Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / OrganizationService co...
Customer experience | Sales, Customer Insights,...
Answered

OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

(0) ShareShare
ReportReport
Posted on by stevey2019 22

Have been reading some posts about this error but not able to pin point a solution to fix this from a developer's standpoint. 

Background

We have Dynamics CRM on-premise but the codes that access the OrganizationService (via Microsoft.Xrm.Client.Services) are from Azure. I do not know how the initial user was configured from IT side (on-premise, via Active Directory user mapping) but the app has been working with that user credential, from on-premise (development) or from Azure (deployed) for years.

What's Changed?

Recently we switched out that user and replaced it with a different user with exact same permissions. Again, I don't get involved in configuration of the user; all I know is that the app still works if it runs inside the corporate network (same domain as the on-premise CRM) but got this exception "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" when I ran the same app outside the premise (from Azure and from dev machine outside the corporate network).

Another Fact:

I have no problem using this new AD user to login to Dynamics CRM app from a web browser. 

Where should I ask our IT and CRM Admin to look?

My guts told me that IIS is where they should go. Will an IISRest be enoguh? Should there be a user profile mapping to this new AD user and grant proper permission to the resources the OrganizationService nee to use? 

As a developer, I can't access the IIS nor the Admin modules of the Dynamics CRM App.

Thanks in advance for your help

  • stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    How can I mark my answer to my own question as Verified? I could mark yours.

  • Verified answer
    Bipin D365 Profile Picture
    Bipin D365 28,981 Moderator on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Hi,

    Glad that you resolved your issue. Please mark this thread verified so that it will be helpful for other community members.

    If found helpful, Please mark my answer verified.

  • Suggested answer
    stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Well, I found the culprit - it was the Domain attribute in the connection string:

    • For connecting from outside the domain, it does not like to have a Domain in the connection string: 
      1. connection string format 1: "Authentication Type=Passport;Server=">devcrm.myco.com;Username=devuser@myco.com;Password=pwd" - this works both inside and outside the domain "myco.com"
      2. connection string format 2: "Authentication Type=Passport;Server=https://devcrm.myco.com;Domain=myco;Username=devuser@myco.com;Password=pwd" - this only works inside the domain myco.com but NOT outside (exception: The authentication endpoint Kerberos was not found on the configured Secure Token Service!)

    The key is in the Xrm.Client.CrmConnection.ClientCredential:

    • If Domain is NOT specified in the connection string, when connecting from outside domain, Xrm.Client.CrmConnection.ClientCredentials.UserName is populated whereas the ClientCredentials.Windows.ClientCredentials.UserName is empty.
    • But if the Domain is specified, Xrm.Client.CrmConnection.ClientCredentials.UserName becomes null and Xrm.Client.CrmConnection.ClientCredentials.Windows.ClientCredentials.UserName populated, which led to the service trying to authenticate user as a Windows AD user so of course it would fail when running app from outside Windows domain. And it explains why the same app works inside the domain even with Domain specified in the connection string.

  • stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    This blog seems to have very relevant tips. I have relayed it to our IT admin and would let you know if they fix it or not. Thank you very much!

  • stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Some more detail from stack trace:

    System.AggregateException: One or more errors occurred. ---> System.NotSupportedException: The authentication endpoint Kerberos was not found on the configured Secure Token Service!

     Stack Trace:

       IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)

       AuthenticationCredentials.get_IssuerEndpoint()

       ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)

       ServiceConfiguration`1.Authenticate(ClientCredentials clientCredentials)

       OrganizationServiceConfiguration.Authenticate(ClientCredentials clientCredentials)

       OrganizationService.CreateUserTokenResponse(CrmConnection connection, IServiceConfiguration`1 config)

       OrganizationService.GetUserTokenResponse(CrmConnection connection, IServiceConfiguration`1 config)

       OrganizationService.ToOrganizationServiceProxy(CrmConnection connection)

       OrganizationService.ToOrganizationService(CrmConnection connection)

    I might not able to send you trace log from IT due to our policy. Really appreciate your time.

  • stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    I tried that too and got same error:

    username: username

    username: username@myco.com

  • Suggested answer
    Abarao Bhople Profile Picture
    Abarao Bhople 445 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    in connection string you have used the username make sure it should be as below format

    username@myco.com

    instead of

    myco\username

    check and let me know accordingly.

    Thank you

    Abarao Bhople

  • Abarao Bhople Profile Picture
    Abarao Bhople 445 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Please share the logs on below email id

    abaraobhople@hotmail.com

    will try to help..

  • stevey2019 Profile Picture
    stevey2019 22 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Our admin informed me that they did not use CRM App Pool nor run the CRM Services (what other option could be they did not elaborate) . They reset the IIS but I still got the same error. I will ask them to send me a log file and get back to you later.

    Thanks so much for your help!

    Updated: Our IT Admin captured some logs for me when I ran my app to the point the error was thrown. But the log is too large to post here. Can I email you the log in zip or can you tell me some keywords that I should search for in the log and maybe just extract those relevant info for you.

    I really appreciate your help. 

    FYI, here is the connection string I used to connect to OrganizationService: "Authentication Type=Passport; Server=https://devcrm.myco.com; Username=username; Password=password;Domain=myco"

  • Suggested answer
    Abarao Bhople Profile Picture
    Abarao Bhople 445 on at
    RE: OrganizationService connect error "The authentication endpoint Kerberos was not found on the configured Secure Token Service!" from developer viewpoint

    Hello stevey2019 ,

    could you please let us know about earlier user account which was working fine.

    is this account used for CRM App pool , or to run the CRM services.

    If so you need to the mapping for new user as well.

    try below work arounds as well..

    Ask your Admin to Recycle the CRM App pool.

    if possible Reset IIS.

    enable trace to find out the error.

    try to dowload the logs .

    Thank you.

    Abarao Bhople

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

🌸 Community Spring Festival 2025 Challenge Winners! 🌸

Congratulations to all our community participants!

Adis Hodzic – Community Spotlight

We are honored to recognize Adis Hodzic as our May 2025 Community…

Kudos to the April Top 10 Community Stars!

Thanks for all your good work in the Community!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
Daivat Vartak (v-9davar) Profile Picture

Daivat Vartak (v-9d... 225 Super User 2025 Season 1

#2
Vahid Ghafarpour Profile Picture

Vahid Ghafarpour 78 Super User 2025 Season 1

#3
Muhammad Shahzad Shafique Profile Picture

Muhammad Shahzad Sh... 72

Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans