locked
The request for security token could not be satisfied because authentication failed RRS feed

  • Question

  • Hello,

    As my title said, I met this error : The caller was not authenticated by the service : The request for security token could not be satisfied because authentication failed.

    This error occur when I try to query (WhoAmIRequest) CRM by code (C# Console App). 
    My code use windows authentication to instatiate CRM Server by using CredentialCache.DefaultNetworkCredentials

    My program work well on a Dev environnment but on TEST Env configured with Kerberos, the program crash with the error mentioned.
    I checked :
    IIS CrmAppPool is a domain account,
    SPN are well seted,
    Delegation is activated for the AppPool account

    An other clue is, when I connect to CRM by IE and navigate, create item, ... there are no problems but when I query by code I have the error.  It seem that the user account itself is not involved but when the CrmAppPool try to impersonate (because I guess that it is the  way CRM work) the CrmAppPool Account have authentication issue. Is it possible ?

    Im stuck now, you're my last chance :)

    Thx in advance for your help

    Kya

    Tuesday, September 23, 2014 3:27 PM

All replies

  • Any ideas plz ?
    Wednesday, September 24, 2014 8:27 AM
  • Are you using the sdk assemblies, or a service reference to the OrganizationService ? If you use a service reference, then the config data in [appname].exe.config will have to be correct for the identity of the CrmAppPool

    Is the server configured for Claims authentication, or AD authentication ? If it is Claims, then you need to pass the username and password, rather than using CredentialCache.DefaultNetworkCredentials


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Wednesday, September 24, 2014 10:12 AM
    Moderator
  • Thank you for your reply !! 

    I use sdk assemblies with this code : 

                    OrganizationServiceProxy _serviceProxy;
                    IOrganizationService _service;
    
                    Uri org = new Uri(ConfigurationManager.AppSettings["CRMURL"]);
                    ClientCredentials credentials = new ClientCredentials();
                    credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
    
                    using (_serviceProxy = new OrganizationServiceProxy(org, null, credentials, null))
                    {
                        _serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());
                        _serviceProxy.Timeout = new TimeSpan(0, 10, 0);
                        _service = (IOrganizationService)_serviceProxy;
                        return _service;
                    }

    And it's just an AD authentication. I allready try to use directly login / password on the clientCredential but a I have the same error... It's realy strange, it seem than the user succeed to connect, the service is well instantiated but when I perform the query the error occur, this is why I thought that the CrmAppPool have problem... 

    I have an other clue, when the error occur, I have a new entry on the event viewer / Security Tab : Audit Failure : With the login on the running user

    Failure Information:
    	Failure Reason:		The NetLogon component is not active.
    	Status:			0xc0000192
    	Sub Status:		0x0
    

    But I checked the netlogon service is well started !


    Wednesday, September 24, 2014 12:41 PM
  • The code and approach does look correct.

    It might be worth checking if you can connect to the DiscoveryService from code. If you also get an error, then this would indicate it is a system problem (maybe with the CrmAppPool, or ActiveDirectory), but if you can connect to the DiscoveryService and retrieve the OrganizationDetail, then the problem is more likely to be with the specific CRM organisation - it would be interesting to compare the OrganizationDetail.Endpoints to the Url you are using in your current code


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, September 25, 2014 6:02 AM
    Moderator
  • Hi David,

    I tested your solution, and in fact, even the DiscoveryService is not accessible; with the same error ! 

    You're right, it's probably an error due to network, ad or something else... but what ? 

    I allready test a lot of stuff, my last clue was a corporate network proxy configurered with a PAC file on IE, but I adapt the app.config file to integrate this proxy and it still won't work... I also tried to use "localhost" on my URI to reach the service, but even locally it dont work ! 

    Im stuck now

    Thanks for your help

    New Clue :

    Crm Trace plateform return an new error (for the same error) : The Security Support Provider Interface (SSPI) negotiation failed CRM

    • Edited by Kyamit Monday, September 29, 2014 9:45 AM
    Monday, September 29, 2014 8:43 AM
  • SSPI errors are typically becuase you can't be authenticated by a domain controller - either because it's inacccessible, or there are other AD issues (e.g. an untrusted computer account). The error you posted about the NetLogon service is probably relevant (as I think it is this service that initiates communication with the domain controlled), but it's not an error I've seen before. Sorry I can't help further, but this looks like it's not purely a CRM issue


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, September 29, 2014 9:40 PM
    Moderator
  • You confirm my doubt comcerning this problem, it is not purely CRM... 
    I continue to investiguate with the AD team and keep you in touch if I find the reason.

    Last question :
    Do you think that this AD issue is compatible with the fact that with IE, CRM authentication have no problem ? (I can CRUD record)... 
    Because its strange that with IE and the same user I can authenticate but with my C# code I have this error... 

    Thanks for your help David

    Tuesday, September 30, 2014 8:10 AM
  • This issue is compatible with being able to use CRM through IE with no problems. I have met several cases where there have been AD (or maybe IIS) issues that cause errors when connecting to CRM with external code, but access via IE works fine

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Tuesday, September 30, 2014 9:48 AM
    Moderator