
We are in the process of migrating our existing Dynamics CRM from on-premises servers to AWS servers.
We spun up a new CRM (v8.2) instance (intranet application).
Issue:
-----
1. When we try to access it using the machine FQDN (fully qualified domain name), it reads from the smart card and works without any issue.
However, when we try to access it through the DNS name, we keep getting prompted for credentials. We know the DNS name ( my-crm.division.company.com/CRM01 ) is resolved, as we can see the home screen; when we click on any functionality we get prompted for credentials.
2. Sometimes, after entering credentials when going through the DNS name, we get a "401.1 Unauthorized" error.
SET UP:
------
1. Full server (front end + back end server roles) hosted on AWS1234.abc.def.com.
2. SQL/SSRS server(s) hosted on AWS5678.abc.def.com.
3. URL: my-crm.division.company.com/CRM01
4. CRM AppPool service account is xyz/test-account.
5. CRM Web Site - Configuration Editor: useAppPoolCredentials set to True.
6. Deployment Manager -- Web address HTTPS (yes). Web application service: my-crm.division.company.com:443, Organization application service: my-crm.division.company.com:443, Discovery Web service: my-crm.division.company.com:443, Deployment Web service: my-crm.division.company.com:443.
7. IIS > Authentication > Windows Authentication > Enable Kernel-mode authentication (checked).
8. %windir%\system32\inetsrv\config\ApplicationHost.config file:
    <windowsAuthentication enabled="true" useAppPoolCredentials="true">
        <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
        </providers>
    </windowsAuthentication>
9. In AWS, we have a load balancer which points to the front end server. In the DNS server, the domain name is resolved to the load balancer (as a CNAME).
SPN set up:
-----------
We set up the SPNs for our CRM AppPool service account as follows.
What should be the SPNs that we need to set on our servers? We have the following:
On the frontend + backend server (which is on a single machine) for xyz/test-account
1. HTTP/AWS1234.abc.def.com
2. HTTP/AWS1234
3. HTTP/my-crm.division.company.com
4. HTTP/my-crm
We also have the following for the Sandbox account:
1. MSCRMSandboxservice/ AWS1234
2. MSCRMSandboxservice/ AWS1234.abc.def.com
On a front end + back end server, Microsoft also recommends setting HTTP/frontend.contoso.local and MSCRMSandboxservice/backend.contoso.local.
Given our scenario what should those SPNs be? Are they as follows or should we use any other format?
1. HTTP/AWS1234.abc.def.com.local or HTTP/AWS1234.my-crm.local or HTTP/AWS1234.abc.def.com.my-crm.division.company.local
2. MSCRMSandboxService/AWS1234.abc.def.com.local or MSCRMSandboxService/AWS1234.my-crm.local or MSCRMSandboxService/AWS1234.abc.def.com.my-crm.division.company.local
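The SPN checks behind the questions above, as an added example that is not part of the original post or of Microsoft's guidance. It assumes a domain-joined server where the in-box setspn.exe and the DnsClient module are available, and it reuses the account name, hostnames and alias from the question as-is (treat them as placeholders). It lists what is registered on the app pool account, flags any expected HTTP/ or MSCRMSandboxService/ SPN that is missing, confirms the alias is a CNAME to the load balancer, and runs the forest-wide duplicate check, because a duplicate SPN is the usual reason a site falls back to repeated NTLM prompts or a 401.1.

```powershell
# Added example, not from the original post. Hostnames and the account are the
# question's own placeholders; adjust them for your environment.
$Account      = 'xyz\test-account'                      # CRM AppPool service account
$Alias        = 'my-crm.division.company.com'           # DNS name users browse to
$HttpHosts    = @('AWS1234.abc.def.com', 'AWS1234', $Alias, 'my-crm')
$SandboxHosts = @('AWS1234.abc.def.com', 'AWS1234')

# 1. The browser builds the SPN from the host in the URL, so the alias must keep
#    resolving (via CNAME) to the load balancer and HTTP/<alias> must exist.
Write-Host "DNS resolution for $Alias :"
Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue |
    Format-Table Name, Type, NameHost -AutoSize

# 2. Collect SPNs currently registered on the app pool account.
#    setspn -L prints a header line followed by one indented SPN per line.
$registered = setspn -L $Account 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -match '^[A-Za-z]+/' }

# 3. Compare against the SPNs the question lists as expected.
$expected = @()
$expected += $HttpHosts    | ForEach-Object { "HTTP/$_" }
$expected += $SandboxHosts | ForEach-Object { "MSCRMSandboxService/$_" }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {            # -contains is case-insensitive
        Write-Host "OK       $spn"
    } else {
        Write-Warning "MISSING  $spn  (not on $Account)"
    }
}

# 4. Which account actually owns HTTP/<alias>? With useAppPoolCredentials=true and
#    kernel-mode auth, it must be the app pool account, not the machine account.
Write-Host "`nOwner of HTTP/$Alias :"
setspn -Q "HTTP/$Alias"

# 5. Any duplicate SPN in the forest breaks Kerberos for that name; check forest-wide.
Write-Host "`nForest-wide duplicate SPN check:"
setspn -X
```

Run it in an elevated PowerShell session as a domain user that can read Active Directory; nothing in it changes AD. A name reported MISSING is registered with setspn -S (which refuses to create a duplicate), and anything flagged by setspn -X should be resolved before adding more SPNs.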
Created a new Classic load balancer with TCP and routed our traffic to this new classic load balancer, and that fixed the issue. Now no more multiple authentication prompts.