CRM 2011 won't switch to Kerberos

  • General discussion

  • Hi,

    So I've got a CRM 2011 RU11 non-IFD on-premises installation with only one front-end server.

    A corporate firewall redirects all https traffic on the url to our internal crm server.

    Internally the external url works, also configured like that in deployment manager.

    Telnet to port 443 is working from the outside.

    IIS Windows authentication is configured with Negotiate only, Extended Protection off, Kernel Mode on.

    The application pool is using the domain service account; SPNs have been added.

    IIS Settings

    Yet opening CRM via the internet does not work. It asks for credentials and then times out.

    It doesn't matter if the PC is part of the domain or not. I don't see any logon attempts in the Security event viewer.

    If I open the VPN to the customer, the CRM site does work, but I only see NTLM logons.

    Only port 443 is forwarded; is that enough or not? Any other tools to check those pesky Kerberos issues?

    Regards,

    Sven Peeters

    Thursday, February 14, 2013 8:19 PM

All replies

  • Some further investigation shows these replies; all are 401 replies (Fiddler).

    REPLY 1

    No Proxy-Authenticate Header is present.

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
    A1 15 30 13 A0 03 0A 01 03 A1 0C 06 0A 2B 06 01  ¡.0. ....¡...+..
    04 01 82 37 02 02 0A                             ..‚7...   

    REPLY 2

    No Proxy-Authenticate Header is present.

    WWW-Authenticate Header is present: Negotiate

    REPLY 3

    No Proxy-Authenticate Header is present.

    WWW-Authenticate Header is present: Negotiate
    4E 54 4C 4D 53 53 50 00 02 00 00 00 10 00 10 00  NTLMSSP.........
    38 00 00 00 15 82 89 E2 7D 8C B1 4D FA C6 30 FA  8....‚‰â}Œ±MúÆ0ú
    00 00 00 00 00 00 00 00 B6 00 B6 00 48 00 00 00  ........¶.¶.H...
    06 01 B1 1D 00 00 00 0F 41 00 44 00 4A 00 43 00  ..±.....A.D.J.C.
    44 00 42 00 45 00 4C 00 02 00 10 00 41 00 44 00  D.B.E.L.....A.D.
    4A 00 43 00 44 00 42 00 45 00 4C 00 01 00 16 00  J.C.D.B.E.L.....
    42 00 52 00 55 00 30 00 30 00 31 00 4E 00 53 00  B.R.U.0.0.1.N.S.
    30 00 31 00 37 00 04 00 1E 00 62 00 65 00 2E 00  0.1.7.....b.e...
    6A 00 63 00 64 00 65 00 63 00 61 00 75 00 78 00  j.c.d.e.c.a.u.x.
    2E 00 6F 00 72 00 67 00 03 00 36 00 42 00 52 00  ..o.r.g...6.B.R.
    55 00 30 00 30 00 31 00 4E 00 53 00 30 00 31 00  U.0.0.1.N.S.0.1.
    37 00 2E 00 62 00 65 00 2E 00 6A 00 63 00 64 00  7...b.e...j.c.d.
    65 00 63 00 61 00 75 00 78 00 2E 00 6F 00 72 00  e.c.a.u.x...o.r.
    67 00 05 00 18 00 6A 00 63 00 64 00 65 00 63 00  g.....j.c.d.e.c.
    61 00 75 00 78 00 2E 00 6F 00 72 00 67 00 07 00  a.u.x...o.r.g...
    08 00 1C 06 90 92 46 0B CE 01 00 00 00 00        ....’F.Î.....  


    -[NTLM Type2: Challenge]------------------------------
    Provider: NTLMSSP
    Type: 2
    OS Version: 6.1:7601
    Flags: 0xe2898215
    Unicode supported in security buffer.
    Request server's authentication realm included in Type2 reply.
    Sign (integrity)
    NTLM authentication.
    Negotiate Always Sign.
    Negotiate NTLM2 Key.
    Target Information block provided for use in calculation of the NTLMv2 response.
    Supports 56-bit encryption.
    Supports 128-bit encryption.
    Client will provide master key in Type 3 Session Key field.
    Challenge: 7D 8C B1 4D FA C6 30 FA
    ------------------------------------

    Friday, February 15, 2013 6:37 AM
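The three 401 responses above can be told apart mechanically, which is the check a defender wants when a site that should be doing Kerberos only ever produces NTLM logons. The script below is an added example, not part of the thread and not Fiddler's or CRM's code; the only thing taken from the page is the byte values of the Reply 1 and Reply 3 dumps, embedded as input. It classifies each `WWW-Authenticate: Negotiate` value as a bare offer, a raw NTLMSSP Type 2 challenge, or a SPNEGO NegTokenResp, and for the SPNEGO case decodes the `supportedMech` OID, which is the mechanism the server actually selected. For Reply 1 that OID decodes to 1.3.6.1.4.1.311.2.2.10, the standard NTLMSSP OID, so the SPNEGO wrapper Fiddler labels as Kerberos-looking already carries an NTLM selection. The Type 2 parser reproduces the flags, challenge, OS version and target-information block Fiddler printed, and converts the MsvAvTimestamp FILETIME to a UTC date. Function names and the "offer" / "ntlm-raw" / "spnego:..." labels are my own.

```python
import base64
import struct
from datetime import datetime, timedelta

# Byte values copied from the Fiddler dumps in the post above (Reply 1 and Reply 3); the rest is an added example.
REPLY1 = bytes.fromhex("A1 15 30 13 A0 03 0A 01 03 A1 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A")
REPLY3 = bytes.fromhex("""
4E 54 4C 4D 53 53 50 00 02 00 00 00 10 00 10 00 38 00 00 00 15 82 89 E2 7D 8C B1 4D FA C6 30 FA
00 00 00 00 00 00 00 00 B6 00 B6 00 48 00 00 00 06 01 B1 1D 00 00 00 0F 41 00 44 00 4A 00 43 00
44 00 42 00 45 00 4C 00 02 00 10 00 41 00 44 00 4A 00 43 00 44 00 42 00 45 00 4C 00 01 00 16 00
42 00 52 00 55 00 30 00 30 00 31 00 4E 00 53 00 30 00 31 00 37 00 04 00 1E 00 62 00 65 00 2E 00
6A 00 63 00 64 00 65 00 63 00 61 00 75 00 78 00 2E 00 6F 00 72 00 67 00 03 00 36 00 42 00 52 00
55 00 30 00 30 00 31 00 4E 00 53 00 30 00 31 00 37 00 2E 00 62 00 65 00 2E 00 6A 00 63 00 64 00
65 00 63 00 61 00 75 00 78 00 2E 00 6F 00 72 00 67 00 05 00 18 00 6A 00 63 00 64 00 65 00 63 00
61 00 75 00 78 00 2E 00 6F 00 72 00 67 00 07 00 08 00 1C 06 90 92 46 0B CE 01 00 00 00 00""")

# Standard GSS mechanism OIDs (RFC 4178 / MS-SPNG) and NTLM constants (MS-NLMP).
MECH_OIDS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AV_IDS = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
          4: "DNS domain", 5: "DNS tree", 7: "timestamp"}
NTLM_FLAGS = {0x1: "UNICODE", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN",
              0x10000: "TARGET_TYPE_DOMAIN", 0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
              0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56"}


def negotiate_header(token: bytes) -> str:
    """Header value as a server sends it: 'WWW-Authenticate: Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def decode_oid(body: bytes) -> str:
    """DER OID content octets -> dotted string (first octet packs two arcs, rest base-128)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def spnego_supported_mech(token: bytes):
    """(negState, supportedMech OID) from a SPNEGO NegTokenResp ([1] tag), else None."""
    if not token or token[0] != 0xA1:
        return None
    _, resp, _ = der_tlv(token, 0)          # [1] NegTokenResp
    _, seq, _ = der_tlv(resp, 0)            # SEQUENCE { negState, supportedMech, ... }
    neg_state, mech, pos = None, None, 0
    while pos < len(seq):
        tag, body, pos = der_tlv(seq, pos)
        if tag == 0xA0:                     # [0] negState ENUMERATED (3 = request-mic)
            neg_state = body[-1]
        elif tag == 0xA1:                   # [1] supportedMech: the mechanism the server chose
            mech = decode_oid(der_tlv(body, 0)[1])
    return neg_state, mech


def parse_ntlm_type2(msg: bytes) -> dict:
    """Fields of an NTLM CHALLENGE_MESSAGE (Type 2): flags, challenge, version, target info."""
    if not msg.startswith(NTLMSSP_SIGNATURE) or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)      # TargetNameFields
    flags, challenge = struct.unpack_from("<I8s", msg, 20)       # NegotiateFlags, ServerChallenge
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)      # TargetInfoFields
    major, minor, build = struct.unpack_from("<BBH", msg, 48)    # Version
    info, pos = {}, ti_off
    while pos < ti_off + ti_len:            # AV_PAIR list: id, length, value
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        val, pos = msg[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id == 7:                      # MsvAvTimestamp: FILETIME, 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack("<Q", val)[0]
            info["timestamp"] = (datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)).isoformat()
        else:
            info[AV_IDS.get(av_id, f"av{av_id}")] = val.decode("utf-16-le")
    return {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"), "flags": flags,
            "flag_names": [n for bit, n in NTLM_FLAGS.items() if flags & bit],
            "challenge": challenge.hex().upper(), "os_version": f"{major}.{minor}:{build}",
            "target_info": info}


def classify_negotiate(header_value: str) -> str:
    """What one 'Negotiate ...' WWW-Authenticate value actually carries."""
    parts = header_value.split(None, 1)
    if len(parts) == 1:
        return "offer"                      # bare "Negotiate": server only offers SPNEGO so far
    token = base64.b64decode(parts[1])
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"                   # NTLMSSP with no SPNEGO wrapper at all
    found = spnego_supported_mech(token)
    return "spnego:" + MECH_OIDS.get(found[1], found[1]) if found and found[1] else "unknown"
```

Run against a Fiddler or Wireshark capture, the useful signal is the first response that carries a token: if its SPNEGO `supportedMech` is already NTLMSSP, or the token is raw NTLMSSP, the client never presented a Kerberos ticket, which points at SPN or name-resolution problems at the proxy rather than at IIS itself.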
  • What's your goal here? Are you trying to get CRM accessible over the internet, or trying to figure out why Windows Authentication isn't working while connected over VPN?

    If your goal is to access CRM over the internet, you will want to set up ADFS and IFD.

    You can use either Netmon, Wireshark or Fiddler to troubleshoot, but instead of spending time troubleshooting I would go the supported route and set up IFD.


    Friday, February 15, 2013 9:41 PM
  • Hi Chris,

    Sorry for the long delay, I was on holiday last week.

    The goal is to expose CRM via internet without the use of a vpn connection.

    We proposed the IFD solution, but the customer's IT Department refused that because it was too complex for them.

    So they want to stick with the easy way.

    If I'm not mistaken, when you only use the CRM website (and not the Outlook add-in), you don't need an IFD setup; am I correct?

    We did finally find out that the customer is not using simple port forwarding, but a type of reverse proxy to open the connection to the internal server.

    We found numerous articles about Kerberos problems with CRM 2011 combined with reverse proxy systems.

    They all reverted to IFD, because a setup with reverse proxies is only supported if you use IFD.

    So we are waiting on feedback from the customer on whether they switch to port forwarding or implement IFD.

    Regards,

    Sven Peeters

    Monday, February 25, 2013 5:53 AM