Solved

CRM won't authenticate with AD users

Posted on 2008-10-13
Last Modified: 2010-08-05
I have one machine with Windows Server 2003 Standard SP2 (Upgraded and Updated). I've installed:

IIS (w/ ASP.NET support)
SQL Server 2005 SP2
Microsoft Dynamics CRM 4.0

The install for CRM went smoothly and if I go to http://localhost it works fine but doesn't ask for a user/pass.

I created an OU on AD called CRM1 and put a user in it. When I go to http://crm1 and put in the user and password it will not authenticate. I've tried domain\administrator too and that didn't work either. If I do the same thing in Firefox it will get past the login box and tell me unsupported browser.

The CRM user is an admin of all the groups CRM creates and the reporting group and domain admins.

In short, CRM works locally, but won't authenticate with domain users remotely. No idea why this is happening!

Question by:littleknown
12 Comments
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702802
OK, so a few things:
- why did you create a new OU?
- Was the user you put in that group new?
- Is that user the installation user?
- Can you hit http://servername:port from the CRM server? (can you add the servername so we can reference it moving forward)
- Are there Host Headers created?
- Is IE Enhanced Security on on the CRM server? (it is by default) (need to uninstall that)
- What are you running CRM as?  (Network Service is default, did you configure a service account?)

CRM creates 5 Security Groups in the OU of your choice in AD.  It can self-manage them (typically).  The users that you put in CRM can be from other OUs in AD within the same domain, and in the right circumstances from Trusted, Child and Parent domains.  Please indicate how you are configured.

Thanks

0
 
LVL 2

Author Comment

by:littleknown
ID: 22702850
I created a new OU because CRM wants its own OU it looks like.
Yes the user was new.
Yes the user is the installation user.

servername: crm1 ( http://crm1/ brings me a username and password prompt, nothing in AD works for it)
User created for CRM in AD CRM OU is crmadmin.

Yes, IE Enhanced Security is on; I shall disable it now.

I'm running CRM with a service account (crmadmin in the CRM OU in AD)
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22702873
The Enhanced Security is going to be problematic, so see if that gets you to the destination, but also check this as you are running with a Service Account

http://www.ascentium.com/blog/crm/Post108.aspx
0

 
LVL 2

Author Comment

by:littleknown
ID: 22703512
Turning off enhanced security didn't fix the problem and that blog post didn't help either :(
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22703661
So what CAN you do?
- Logon to http://localhost/loader.aspx FROM the server CRM1 as the installation user?
- Logon to http://crm1/loader.aspx FROM the server CRM1 as the installation user?
- Logon via IP to same address from CRM1 as install user

I am assuming you are on port 80?  If you get prompted with any of the above from the server, can you authenticate as the install user?  Did you IISRESET after removing the Enhanced Security?

Let's fix the server first and then move outward.  The name of the server is CRM1.  Can you ping that from itself?  How about NSLOOKUP?  What about Fully Qualified?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22703712
ON CRM1 as Administrator
    -> http://localhost/ - no login prompt. works fine. logged in as first name last name.

ON ANY COMPUTER ON THE DOMAIN
     -> http://crm1/ - login prompt. nothing works.

We can't "login".

Yes, I ran IISRESET after removing IEES.
Yes, CRM1 can ping itself.
Yes, I can ping CRM1 from other computers on the domain.
NSLookup says it can't find servername for address 192.168.3.2: non-existent domain. UnKnown.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721488
Okay, so we set up a new domain controller. We reformatted the CRM box with Server 2003 SP2 and installed SQL Server 2005 + SP2 on it. We installed CRM logged in as domain\administrator. SQL and CRM installed with service account domain\crmadmin.

On crmserver (hostname), which is on the domain (nslookup doesn't error now), we have the exact problem as before! If you http://localhost it won't prompt for a password and will log in fine; however, remotely it will ask for a password and no account on our domain works. Not domain\administrator, not even domain\crmadmin.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22721688
OK, ignore all that. It's working, but you cannot use the hostname; you must use the IP for it to authenticate.
0
 
LVL 15

Expert Comment

by:WilyGuy
ID: 22721937
strange....
DNS issue?
Are you just trying to use the web client for testing?

0
 
LVL 2

Author Comment

by:littleknown
ID: 22722084
We're using Internet Explorer...   presumably for production.
0
 
LVL 2

Author Comment

by:littleknown
ID: 22722094
I'm thinking it might be AD related?
0
 
LVL 15

Accepted Solution

by:
WilyGuy earned 295 total points
ID: 22724581
So it still doesn't work by name from itself?

If it is just the clients, try adding a HOSTS entry for the name to the IP and see if it works as expected; if it does... DNS.
0
