Solved

CRM won't authenticate with AD users

Posted on 2008-10-13
Last Modified: 2010-08-05
I have one machine with Windows Server 2003 Standard SP2 (Upgraded and Updated). I've installed:

IIS (w/ Asp.net support)
SQL Server 2005 SP2
Microsoft Dynamics CRM 4.0

The install for CRM went smoothly and if I go to http://localhost it works fine but doesn't ask for a user/pass.

I created an OU on AD called CRM1 and put a user in it. When I go to http://crm1 and put in the user and password it will not authenticate. I've tried domain\administrator too and that didn't work either. If I do the same thing in Firefox it will get past the login box and tell me unsupported browser.

The CRM user is an admin of all the groups CRM creates and the reporting group and domain admins.

In short, CRM works locally, but won't authenticate with domain users remotely. No idea why this is happening!

0
Question by:littleknown
12 Comments
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702802
OK, so a few things:
- why did you create a new OU?
- Was the user you put in that group new?
- Is that user the installation user?
- Can you hit http://servername:port from the CRM server? (can you add the servername so we can reference it moving forward)
- Are there Host Headers created?
- Is IE Enhanced Security on on the CRM server? (it is by default) (need to uninstall that)
- What are you running CRM as?  (Network Service is default, did you configure a service account?)

CRM creates 5 Security Groups in the OU of your choice in AD.  It can self-manage them (typically).  The users that you put in CRM can be from other OUs in AD within the same domain, and in the right circumstances from Trusted, Child and Parent domains.  Please indicate how you are configured.

Thanks

0
 
LVL 2

Author Comment

by:littleknown
ID: 22702850
I created a new OU because CRM wants its own OU it looks like.
Yes the user was new.
Yes the user is the installation user.

servername: crm1 (http://crm1/ brings me a username and password, nothing in AD works for it)
User created for CRM in AD CRM OU is crmadmin.

Yes, IE Enhanced Security is on; I shall disable it now.

I'm running CRM with a service account (crmadmin in the CRM OU in AD).
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702873
The Enhanced Security is going to be problematic, so see if that gets you to the destination, but also check this as you are running with a Service Account

http://www.ascentium.com/blog/crm/Post108.aspx
0

 
LVL 2

Author Comment

by:littleknown
ID: 22703512
Turning off enhanced security didn't fix the problem and that blog post didn't help either :(
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22703661
So what CAN you do?
- Logon to http://localhost/loader.aspx FROM the server CRM1 as the installation user?
- Logon to http://crm1/loader.aspx FROM the server CRM1 as the installation user?
- Logon via IP to same address from CRM1 as install user

I am assuming you are on port 80?  If you get prompted with any of the above from the server, can you authenticate as the install user?  Did you IISRESET after removing the Enhanced Security?

Let's fix the server first and then move outward.  The name of the server is CRM1.  Can you ping that from itself?  How about NSLOOKUP?  What about Fully Qualified?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22703712
ON CRM1 as Administrator
    -> http://localhost/ - no login prompt. works fine. logged in as first name last name.

ON ANY COMPUTER ON THE DOMAIN
     -> http://crm1/ - login prompt. nothing works.

We can't "login".

Yes, I ran IISRESET after removing IEES.
Yes, CRM1 can ping itself.
Yes, I can ping CRM1 from other computers on the domain.
NSLookup says it can't find servername for address 192.168.3.2: non-existent domain. UnKnown.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721488
Okay so we set up a new domain controller. We reformatted the CRM Box with Server 2003 SP2 and installed SQL Server 2005 +SP2 on it. We installed CRM logged in as domain\administrator. SQL and CRM installed with service account domain\crmadmin.

On crmserver (hostname), which is on the domain (nslookup doesn't error now), we have the exact problem as before! If you go to http://localhost it won't prompt for a password and will log in fine; however, remotely it will ask for a password and no account on our domain works. Not domain\administrator, not even domain\crmadmin.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721688
OK, ignore all that. It's working, but you cannot use the hostname; you must use the IP for it to authenticate.
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22721937
Strange....
DNS issue?
Are you just trying to use the web client for testing?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22722084
We're using internet explorer...   presumably for production.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22722094
I'm thinking it might be AD related?
0
 
LVL 15

Accepted Solution

by:
WilyGuy earned 1180 total points
ID: 22724581
So it still doesn't work by name from itself?

If it is just the clients, try adding a HOSTS entry for the name to the IP and see if it works as expected, if it does....DNS.
0
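Added example, not part of the original thread: a Python check that separates the cases the HOSTS test in the accepted answer distinguishes (a local hosts override, a missing or wrong forward record, a missing or wrong reverse record). The helper names, the sample hosts text and the 192.0.2.10 address are constructed assumptions, not values from the thread.

```python
import socket

def parse_hosts(text):
    """Return {lowercased name: ip} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])  # first entry wins
    return table

def dns_forward(name):
    # The system resolver also consults the hosts file, hence parse_hosts above.
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def dns_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def diagnose(name, expected_ip, hosts_text, forward=dns_forward, reverse=dns_reverse):
    """Hypothetical helper: classify why `name` may fail while `expected_ip` works."""
    findings = []
    override = parse_hosts(hosts_text).get(name.lower())
    if override:
        findings.append("hosts-override" if override == expected_ip else "hosts-mismatch")
    resolved = forward(name)
    if resolved is None:
        findings.append("forward-missing")
    elif resolved != expected_ip:
        findings.append("forward-mismatch")
    ptr = reverse(expected_ip)
    if ptr is None:
        findings.append("reverse-missing")
    elif ptr.split(".")[0].lower() != name.split(".")[0].lower():
        findings.append("reverse-mismatch")
    return findings or ["consistent"]

SAMPLE_HOSTS = """# constructed sample hosts file (documentation address, not from the thread)
127.0.0.1    localhost
192.0.2.10   crm1   # temporary test entry
"""
if __name__ == "__main__":
    print(diagnose("crm1", "192.0.2.10", SAMPLE_HOSTS))
```

A "hosts-override" finding alongside "forward-missing" means the name only works because of the local test entry, so the DNS record still needs fixing and the hosts line should be removed afterwards.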

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Desired Skill Set for Microsoft Dynamics CRM Technical Resources – Part III
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question