Microsoft Dynamics CRM (Archived)

crm 2011 rollup 7 authentication issue

(0) Share

Report

Posted on by Paul DSM Jones

355

ok summary of setup:

3 x DC all running server 2008r2 (names - S1 / S4 / S6-DC)
S4 is also running ADFS 2.0
Server called S5 runs CRM 2011 workgroup edition
Server called S3 runs SQL 2008r2 and hosts the DB for CRM along with SRS.
Server called S2 runs Exchange 2010 along with CRM email router

All was working fine yesterday with rollup 6 installed (apart from a couple of known script errors with UR6 + activity feeds). I have both claims based auth and IFD setup, along with split DNS for external domain name.

This morning I installed UR7 on all servers (S5 got the server update, S3 got the SRS update and S2 got the router update, along with all outlook clients)

Now I can only login to CRM using the external URL, the internal URL which should (and was before UR7) allow login with windows credentials (uses local DNS name for server) now promts fro username and password and will not accept the username and password given, even though the same username and password work fine using external URL (brings up ADFS forms login).

I can find any errors on the CRM or the ADFS server indicating a problem.

AD is syncronising fine and all DC's are healthy.

Anyone else having issues?

*This post is locked for comments

I have the same question (0)

All responses (6)

Answers (1)

Paul DSM Jones 355 on at

Like (0)

Report

I tell a lie, here is a .ASP .NET error regarding CRMWeb application in event log on S5 (CRM server)

Event code: 3005

Event message: An unhandled exception has occurred.

Event time: 29/03/2012 09:30:38

Event time (UTC): 29/03/2012 08:30:38

Event ID: cc4f2bfdce52479f9726a5c0cc0ce618

Event sequence: 762

Event occurrence: 3

Event detail code: 0

Application information:

Application domain: /LM/W3SVC/1/ROOT-1-1297748236301xxxxxxxx

Trust level: Full

Application Virtual Path: /

Application Path: F:\Program Files\Microsoft Dynamics CRM\CRMWeb\

Machine name: S5

Process information:

Process ID: 3736

Process name: w3wp.exe

Account name: DSM\CRMSERVICE

Exception information:

Exception type: CrmException

Exception message: Could not find a web resource with name Images/refresh.png.

at Microsoft.Crm.Application.Components.Handlers.WebResource.RetrieveWebResource(String webResourceName, String preview)

at Microsoft.Crm.Application.Components.Handlers.WebResource.ProcessRequestInternal(HttpContext context)

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:

Request URL: dsm.digitalsolutionxxxxxxxxxxxxxxxx

Request path: /Handlers/WebResource.ashx

User host address: 192.168.xxxxxxxxx

User: DSM\pjones

Is authenticated: True

Authentication Type: Federation

Thread account name: DSM\CRMSERVICE

Thread information:

Thread ID: 6

Thread account name: DSM\CRMSERVICE

Is impersonating: True

Stack trace: at Microsoft.Crm.Application.Components.Handlers.WebResource.RetrieveWebResource(String webResourceName, String preview)

at Microsoft.Crm.Application.Components.Handlers.WebResource.ProcessRequestInternal(HttpContext context)

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Custom event details:

Was this reply helpful? Yes No
Paul DSM Jones 355 on at

Like (0)

Report

Also this errro now:

CrmTrace encountered an error. Additional Info:Error in LoadDeploymentSettings [LocatorService.Instance], Stack Trace : at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)

at System.Environment.get_StackTrace()

at Microsoft.Crm.CrmTraceSettings.Load(String traceDirectory)

at Microsoft.Crm.CrmTrace.get_RefreshTrace()

at Microsoft.Crm.CrmTrace.Write(Guid orgId, TraceCategory traceCategory, TraceLevel traceLevel, Int32 skipFrames, String format, Object[] args)

at Microsoft.Crm.CrmTrace.TraceFormat(Guid orgId, TraceCategory traceCategory, TraceLevel traceLevel, String format, Object[] args)

at Microsoft.Crm.LocatorCache..ctor(LocatorServiceContext locatorServiceContext)

at Microsoft.Crm.ServerLocatorService..ctor(LocatorServiceContext locatorServiceContext)

at Microsoft.Crm.LocatorService..ctor(ILocatorService service, LocatorServiceContext locatorServiceContext)

at Microsoft.Crm.LocatorService..cctor()

at Microsoft.Crm.LocatorService.get_Instance()

at Microsoft.Crm.ConfigurationDatabase.ConfigurationMetadata.GetSiteConfigDBConnection(Guid datacenterId)

at Microsoft.Crm.ConfigurationDatabase.ConfigurationMetadata.GetSiteConfigDBConnection()

at Microsoft.Crm.Tools.Admin.DMSnapInController.IsConfigDBAvailable()

at Microsoft.Crm.Tools.Admin.DMSnapInHelper.DisplayMessageBoxIfConfigDBIsNotAvailable(Console console)

at Microsoft.Crm.Tools.Admin.DMSnapIn.OnInitialize()

at Microsoft.ManagementConsole.SnapInBase.Initialized()

at Microsoft.ManagementConsole.Internal.SnapInClient.Microsoft.ManagementConsole.Internal.ISnapInClient.Initialize(ISnapInPlatform snapInPlatform)

at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)

at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)

at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)

at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)

at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.Microsoft.ManagementConsole.Internal.ISnapInMessagePumpProxy.Run() (Reporting Process:mmc, AppDomain:F:\Program Files\Microsoft Dynamics CRM\Tools)

Was this reply helpful? Yes No
Paul DSM Jones 355 on at

Like (0)

Report

ok, uninstalled UR7 and all is well again.

Will have another crack this when I have more time.

Was this reply helpful? Yes No
Verified answer

Paul DSM Jones 355 on at

Like (0)

Report

Well to anyone interested in this issue, I installed UR7 again today as I had some time to go through things if the issue came up again, sure enough it did.

I noticed the following event in the system log:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server s5$. The target name used was HTTP/crm.dsm.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DSM.LOCAL) is different from the client domain (DSM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Seems that when I setup the SPN correctly (as the SQL server is on another box) I didn't follow through and disable kernel mode authentication (as per the link below) for the CRM IIS site. Once disabled and IIS reset all is fine with UR7.

dynam1cscrm.wordpress.com/.../dynamics-crm-2011-spn-and-windows-authentication-configuration-for-running-custom-reports

I have no idea why UR7 was more fussy with this than UR6 and earlier, but there you have it :)

Was this reply helpful? Yes No
Mark Macrae 20 on at

Like (0)

Report

Hi

Interesting. I received the same symptoms after installing UR7 CRM Server a couple of weeks ago and we were forced to back out.

Can you specify which SPNs you are referring to, along with which services they are mapped to? We have separate service accounts for each CRM service - is there a particular account which is sensitive to this?

Thanks

Mark

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hi (this is me - just a different Live ID as I needed to tidy up logins).

Its specificed in the link in my last post, but here is the section covering the SPN's:

"most likely you're also using domain account in CRM app pool instead of standard

build-in account, at this point, SPN(Service Principal Names) need to be set up for

the CRM application user account to avoid Kerberos Double Hop issue.

After using setspn tool to setup SPN like this:

setspn -a http/your-crm-server-name domain\crm-user

setspn -a http/your-crm-server-name(FQDN) domain\crm-user

"

Was this reply helpful? Yes No