea what needs to be done on the second app server to get rid of these authentication issues?

    Thank you.

    Tuesday, January 20, 2009 2:44 PM

Answers

  • Hi,

    There can be many reasons for your problem.

    The Async service might always be getting stopped on one of the nodes. Try to start the Async service on both nodes.

    There can be a problem with the way the NLB clustering got configured; check that you can see both nodes for both servers at the load-balancing point.

    There can also be IPSec issues, which normally run into the same problem you are facing.

    Try to check the event log and security log to identify the exact problem for your servers.

    But I'm sure that probably one of the above could be the reason for your server not performing properly.

    Thanks

    Arif.
    Mohammed Arif
    • Marked as answer by Jim Glass Jr Monday, March 16, 2009 6:20 PM
    Saturday, February 21, 2009 1:16 AM

All replies

  • Some additional information.

    I noticed in IIS on apps01, in the CRMAppPool's Identity tab, it will allow the identity to be set as the crmsupport user account that has the SPN configured. However, on apps02 I cannot set the same user account to be the identity. Wasn't the point of setting up the SPN so that the same user can be set as the CRMAppPool identity on both servers? Am I missing another step perhaps? The current band-aid is that both servers are just using the network service account as the identity.

    Hopefully this updated post can generate some communication.

    Thank you.
    Monday, February 2, 2009 2:47 PM
  • Maybe a stupid question, but is the second server's machine account a member of the PrivUserGroup in AD?
    Monday, February 23, 2009 12:37 PM
  • Hello,

    The Async service would stop every now and then, and then start up again, but even when the service was running on both servers, I couldn't access the second server.

    I don't believe NLB is configured improperly. All IPs can be pinged and accessed by UNC path.

    Event logs don't say anything that can easily point me in the right direction, and searching for their tips brings back results that have already been verified to be in place.

    The second server's machine name is a member of the PrivUserGroup in AD.

    I noticed that in IIS, in the CRMAppPool, I could set the Identity on one server to the domain account that I wanted the Async service to run on, but not the other. If I set the Identity on both servers to the local network service account, there's no problem. I thought that setting the SPN to the NLB name would have taken care of this?
    Monday, February 23, 2009 2:13 PM