web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / OrganizationService co...
Customer experience | Sales, Customer Insights,...
Answered

OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

(0) ShareShare
ReportReport
Posted on by stevey2019 22

Have been reading some posts about this error but not able to pin point a solution to fix this from a developer's standpoint. 

Background

We have Dynamics CRM on-premise but the codes that access the OrganizationService (via Microsoft.Xrm.Client.Services) are from Azure. I do not know how the initial user was configured from IT side (on-premise, via Active Directory user mapping) but the app has been working with that user credential, from on-premise (development) or from Azure (deployed) for years.

What's Changed?

Recently we switched out that user and replaced it with a different user with exact same permissions. Again, I don't get involved in configuration of the user; all I know is that the app still works if it runs inside the corporate network (same domain as the on-premise CRM) but got this exception "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" when I ran the same app outside the premise (from Azure and from dev machine outside the corporate network).

Another Fact:

I have no problem using this new AD user to login to Dynamics CRM app from a web browser. 

Where should I ask our IT and CRM Admin to look?

My guts told me that IIS is where they should go. Will an IISRest be enoguh? Should there be a user profile mapping to this new AD user and grant proper permission to the resources the OrganizationService nee to use? 

As a developer, I can't access the IIS nor the Admin modules of the Dynamics CRM App.

Thanks in advance for your help

I have the same question (0)
  • Bipin D365 Profile Picture
    Bipin D365 28,983 Moderator on at

    Hi,

    Please look at below article. This might be helpful.

    www.magnetismsolutions.com/.../the-authentication-endpoint-kerberos-was-not-found-on-the-configured-secure-token-service

    If found helpful, Please mark my answer verified.

  • stevey2019 Profile Picture
    stevey2019 22 on at

    Thanks for your reply. Strange that I was able to click on the link the other day but now it gave me 404 error

  • Suggested answer
    Abarao Bhople Profile Picture
    Abarao Bhople 445 on at

    Hello stevey2019 ,

    could you please let us know about earlier user account which was working fine.

    is this account used for CRM App pool , or to run the CRM services.

    If so you need to the mapping for new user as well.

    try below work arounds as well..

    Ask your Admin to Recycle the CRM App pool.

    if possible Reset IIS.

    enable trace to find out the error.

    try to dowload the logs .

    Thank you.

    Abarao Bhople

  • stevey2019 Profile Picture
    stevey2019 22 on at

    Our admin informed me that they did not use CRM App Pool nor run the CRM Services (what other option could be they did not elaborate) . They reset the IIS but I still got the same error. I will ask them to send me a log file and get back to you later.

    Thanks so much for your help!

    Updated: Our IT Admin captured some logs for me when I ran my app to the point the error was thrown. But the log is too large to post here. Can I email you the log in zip or can you tell me some keywords that I should search for in the log and maybe just extract those relevant info for you.

    I really appreciate your help. 

    FYI, here is the connection string I used to connect to OrganizationService: "Authentication Type=Passport; Server=https://devcrm.myco.com; Username=username; Password=password;Domain=myco"

  • Abarao Bhople Profile Picture
    Abarao Bhople 445 on at

    Please share the logs on below email id

    abaraobhople@hotmail.com

    will try to help..

  • Suggested answer
    Abarao Bhople Profile Picture
    Abarao Bhople 445 on at

    in connection string you have used the username make sure it should be as below format

    username@myco.com

    instead of

    myco\username

    check and let me know accordingly.

    Thank you

    Abarao Bhople

  • stevey2019 Profile Picture
    stevey2019 22 on at

    I tried that too and got same error:

    username: username

    username: username@myco.com

  • stevey2019 Profile Picture
    stevey2019 22 on at

    Some more detail from stack trace:

    System.AggregateException: One or more errors occurred. ---> System.NotSupportedException: The authentication endpoint Kerberos was not found on the configured Secure Token Service!

     Stack Trace:

       IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)

       AuthenticationCredentials.get_IssuerEndpoint()

       ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.Authenticate(ClientCredentials clientCredentials)

       OrganizationServiceConfiguration.Authenticate(ClientCredentials clientCredentials)

       OrganizationService.CreateUserTokenResponse(CrmConnection connection, IServiceConfiguration`1 config)

       OrganizationService.GetUserTokenResponse(CrmConnection connection, IServiceConfiguration`1 config)

       OrganizationService.ToOrganizationServiceProxy(CrmConnection connection)

       OrganizationService.ToOrganizationService(CrmConnection connection)

    I might not able to send you trace log from IT due to our policy. Really appreciate your time.

  • stevey2019 Profile Picture
    stevey2019 22 on at

    This blog seems to have very relevant tips. I have relayed it to our IT admin and would let you know if they fix it or not. Thank you very much!

  • Suggested answer
    stevey2019 Profile Picture
    stevey2019 22 on at

    Well, I found the culprit - it was the Domain attribute in the connection string:

    • For connecting from outside the domain, it does not like to have a Domain in the connection string: 
      1. connection string format 1: "Authentication Type=Passport;Server=">devcrm.myco.com;Username=devuser@myco.com;Password=pwd" - this works both inside and outside the domain "myco.com"
      2. connection string format 2: "Authentication Type=Passport;Server=https://devcrm.myco.com;Domain=myco;Username=devuser@myco.com;Password=pwd" - this only works inside the domain myco.com but NOT outside (exception: The authentication endpoint Kerberos was not found on the configured Secure Token Service!)

    The key is in the Xrm.Client.CrmConnection.ClientCredential:

    • If Domain is NOT specified in the connection string, when connecting from outside domain, Xrm.Client.CrmConnection.ClientCredentials.UserName is populated whereas the ClientCredentials.Windows.ClientCredentials.UserName is empty.
    • But if the Domain is specified, Xrm.Client.CrmConnection.ClientCredentials.UserName becomes null and Xrm.Client.CrmConnection.ClientCredentials.Windows.ClientCredentials.UserName populated, which led to the service trying to authenticate user as a Windows AD user so of course it would fail when running app from outside Windows domain. And it explains why the same app works inside the domain even with Domain specified in the connection string.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
Tom_Gioielli Profile Picture

Tom_Gioielli 170 Super User 2025 Season 2

#2
#ManoVerse Profile Picture

#ManoVerse 61

#3
Gerardo Rentería García Profile Picture

Gerardo Rentería Ga... 52 Most Valuable Professional

Last 30 days Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans