Solved

CRM won't authenticate with AD users

Posted on 2008-10-13
Last Modified: 2010-08-05
I have one machine with Windows Server 2003 Standard SP2 (Upgraded and Updated). I've installed:

IIS (w/ Asp.net support)
SQL Server 2005 SP2
Microsoft Dynamics CRM 4.0

The install for CRM went smoothly and if I go to http://localhost it works fine but doesn't ask for a user/pass.

I created an OU on AD called CRM1 and put a user in it. When I go to http://crm1 and put in the user and password it will not authenticate. I've tried domain\administrator too and that didn't work either. If I do the same thing in Firefox it will get past the login box and tell me unsupported browser.

The CRM user is an admin of all the groups CRM creates and the reporting group and domain admins.

In short, CRM works locally, but won't authenticate with domain users remotely. No idea why this is happening!

0
Comment
Question by:littleknown
12 Comments
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702802
OK, so a few things:
- why did you create a new OU?
- Was the user you put in that group new?
- Is that user the installation user?
- Can you hit http://servername:port from the CRM server? (can you add the servername so we can reference it moving forward)
- Are there Host Headers created?
- Is IE Enhanced Security on on the CRM server? (it is by default) (need to uninstall that)
- What are you running CRM as?  (Network Service is default, did you configure a service account?)

CRM creates 5 Security Groups in the OU of your choice in AD.  It can self-manage them (typically).  The users that you put in CRM can be from other OUs in AD within the same domain, and in the right circumstances from Trusted, Child and Parent domains.  Please indicate how you are configured.

Thanks

0
 
LVL 2

Author Comment

by:littleknown
ID: 22702850
I created a new OU because CRM wants its own OU it looks like.
Yes the user was new.
Yes the user is the installation user.

servername: crm1 ( http://crm1/ brings me a username and password prompt, nothing in AD works for it)
user created for crm in AD CRM OU is crmadmin.

Yes, IE enhanced security is on, I shall disable it now.

I'm running crm with a service account (crmadmin in the crm OU in AD)
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702873
The Enhanced Security is going to be problematic, so see if that gets you to the destination, but also check this as you are running with a Service Account

http://www.ascentium.com/blog/crm/Post108.aspx
0
 
LVL 2

Author Comment

by:littleknown
ID: 22703512
Turning off enhanced security didn't fix the problem and that blog post didn't help either :(
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22703661
So what CAN you do?
- Logon to http://localhost/loader.aspx FROM the server CRM1 as the installation user?
- Logon to http://crm1/loader.aspx FROM the server CRM1 as the installation user?
- Logon via IP to same address from CRM1 as install user

I am assuming you are on port 80?  If you get prompted with any of the above from the server, can you authenticate as the install user?  Did you IISRESET after removing the Enhanced Security?

Let's fix the server first and then move outward.  The name of the server is CRM1.  Can you ping that from itself?  How about NSLOOKUP?  What about Fully Qualified?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22703712
ON CRM1 as Administrator
    -> http://localhost/ - no login prompt. works fine. logged in as first name last name.

ON ANY COMPUTER ON THE DOMAIN
     -> http://crm1/ - login prompt. nothing works.

We can't "login".

Yes, I ran IISRESET after removing IEES.
Yes, CRM1 can ping itself.
Yes, I can ping CRM1 from other computers on the domain.
NSLookup says it can't find servername for address 192.168.3.2: non-existent domain. UnKnown.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721488
Okay so we set up a new domain controller. We reformatted the CRM Box with Server 2003 SP2 and installed SQL Server 2005 +SP2 on it. We installed CRM logged in as domain\administrator. SQL and CRM installed with service account domain\crmadmin.

On crmserver (hostname), which is on the domain (nslookup doesn't error now), we have the exact problem as before! If you http://localhost it won't prompt for a password and will log in fine, however remotely it will ask for a password and no account on our domain works. Not domain\administrator, not even domain\crmadmin.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721688
OK, ignore all that. It's working, but you cannot use the hostname, you must use the IP for it to authenticate.
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22721937
strange....
DNS issue?
Are you just trying to use the web client for testing?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22722084
We're using internet explorer...   presumably for production.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22722094
I'm thinking it might be AD related?
0
 
LVL 15

Accepted Solution

by:
WilyGuy earned 295 total points
ID: 22724581
So it still doesn't work by name from itself?

If it is just the clients, try adding a HOSTS entry for the name to the IP and see if it works as expected, if it does....DNS.
0
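
Added example, not part of the thread: a small Python check for the name-versus-IP comparison suggested in the accepted answer, reporting whether the server name resolves to the address that is known to work and whether that address maps back to the same name. The function names and the sample addresses in the comments are assumptions made for illustration; the forward lookup goes through the operating system's resolver, so a HOSTS entry will satisfy it even when the DNS zone is still wrong.

```python
import socket


def forward_lookup(name):
    """IPv4 addresses the OS resolver returns for name (HOSTS file included)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip):
    """Primary host name registered for ip, or None when nothing answers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def short(name):
    """Compare on the first label only, so crm1 matches CRM1.example.test."""
    return name.split(".")[0].lower()


def check_server_name(name, expected_ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of findings; an empty list means name and IP agree."""
    findings = []
    addrs = forward(name)
    if not addrs:
        findings.append("forward: %s does not resolve" % name)
    elif expected_ip not in addrs:
        findings.append("forward: %s resolves to %s, expected %s"
                        % (name, ", ".join(addrs), expected_ip))
    ptr = reverse(expected_ip)
    if ptr is None:
        findings.append("reverse: no name registered for %s" % expected_ip)
    elif short(ptr) != short(name):
        findings.append("reverse: %s maps back to %s" % (expected_ip, ptr))
    return findings


if __name__ == "__main__":
    import sys
    # Usage (constructed values): python check_name.py crm1 192.0.2.10
    for line in check_server_name(sys.argv[1], sys.argv[2]) or ["name and IP agree"]:
        print(line)
```

Run it from a client before and after adding the HOSTS entry: if the findings disappear and the login starts working by name, the difference was name resolution.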
