• Status: Solved

CRM won't authenticate with AD users

I have one machine with Windows Server 2003 Standard SP2 (Upgraded and Updated). I've installed:

IIS (w/ Asp.net support)
SQL Server 2005 SP2
Microsoft Dynamics CRM 4.0

The install for CRM went smoothly and if I go to http://localhost it works fine but doesn't ask for a user/pass.

I created an OU on AD called CRM1 and put a user in it. When I go to http://crm1 and put in the user and password it will not authenticate. I've tried domain\administrator too and that didn't work either. If I do the same thing in Firefox it will get past the login box and tell me unsupported browser.

The CRM user is an admin of all the groups CRM creates and the reporting group and domain admins.

In short, CRM works locally, but won't authenticate with domain users remotely. No idea why this is happening!

OK, so a few things:
- why did you create a new OU?
- Was the user you put in that group new?
- Is that user the installation user?
- Can you hit http://servername:port from the CRM server? (can you add the servername so we can reference it moving forward)
- Are there Host Headers created?
- Is IE Enhanced Security turned on on the CRM server? (It is by default; you need to uninstall it.)
- What are you running CRM as? (Network Service is the default; did you configure a service account?)

CRM creates 5 Security Groups in the OU of your choice in AD. It can self-manage them (typically). The users that you put in CRM can be from other OUs in AD within the same domain, and in the right circumstances from Trusted, Child and Parent domains. Please indicate how you are configured.


littleknown (Author) Commented:
I created a new OU because CRM wants its own OU it looks like.
Yes the user was new.
Yes the user is the installation user.

servername: crm1 (http://crm1/ brings me a username and password, nothing in AD works for it)
user created for crm in AD CRM OU is crmadmin.

Yes, IE enhanced security is on, I shall disable it now.

I'm running CRM with a service account (crmadmin in the crm OU in AD)

The Enhanced Security is going to be problematic, so see if that gets you to the destination, but also check this as you are running with a Service Account


littleknown (Author) Commented:
Turning off enhanced security didn't fix the problem and that blog post didn't help either :(

So what CAN you do?
- Logon to http://localhost/loader.aspx FROM the server CRM1 as the installation user?
- Logon to http://crm1/loader.aspx FROM the server CRM1 as the installation user?
- Logon via IP to same address from CRM1 as install user

I am assuming you are on port 80?  If you get prompted with any of the above from the server, can you authenticate as the install user?  Did you IISRESET after removing the Enhanced Security?

Let's fix the server first and then move outward. The name of the server is CRM1. Can you ping that from itself? How about NSLOOKUP? What about Fully Qualified?

littleknown (Author) Commented:
ON CRM1 as Administrator
    -> http://localhost/ - no login prompt. works fine. logged in as first name last name.

     -> http://crm1/ - login prompt. nothing works.

We can't "login".

Yes, I ran IISRESET after removing IEES.
Yes, CRM1 can ping itself.
Yes, I can ping CRM1 from other computers on the domain.
NSLookup says it can't find servername for address non-existent domain. UnKnown.

littleknown (Author) Commented:
Okay so we set up a new domain controller. We reformatted the CRM Box with Server 2003 SP2 and installed SQL Server 2005 +SP2 on it. We installed CRM logged in as domain\administrator. SQL and CRM installed with service account domain\crmadmin.

On crmserver (hostname), which is on the domain (nslookup doesn't error now), we have the exact problem as before! If you go to http://localhost it won't prompt for a password and will log in fine, however remotely it will ask for a password and no account on our domain works. Not domain\administrator, not even domain\crmadmin.

littleknown (Author) Commented:
OK, ignore all that. It's working, but you cannot use the hostname, you must use the IP for it to authenticate.

DNS issue?
Are you just trying to use the web client for testing?

littleknown (Author) Commented:
We're using Internet Explorer... presumably for production.

littleknown (Author) Commented:
I'm thinking it might be AD related?

So it still doesn't work by name from itself?

If it is just the clients, try adding a HOSTS entry for the name to the IP and see if it works as expected, if it does....DNS.