Cannot access CRM 4.0 Discovery services on a CRM 2011 installation

Question
-
I am trying to use a couple of 3rd party apps that use the CRM 4.0 Discovery services with my CRM 2011 installation. The CRM server is in IFD mode and while remote browser and Outlook access to CRM works, the 3rd party apps do not. The 3rd party Tech Support says that I have to be able to browse to https://servername.domainname.com:444/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx for their app to work. When I browse to that URL I get a 401 "Unauthorized: Access is denied" error.
When I connect to https://servername.domainname.com:444/ from a PC that is connected to the domain I do not get a logon prompt and the CRM page comes right up. When I logon from an external PC I get a traditional "keys" logon dialog that says that it is connecting to sts.domainname.com. Upon logon CRM appears to work OK from the remote PC. When I logoff from the remote PC I get a Sign-Out confirmation page from sts.domainname.com so it does appear that IFD with AD FS 2.0 is working.
I can connect to the CRM 2011 Discovery Service at https://servername.domainname.com:444/XRMServices/2011/Discovery.svc.
I can connect to the AD FS 2.0 Security Token Service at http://servername.domainname.com/adfs/services/trust/mex
and the AD FS 2.0 Trust Information Service at http://servername.domainname.com/adfs/fs/federationserverservice.asmx
I can connect to the CRM 4.0 Discovery Service at https://servername.domainname.com:444/MSCRMServices/2007/AD/CrmDiscoveryService.asmx
I cannot connect to the CRM 4.0 Discovery Service at https://servername.domainname.com:444/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx even though I have enabled anonymous access to the SPLA site as instructed in the Microsoft documentation. I get a 401 error.
At this point it appears that IFD access is working and access to the 2011 Discovery Service is working OK. It appears that the 3rd party apps are not working because access is blocked to the “SPLA” CRM 4.0 Discovery Service. Is there something you have to do in a Dynamics CRM 2011 installation to enable the old "SPLA" Discovery Services?
Monday, August 15, 2011 7:19 PM
Answers
-
I have confirmation from MS Support that my CRM installation is working as designed. With a CRM 2011 IFD installation, browsing to https://orgname.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx will result in a 401 unauthorized error. The connection must authenticate with ADFS even though the SPLA page is set to allow anonymous authentication.
Applications that connect to the CRM4 Discovery Service on a CRM 2011 installation must logon using a forms based authentication conversation before they can get results back from the Discovery Service. It appears that the 3rd party app that I was having problems with does not logon correctly. Their Tech Support also erroneously stated that you have to be able to logon anonymously to the Discovery Service.
- Marked as answer by VirtualMIS Tuesday, September 20, 2011 6:26 PM
Tuesday, September 20, 2011 6:26 PM
All replies
-
I have installed CRM 2011 with IFD and have it working more or less. Browser and Outlook based connections work when accessing the external URL but I am having trouble with add-ins and Windows Mobile clients that use the CRM Discovery Service. If I understand correctly I should be able to browse to https://<server>:444/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx and get a dump of XML. Instead I get an HTTP error 401 - Unauthorized access.
To determine whether I messed up the install of IFD and Claims Based Authentication I turned both of them off and then tried to browse http://<server>:5555/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx
but I still get a 401 error. And yes, I did enable anonymous authentication to the SPLA folder as instructed in the Claims Based Authentication install directions.
Why am I getting a 401 error when accessing SPLA even though anonymous access is enabled?
Matt
- Merged by Donna EdwardsMVP Wednesday, September 21, 2011 2:50 PM duplicate
Tuesday, August 9, 2011 7:44 PM -
Is there a reason that you are not accessing the CRM 2011 Discovery Service at https://<server>:444/XRMServices/2011/Discovery.svc?
Brian Bewley
Wednesday, August 10, 2011 4:31 AM -
Yes, I am using a third party application that is still using the older discovery service. It appears to be an indicator that something is fundamentally wrong. I will test the access to 2011 Discovery Service and post a reply here.
Matt
Wednesday, August 10, 2011 5:41 PM -
I am still fighting this problem. I have IFD working OK and can access the 2011 Discovery Service but I still get the 401 error when accessing the 4.0 Discovery Services at https://<server>:444/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx
Any clues on how to troubleshoot this problem would be greatly appreciated.
Matt
Tuesday, August 23, 2011 8:35 PM -
I have CRM 2011 in IFD mode using ADFS 2.0. IFD is working (after lots of effort) but I can't get my 3rd party apps to connect. They still use the CRM 4.0 Discovery Service and that is the root of the problem.
Can you browse to https://servername.domain.com:444/MMSCRMServices/2007/SPLA/CRMDiscoveryService.asmx?
When I browse to it with a new browser session I get a 401 Unauthorized error. If I logon to CRM using an internal URL and Windows Security authentication (instead of Claims Based) and then browse to SPLA I get the CRMDiscoverService page with an Execute link. So this apparently is a security/authentication issue. And yes, I have set the SPLA location to allow anonymous authentication and the AD FS AppPool is running under NetworkService.
Your test and feedback is greatly appreciated.
Matt
- Merged by Donna EdwardsMVP Wednesday, September 21, 2011 2:48 PM duplicate
Friday, August 26, 2011 5:51 PM -
I get
HTTP Error 401.2 - Unauthorized: Access is denied
I think we switched to the 2011 web services to resolve this issue, but it's possible there is a way to make this work.
Phil Edry – Altriva Solutions – http://www.altriva.com/AltrivaBlog.aspx
Friday, August 26, 2011 6:44 PM -
Phil - thanks for trying it. The 2007 Discovery Service obviously is there for backwards compatibility but there is some security/authentication issue that is getting in the way.
Would really like to hear from more people who have CRM 2011 in IFD mode. Does this work for anyone?
Matt
Monday, August 29, 2011 5:14 AM -
After installing ADFS, apps can no longer access the CRM 2007 Discovery service at https://server.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx. Prior to installation of ADFS, apps could access the Discovery Service without a problem. Browsing to the Discovery Service page results in a 401 - Unauthorized access error. If I authenticate with ADFS and logon to CRM and then browse to the Discovery Service I can access it OK and I get the [CRMDiscoveryService] page.
The SPLA site is set to allow anonymous authentication, AppPool is running under NetworkService and NetworkService has read access to the private key of the encryption service.
This appears to be an authentication issue. Prior to installation of ADFS the metadata URL was accessible via anonymous as you would expect. After ADFS was installed you can no longer connect anonymously even though it is set to anonymous. That is proven out by the fact that I can browse to it OK after having been authenticated with a claims based logon.
Another interesting observation. If you turn anonymous access off you get a 401.2 error returned. Turn anonymous access back on and you get just a 401 error - no suffix.
Anyone else out there with CRM IFD seeing this problem? Anyone able to successfully browse to the Discovery Service?
Matt
- Moved by Donna EdwardsMVP Wednesday, September 21, 2011 2:41 PM (From:CRM)
- Merged by Donna EdwardsMVP Wednesday, September 21, 2011 2:56 PM duplicate
Friday, September 9, 2011 4:15 AM -
Looking for other installations of CRM 2011 in IFD mode in a split domain environment where the internal domain is .local and the external domain is .com. If you have this kind of an installation please post a reply here.
I am trying to get to the bottom of a Discovery Service issue.
Can you browse to https://server.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx?
- Moved by Donna EdwardsMVP Tuesday, September 13, 2011 1:21 PM (From:CRM)
- Moved by Donna EdwardsMVP Wednesday, September 21, 2011 2:42 PM (From:CRM Development)
- Merged by Donna EdwardsMVP Wednesday, September 21, 2011 2:49 PM duplicate
Friday, September 9, 2011 6:34 PM -
No one out there has CRM implemented in a split domain environment?
If you do I would really like to hear from you.
Monday, September 12, 2011 4:16 AM -
Anyone able to browse to the Discovery Service?
Monday, September 12, 2011 4:24 AM
-
This is not a permissions or authentication issue with the SPLA page itself. If I add a txt file into that directory I can browse to it and read it in the browser without a problem. The IIS logs show that browsing to the Discovery Service results in a 401.5. A 401.5 error means that authorization failed by an ISAPI/CGI application so it would appear that the Discovery Service is the culprit.
- Proposed as answer by Hassanz Tuesday, April 16, 2013 2:04 AM
Monday, September 12, 2011 4:11 PM -
Tuesday, September 13, 2011 4:11 AM
-
Thanks for the suggestion. This is a CRM 2011 installation and the 2007 Discovery Service is the backwards compatibility service. I don't think that the referenced KB relates to a CRM 2011 installation.
Matt
Tuesday, September 13, 2011 4:20 AM -
Perhaps not Matt, did you configure Claims based authentication?
Are you following the Microsoft Dynamics CRM 2011 Implementation Guide found here:
http://www.microsoft.com/download/en/details.aspx?id=3621
The 401.2 error generally means you do not have auth configured.
Tuesday, September 13, 2011 4:43 AM -
Tuesday, September 13, 2011 1:20 PM
-
Yes, the CRM 2011 implementation is running in IFD mode which means that ADFS 2.0 is installed and claims based authentication is implemented. Yes, I followed the Implementation Guide and it was very helpful. I am able to logon using claims based authentication and the CRM functionality is working OK. The only thing that does not work is third party applications that use the CRM4 Discovery Service that is included in CRM 2011 for backwards compatibility purposes. The new 2011 Discovery Service appears to be working OK.
Yes, I am aware that a 401.2 error is an authentication error. I turned anonymous authentication off to cause the 401.2 error to confirm that IIS behaved predictably under that condition. With anonymous authentication enabled on the SPLA page the error changes to a 401.5 error (I tracked this down in the logs). Getting a 401.5 error on a page set to anonymous authentication is not expected. A 401.5 error means that authorization failed by an ISAPI/CGI application so it would appear that the Discovery Service is the culprit.
The CRMDiscoveryService.asmx is a web services file that references Microsoft.Crm.Discovery.dll. I have hit a dead end there and am not able to troubleshoot the problem further. My hunch is that the old Discovery Service has a bug in it whereas it does not know how to deal with claims based authentication running in a split domain environment where the internal domain is a .local domain and the external a .com domain.
Any feedback from someone more familiar with the CRM4 Discovery Service would be greatly appreciated.
THX,
Matt
Tuesday, September 13, 2011 5:23 PM -
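The sub-status check described in the post above, as an added example that is not part of the original thread: a small parser that reads IIS W3C logs, keeps the 401 responses under the CRM 4.0 service path, and reports which layer issued each rejection. The log lines are constructed for illustration and the field order is an assumed logging configuration; the parser follows whatever `#Fields:` directive the log declares.

```python
from collections import Counter

# IIS sub-status codes for HTTP 401, with the layer that issued the rejection.
SUBSTATUS_401 = {
    "1": ("IIS authentication", "logon failed"),
    "2": ("IIS authentication", "logon failed due to server configuration"),
    "3": ("file system ACL", "unauthorized due to ACL on resource"),
    "4": ("ISAPI filter", "authorization failed by filter"),
    "5": ("application", "authorization failed by ISAPI/CGI application"),
}

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-09-12 15:50:11 192.0.2.10 GET /MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx - 444 - 198.51.100.7 Mozilla/5.0+(constructed) 401 2 5 15
2011-09-12 15:58:01 192.0.2.10 GET /MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx - 444 - 198.51.100.7 Mozilla/5.0+(constructed) 401 5 0 31
2011-09-12 15:58:40 192.0.2.10 GET /MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx - 444 - 198.51.100.7 Mozilla/5.0+(constructed) 401 5 0 16
2011-09-12 15:59:02 192.0.2.10 GET /MSCRMServices/2007/SPLA/test.txt - 444 - 198.51.100.7 Mozilla/5.0+(constructed) 200 0 0 2
2011-09-12 16:01:13 192.0.2.10 GET /XRMServices/2011/Discovery.svc - 444 - 198.51.100.7 Mozilla/5.0+(constructed) 200 0 0 47
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def summarize_401(text, stem_prefix="/MSCRMServices/2007/"):
    """Count 401 responses per (URI stem, sub-status) under stem_prefix."""
    counts = Counter()
    prefix = stem_prefix.lower()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        if row.get("sc-status") == "401" and stem.lower().startswith(prefix):
            counts[(stem, row.get("sc-substatus", "0"))] += 1
    return counts


def rejecting_layers(text):
    """Return the set of layers that issued 401s for the filtered requests."""
    return {SUBSTATUS_401.get(sub, ("unknown", ""))[0]
            for (_, sub) in summarize_401(text)}


def report(text):
    """Return one readable line per (URI stem, sub-status) pair."""
    lines = []
    for (stem, sub), n in sorted(summarize_401(text).items()):
        layer, meaning = SUBSTATUS_401.get(sub, ("unknown", "no sub-status logged"))
        lines.append(f"{stem} 401.{sub} x{n}: {meaning} [{layer}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A 401.2 points at the IIS authentication settings for the path, while a 401.5 on a path that allows anonymous access means the request passed IIS and was refused by the application behind it.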
Matt,
You seem to be making some assumptions here. First, you have a problem yet you expect that we know that you have done everything correctly.
You are providing a more accurate picture bit by bit. The .local DNS record could cause issues if you have not properly configured cname and host headers.
I will move on and help others. Good luck.
Tuesday, September 13, 2011 7:37 PM -
Jeffrey,
If you will read my first post I think you will see that I described a situation and simply asked people if they observed the same behavior. I provided a brief summary of the situation so that I did not overwhelm the reader. Believe me, there is a lot more detail that I could have provided, and would have, if you had asked.
With your first post you erroneously assumed that it was a CRM 4.0 implementation. My fault there as I did not explicitly say that it was CRM 2007. It was easy to pick up on that oversight since ADFS does not play a role with CRM 4.0.
With your second post you assumed that I didn't know what I was doing and suggested that I should start with step #1 - read the instructions. I assure you that I have read that document from front to back and I would not have gotten as far as I have without it. From the question that I was asking, I think that most people would have picked up on that too.
Thanks for trying anyway though. I have submitted the problem to MS Tech Support and they have recreated the problem. I will post a followup here when I hear back from them.
Matt
Tuesday, September 13, 2011 9:04 PM -
Matt,
You may want to look at this:
I believe you may have an issue related to the fact that you have .local
Here are some additional references.
http://social.microsoft.com/Forums/en-US/crmdeployment/thread/91b3a08e-d6e5-414b-9474-c25c05de4d66
I did do this successfully with .local; however, going forward it is better to use publicly resolvable and internally resolvable references because it simplifies configuration.
Wednesday, September 14, 2011 1:03 AM -
Jeffrey,
Thanks, I did look at those some time back. They are close but they don't really address the issue.
Yes, I think that you are right. I think that the problem is that the CRM4 Discovery Service that is included in CRM 2011 for backwards compatibility purposes does not know how to deal with a split domain when running in IFD mode. MS Tech Support is researching that now.
Unfortunately, the way that Microsoft's installer for Small Business Server is setup it almost guarantees that most SBS 2011 installations will be setup with .local/.com split domains. As painful as this might be I have to figure out how to make it work.
Now, back to my original question. Anyone out there with CRM 2011 in IFD mode seeing 401 authentication errors when browsing to https://server.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx? Anyone able to successfully browse to the Discovery Service? Do you have a split domain?
Thanks,
Matt
Wednesday, September 14, 2011 1:37 AM -
Anyone out there with CRM 2011 in IFD mode seeing 401 authentication errors when browsing to https://server.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx? Anyone able to successfully browse to the Discovery Service? Do you have a split domain?
Thanks,
Matt
Wednesday, September 14, 2011 1:39 AM -
Matt, actually if you use the answer file you can specify any tld you like in SBS.
Did you also look at this video? I know it can be done because I have done it myself.
http://www.youtube.com/watch?v=T9jZIxDTsBw&feature=player_embedded
I wonder if you got the certificates right... it is a tricky little part. What DNS settings did you create to support your install?
Wednesday, September 14, 2011 5:02 AM -
Here is a link on how to use the answer file
http://blogs.technet.com/b/sbs/archive/2009/01/02/introducing-the-windows-sbs-2008-answer-file.aspx
Although the link exists, it doesn't really help you unless you are going to re-install. However the process does work for migrations as well. SBS MVPs will suggest to you that you should only install using the answer file. Hindsight is 20/20.
Wednesday, September 14, 2011 5:12 AM -
I have been giving more thought to this issue.
You should specify a different port for ADFS. 444 in SBS is used for companyweb.
I am going to look for internal resources to assist you here. I believe more information could be available. I will post back.
Wednesday, September 14, 2011 11:24 AM -
Jeffrey,
Yes, I am aware of the answer file installation process. I agree, installing a new server with a split brain DNS using an answer file is a cleaner way to go. However, if you come across an existing installation that is already installed as a split domain you still have to deal with installing CRM in that environment.
My CRM server is not installed on the SBS domain controller. ADFS is installed on the default site with port 443 and CRM is installed on a second site with port 444.
Thanks,
Matt
Wednesday, September 14, 2011 6:20 PM -
Hi Matt,
Yes, very understandable about the situation with SBS.
As far as the DNS records go, you are configuring them on the SBS server with the IP of the other server?
Please confirm the following assumptions: You are using the IP of the Secondary server both for the local and external and you are specifying the ports. You have set up the auth and dev tags correctly. You are attempting to connect from internal when you receive the above described problem?
In the video referenced above you can verify that the discovery service resolves correctly by browsing to it. Have you tried that?
Wednesday, September 14, 2011 11:43 PM -
Yes, I have a fully functional CRM 2011 installation. Everything is working as far as I can tell except for the CRM4 Discovery Service provided for backwards compatibility with older apps. After putting the installation into IFD mode I can no longer browse to https://server.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx
Can you browse to that URL with your IFD installation?
Matt
Thursday, September 15, 2011 4:42 AM -
Can you point us in the right direction on how to do a "forms based authentication conversation" with the ADFS server, before calling the discovery service?
Cheers
Thursday, December 8, 2011 12:07 PM -
Sorry, I am not a developer so I can't answer your question. I would suggest that you search TechNet for an answer.
Matt
Thursday, December 8, 2011 5:20 PM -
Hi,
Did you ever find a solution for this?
I can get to https://orgname.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx but only after I've logged onto CRM first (which is giving me my login window). Once I've logged in I can then visit that service.
My problem is that I'm trying to access this service from my C# code and I don't have the opportunity to log in. I guess the solution cannot present the login window to the user somehow.
Thursday, April 26, 2012 10:27 AM -
Hi,
We finally found a solution to this problem.
http://pietersveenstra.wordpress.com/2012/05/02/adfs-blocks-acces-to-crm-services/
- Proposed as answer by Pieter_Veenstra, MVPMVP Wednesday, May 2, 2012 8:51 AM
Wednesday, May 2, 2012 8:51 AM -
Can you point us in the right direction on how to do a "forms based authentication conversation" with the ADFS server, before calling the discovery service?
Cheers
Hi,
Did you get a solution for this issue? I am facing the same problem. I am trying to connect to the CRM 2011 IFD and getting "HTTP Error 401 - Unauthorized: Access is denied" when using the Discovery service (https://orgname.domain.com:444/MSCRMServices/2007/SPLA/CRMDiscoveryService.asmx).
I enabled anonymous authentication for SPLA folder on IIS.
Wednesday, October 10, 2012 10:36 AM